9de35dd50a079f88d3bbc4eb55c6445484f52c044aaf6d91640704301d8e9bad

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdc8a67291632966eeeb898b1ee98e0N.exe
Size

88KB
MD5

1cdc8a67291632966eeeb898b1ee98e0
SHA1

15a9dc3847703f175d076e1a667eea5355c7680d
SHA256

9de35dd50a079f88d3bbc4eb55c6445484f52c044aaf6d91640704301d8e9bad
SHA512

a0b46d37a5474c518112a68766ff1bad292903c3ad74fc9e4c6af4066a6e3bff57936d28ec637dc06875a24b2c5e1ec5828f77fc6ee9d30cb6e4f44e4e8f7c1d
SSDEEP

1536:E1tpJgoFNmMvNIreUHMR6q8fPVOqqMWnouy8L:skMvQLsiVP1moutL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1cdc8a67291632966eeeb898b1ee98e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1cdc8a67291632966eeeb898b1ee98e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe

Executes dropped EXE 64 IoCs

pid	Process
4048	Qmmnjfnl.exe
868	Qqijje32.exe
5084	Qddfkd32.exe
1684	Qgcbgo32.exe
4232	Anmjcieo.exe
1964	Aqkgpedc.exe
2112	Acjclpcf.exe
2636	Afhohlbj.exe
4092	Anogiicl.exe
1052	Ambgef32.exe
1656	Aeiofcji.exe
4960	Afjlnk32.exe
3864	Anadoi32.exe
4488	Amddjegd.exe
3940	Aeklkchg.exe
4060	Agjhgngj.exe
2784	Andqdh32.exe
4920	Amgapeea.exe
3088	Acqimo32.exe
3520	Afoeiklb.exe
3756	Ajkaii32.exe
3148	Aadifclh.exe
4132	Agoabn32.exe
4604	Bjmnoi32.exe
2060	Bagflcje.exe
2764	Bcebhoii.exe
3736	Bfdodjhm.exe
4356	Bnkgeg32.exe
5072	Baicac32.exe
4316	Bchomn32.exe
5012	Bffkij32.exe
372	Bnmcjg32.exe
3000	Balpgb32.exe
1704	Beglgani.exe
5080	Bgehcmmm.exe
3680	Bjddphlq.exe
4456	Bmbplc32.exe
4788	Banllbdn.exe
1856	Bclhhnca.exe
1616	Bfkedibe.exe
1924	Bnbmefbg.exe
3168	Bmemac32.exe
2580	Belebq32.exe
3584	Chjaol32.exe
3204	Cjinkg32.exe
2436	Cmgjgcgo.exe
3284	Cabfga32.exe
1708	Chmndlge.exe
2332	Cjkjpgfi.exe
1620	Cnffqf32.exe
1828	Caebma32.exe
3152	Cjmgfgdf.exe
5108	Cmlcbbcj.exe
4104	Ceckcp32.exe
728	Cjpckf32.exe
2956	Cnkplejl.exe
2348	Cajlhqjp.exe
2268	Cdhhdlid.exe
440	Cffdpghg.exe
764	Cmqmma32.exe
3172	Cegdnopg.exe
3348	Dhfajjoj.exe
2036	Djdmffnn.exe
224	Dmcibama.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	1cdc8a67291632966eeeb898b1ee98e0N.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5160	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1cdc8a67291632966eeeb898b1ee98e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1cdc8a67291632966eeeb898b1ee98e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1cdc8a67291632966eeeb898b1ee98e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 4048	2684	1cdc8a67291632966eeeb898b1ee98e0N.exe	84
PID 2684 wrote to memory of 4048	2684	1cdc8a67291632966eeeb898b1ee98e0N.exe	84
PID 2684 wrote to memory of 4048	2684	1cdc8a67291632966eeeb898b1ee98e0N.exe	84
PID 4048 wrote to memory of 868	4048	Qmmnjfnl.exe	85
PID 4048 wrote to memory of 868	4048	Qmmnjfnl.exe	85
PID 4048 wrote to memory of 868	4048	Qmmnjfnl.exe	85
PID 868 wrote to memory of 5084	868	Qqijje32.exe	86
PID 868 wrote to memory of 5084	868	Qqijje32.exe	86
PID 868 wrote to memory of 5084	868	Qqijje32.exe	86
PID 5084 wrote to memory of 1684	5084	Qddfkd32.exe	87
PID 5084 wrote to memory of 1684	5084	Qddfkd32.exe	87
PID 5084 wrote to memory of 1684	5084	Qddfkd32.exe	87
PID 1684 wrote to memory of 4232	1684	Qgcbgo32.exe	88
PID 1684 wrote to memory of 4232	1684	Qgcbgo32.exe	88
PID 1684 wrote to memory of 4232	1684	Qgcbgo32.exe	88
PID 4232 wrote to memory of 1964	4232	Anmjcieo.exe	89
PID 4232 wrote to memory of 1964	4232	Anmjcieo.exe	89
PID 4232 wrote to memory of 1964	4232	Anmjcieo.exe	89
PID 1964 wrote to memory of 2112	1964	Aqkgpedc.exe	90
PID 1964 wrote to memory of 2112	1964	Aqkgpedc.exe	90
PID 1964 wrote to memory of 2112	1964	Aqkgpedc.exe	90
PID 2112 wrote to memory of 2636	2112	Acjclpcf.exe	91
PID 2112 wrote to memory of 2636	2112	Acjclpcf.exe	91
PID 2112 wrote to memory of 2636	2112	Acjclpcf.exe	91
PID 2636 wrote to memory of 4092	2636	Afhohlbj.exe	92
PID 2636 wrote to memory of 4092	2636	Afhohlbj.exe	92
PID 2636 wrote to memory of 4092	2636	Afhohlbj.exe	92
PID 4092 wrote to memory of 1052	4092	Anogiicl.exe	93
PID 4092 wrote to memory of 1052	4092	Anogiicl.exe	93
PID 4092 wrote to memory of 1052	4092	Anogiicl.exe	93
PID 1052 wrote to memory of 1656	1052	Ambgef32.exe	94
PID 1052 wrote to memory of 1656	1052	Ambgef32.exe	94
PID 1052 wrote to memory of 1656	1052	Ambgef32.exe	94
PID 1656 wrote to memory of 4960	1656	Aeiofcji.exe	95
PID 1656 wrote to memory of 4960	1656	Aeiofcji.exe	95
PID 1656 wrote to memory of 4960	1656	Aeiofcji.exe	95
PID 4960 wrote to memory of 3864	4960	Afjlnk32.exe	96
PID 4960 wrote to memory of 3864	4960	Afjlnk32.exe	96
PID 4960 wrote to memory of 3864	4960	Afjlnk32.exe	96
PID 3864 wrote to memory of 4488	3864	Anadoi32.exe	97
PID 3864 wrote to memory of 4488	3864	Anadoi32.exe	97
PID 3864 wrote to memory of 4488	3864	Anadoi32.exe	97
PID 4488 wrote to memory of 3940	4488	Amddjegd.exe	98
PID 4488 wrote to memory of 3940	4488	Amddjegd.exe	98
PID 4488 wrote to memory of 3940	4488	Amddjegd.exe	98
PID 3940 wrote to memory of 4060	3940	Aeklkchg.exe	100
PID 3940 wrote to memory of 4060	3940	Aeklkchg.exe	100
PID 3940 wrote to memory of 4060	3940	Aeklkchg.exe	100
PID 4060 wrote to memory of 2784	4060	Agjhgngj.exe	101
PID 4060 wrote to memory of 2784	4060	Agjhgngj.exe	101
PID 4060 wrote to memory of 2784	4060	Agjhgngj.exe	101
PID 2784 wrote to memory of 4920	2784	Andqdh32.exe	102
PID 2784 wrote to memory of 4920	2784	Andqdh32.exe	102
PID 2784 wrote to memory of 4920	2784	Andqdh32.exe	102
PID 4920 wrote to memory of 3088	4920	Amgapeea.exe	103
PID 4920 wrote to memory of 3088	4920	Amgapeea.exe	103
PID 4920 wrote to memory of 3088	4920	Amgapeea.exe	103
PID 3088 wrote to memory of 3520	3088	Acqimo32.exe	104
PID 3088 wrote to memory of 3520	3088	Acqimo32.exe	104
PID 3088 wrote to memory of 3520	3088	Acqimo32.exe	104
PID 3520 wrote to memory of 3756	3520	Afoeiklb.exe	106
PID 3520 wrote to memory of 3756	3520	Afoeiklb.exe	106
PID 3520 wrote to memory of 3756	3520	Afoeiklb.exe	106
PID 3756 wrote to memory of 3148	3756	Ajkaii32.exe	107

C:\Users\Admin\AppData\Local\Temp\1cdc8a67291632966eeeb898b1ee98e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1cdc8a67291632966eeeb898b1ee98e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\Qqijje32.exe
    C:\Windows\system32\Qqijje32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        45⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        59⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        70⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 416
        81⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5160 -ip 5160
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
88KB

MD5
0112aeae9a5dc7e9f99eb1b3323a68e1

SHA1
4b0c4cc19ed8c49896057bc331135273d8a68672

SHA256
8a81f5d03ecf38fb96f563e7911038a40aeb283ab93f7cc77e82c16597dc2427

SHA512
2f478be6f75ae876e4d897cd867e41c56927ff2df79e8ef68d59d74571a3ac39455d3e6182735675ea388a50f59b23fdfc3ec545e9a39f91cf02fc59fe716627

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
88KB

MD5
352b9ea1f96cc5b5a79f6c1abc7d1351

SHA1
de40c5693f0676633f49d3e50576a412b676a38a

SHA256
b34784e9158ce8268557c35ddd03927d8e8153a78d5d70bf5322db5282d48a5e

SHA512
843ee32d4aedd803cf8419e8174014f50e5777d4d3892dd11a495bb66d593e17d15687aaf79911d16bfddc77b885d941c611d22bac85e8067b0d3acf0b616b38

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
88KB

MD5
b388482e5a4cceb6d5293c6710d85c4d

SHA1
7d1602f39b44dd8273b9d02199a33c3e02ccfc29

SHA256
a43ec8c248ef87da64ce20ae02cb921307f42090d89124e1d279d303e5c1feb6

SHA512
cf6ebc09885a515a237ed1ba47aa5d398bcf8362c191b074af66940deedde15c1406a4695df9a0596128854b4af0f67f81ae4044840eab6ec1ca4d3a2dd739d5

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
88KB

MD5
09ffb5464a22ee835c6fce720776195d

SHA1
a86c1328a805a71bf94a5486563e543116d594fc

SHA256
0725558113a77f17c135a83bb9f8cf45eb40c4cf09a725dc6859d486b2a90770

SHA512
03f4028b664b18d14d729b65aa65f3f855a3ca8c9de6c356e1a4c2e1c2c9bb91fa47c776066ca5ec63c009fc72ef95d15a597c0376553b685b6c36d82bf92459

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
88KB

MD5
f179b95e129f3f17928bfeda581a0dd0

SHA1
a4b270f58d6a17c61bf98b8a1bb4a971320b257c

SHA256
bebb1adfbfa2f9dc52cba614bbdd82a7a7e23f8dd05ea2ff797aa8957cd668ef

SHA512
8ba24f8c880dccd534b70a5ac4fb51f3cc463c14b7c969813b8314bb8d4fc215d0b8c4bde458bbc2957c4739f39e410370a34fd50f69a643575994b30d05afef

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
88KB

MD5
4dfc2c65b54ffb7364b85ddd2319ad62

SHA1
0bc0e90461df24bbca894be5781be7a5c149b577

SHA256
02e5a2d5a7ec612b8e227db59c3f2946dbd3ccc1a696c374b904e12c38a082c2

SHA512
339d20c30948974332dc613b6281fbf26ceb7ce336078135c11a47fb5c6579e811015ad647bece798efeb35af7678b9dd75b0f3fdac904441e4c67dbd7c8fec9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
88KB

MD5
f0468dab2edafb87ad072348c304c128

SHA1
3fe0f0391c57edcbdc2d42b49c358ce76ad0487a

SHA256
f529dfa23c889ea8b3a9c95ced352553d777e1de92790f205c31cfb33c96b3a8

SHA512
b4ddd605b2c909a9f15fd122c9537468a4a28e2a0f3f69286612a1064ddaa44bc008fe4912cb015b244e78e521787c9b6db3af5ae81f23f0464de143424a5e3d

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
88KB

MD5
d2d2655c17547361a025bb6fd8066ef8

SHA1
d4edca27d11f1db208392286bb109b9e8cbee522

SHA256
fb2cf4444f6c6185bae6b438db667c9a698fb1bda5e41fcf6b4e7703de7534c1

SHA512
b8b1d67c882cc80a014c7ca898fd0d0f4ca8fa9870b0fc519ea58c21e0db6a28f2d5ec1cbc509a608027ce02c278861e9997f4d4e4cf7560b9bb1947ea31d1b8

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
88KB

MD5
c84ea2567366d8ebea59a13429086f84

SHA1
fc12f8c318f04f17221ec6decc24285f48ab532a

SHA256
8754fc7fa6daeeec8f7c8f1c0d37305241c7e966cee46b725b99527598b6e356

SHA512
583a328c921182f0babeccff43f95d97be0ead104fbeb5a9ad48a9727aa46c2c8d396821797db164b4064c0ca88b2f68bb3c38abdff6e72a1c74531f2e211bf3

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
88KB

MD5
cfc29ec8b000b3eabe4075554f01248a

SHA1
1511f81d7e056ddcdd97ce25bcc316bc4f2ed087

SHA256
13292fb39aaa37e348a812b4eb602e31ac095839ce11a94d1871be0905d9a909

SHA512
86320c6de32ca6536ff44587941de6ab4bf333176f5cdd9fe4a32d89f50868d52871a7d3422b42d4bcb211a22c8b983fdef0ad7e3c0d84f3780ab8c8637e0f61

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
88KB

MD5
b99bc55244ff1d77e0760ecf2a953a44

SHA1
c451515de1872791f23fd713cc60ffe85d8c6866

SHA256
06060072c302aa3b9b5c9a2c530a1ea47b30869d6f31989298422f6275aa5708

SHA512
430fe9d4532ffc47f3390d4256282ee87ad90e3d60e4a060ec3ca00bbd31fb5f7898cc5f202e943b92e3569cdd574e98b2a222547d9487bb7058901277798dad

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
88KB

MD5
aba6d0d9ff391d8f79ed46ff9ad67c9b

SHA1
3d56928d8a6e802eaef4ab663435cb74322a03fe

SHA256
1246974d1923d0e82a38b9257c467192bed4714e3812cbb26f66be9b6468e3d8

SHA512
61b7e28659b93af090101b2618fd3ae0c9800160641d0d27e1b4c276c04c47158c94c246410d79764522f624a26eca24cca6465eaea90590ed4cf1554b1e95be

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
88KB

MD5
59487d45d28c3229a72f002da9d7ffb0

SHA1
4bc71764eb5061e0733665ecb608cc69a6bbc261

SHA256
92b50988740349ca2c31a71e000f676572c51e88c15239da08b8bc0eea7a865b

SHA512
a340c717633c3bcd5c456affe14da79567b836a014a6e6eec1d61aa6c4e2151d0c4ac649a566f68309441f7166d5f427d9b71588970b62604283bf70579bc549

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
88KB

MD5
7998bfc23104d2129c1c5e38b4fd47d0

SHA1
f0a1fd47db85ec06406b67328548f9d67624ac29

SHA256
c0f77d37c43d986ecee14102fb5528df9dc3e6175dbea4aa7a0076d561ebce04

SHA512
fd47f747d093d52eabd40cf12ead740a74a67e0a369a435e85bf97755a483be11d6ce7834cd28b816f6238501fa0b180fe57a66065daa9ede13b37f6c14fc2e5

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
88KB

MD5
08725d823b01b4aa8dede712d4afb434

SHA1
def8673f94b6acde64c54e1fd0ddd20b3558491f

SHA256
97e2345cb0151b0542aaf96b25d4b8b65c32712230acaf05a73ed976c845b2b1

SHA512
f97da1bcfa61a401481d0d136c685ad4e1ae5df74345424245179aa3552faedac104578529a13c86fb1993363dec636b30d6ca95f37f394ff1a1be33fb069e33

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
88KB

MD5
b50b31e4e74dae1fd3e52a699fc37c17

SHA1
905ac14fb4fee4f8466fec30d6b3e8eabed88a82

SHA256
cb8175a7ef2689581a1817d3001a95c11fd2162984d6dc7d5fa41a54dc10d98d

SHA512
ff1aabb7b63472bdddd4acba3175efc99a151b9e76b5b4701349d6d59b192e879131cf96fcbd852b8f221620a7d908ffbd51e88622761fbd3a4b03441ad86e40

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
88KB

MD5
f080f6a7c2758f53765ef68672865048

SHA1
b83506cf286785a0ce52d0c174673812d7a547f8

SHA256
5d7f6ed410e9c3e68f7f7ca056ae80ed28542eb8626c4cd6e07d2cde7e7efc4b

SHA512
9eb526a033dc81beaea464966d2d7942c7bcc626c476cabed228d9164d53e5a1a6ff9d95078f4a577a68fd4f4757285261d6a3466eb39ed36800cb4d8ae294fb

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
88KB

MD5
10a7c9d364fcf527a5a1986530f1eeda

SHA1
9cd11f441bf05651efdb263156a3cc2105277620

SHA256
4034302d7a28248fe8a9560c0000869c30df8551aab1d20df0e82b69fabb341e

SHA512
05f699bbd9683764eec167da4aed75d66577f886f0313589b3b22c2d6a228ad23373a65c383d464ebc6069f17484295946702fcc181dd67ae72318aed50b29a0

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
88KB

MD5
c3fbc7a0a852e4df179acda4ed047e95

SHA1
82b00bd92f448c6f6947f1265e682f5badd28a72

SHA256
72620c03dbb610a35211561a9c2d09368acb57d5e6e56a11923df64af6d89c4e

SHA512
2a95625826b92a98c8f64d0604ec1f530eba83265a3b80cf168a86aedd53a57e071a6a32246125ad40d810f08c8be695ec361d8958c245b5dbb512867b1775c8

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
88KB

MD5
8ea0966e7361f75eeba9e4528c02e8d8

SHA1
ce0e25efe9158862a8ae170d673c23f4f494aabc

SHA256
4742bdb57e46a155f14f8d571cc9b410967bef96fa92d4c7f1589edb8f95323d

SHA512
2be25284d99b5f5d2da9f231ddac01107f2652b81cddc655042dcaea7d01745a0751a86f14581f2e4f8647193e63672114f8f2f6c70b13ec56c5c4434cd3deb1

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
88KB

MD5
0efeb4a140d4829830025e5e7fe6d2ef

SHA1
09bbda007d22256201c1f48354e7bc95e5c28fa0

SHA256
5807502f8181bd799001c5f47567c5f3c9dc0e398866a964a880334a73e87e09

SHA512
567f97d1622d38a0a6c8af85430b91111c78defdc84ffa2f5ee17f19d1de83658ca24bc62419908b07458c5995c04d1044047b6787215b36e4d497247f1407da

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
88KB

MD5
5bb4f0571f44b18bc10a17a8a4258b85

SHA1
32bf20c2318a7a2f345364ce8417fdf2fef48e67

SHA256
db0671038a3338cc9b688947a534e947b52054b69042fdd4d4080c91c739d804

SHA512
c6c923377014814eb6ecae065a32822734382b2c1bdfbefb5cd913b810aca3fd768cf4eeded7fc507f88cabb7a2b05886c65b2c0c4c22a9f6d2c92dc7229b39e

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
88KB

MD5
14032d2836abe4247515fea155d608c3

SHA1
d3a6f5221056c120d0bed4d813ab3651c0b810f8

SHA256
dcfbaee96da71b861343ca46880cd3b23c11f845eff9634bf904f750a0712c6a

SHA512
e23a20b1cb8c53878b4a589f0f091b55fb9b4f40cc2d2286638c3ce78e667239d299f7519bf4c6eb3ac34dcdb3e80d8da02e77989e1d12f9ae78f181d89e1118

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
88KB

MD5
2f1645e5741c46cc6e70b84c702b1d10

SHA1
c8a53b29b294d31ab77364936febefdaeb8d69b6

SHA256
0290fab391c894065aa7d9a65cd7a033219de3af718b1e2185acecae1a7262f1

SHA512
3be6897fd6e998290aa9dbc7ca7d34f9b4fa75b63da8f3975f4787413d62fd268950efcedf18ccd63f77ca1155bdc687f8aea03b2ec8b5d042d60e3fc88860c3

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
88KB

MD5
8e9f5cf7b5c86588c643f79d36ef009c

SHA1
b695a6efac3f08a4b1776d41fa19aa73fb00dea4

SHA256
fdabba2062660450acca2bf10f57e82c79829bf05835f323d681a9f897da9efa

SHA512
ce1dac523e2f93f1d770a9a5d26cfb0bfb8b1d0d9ad49bf0872606a149d240cf3cbfe6e2b6f0d0a96c3fca2eebb9785fce8ec9768680b7e9631884a493fa74f6

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
88KB

MD5
bc2f0a97b6656b6ce158f4617cc9751b

SHA1
d0a0d0b4a3e774003857cfcc6ce2803ffcd3a263

SHA256
3d1d01bb476cad035880e53f365c390e37b6fce1051080916f9d5134d49144b3

SHA512
d444f664a334e3a34298ac1a362417736a94b8cee4f3f68e85b419b77a8f21640c4201c174f4670322ea9d498452225c157cd5e8a1e73d3f8958c5e12a547a1d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
88KB

MD5
f684d6825e50a2100e13449f60a2310f

SHA1
eba8edcaa04eb994ae165aa7455deea017c3c827

SHA256
bdcbd594999cb1310b866ea3e4069a7f37ed56f98cf24477102a5dafcefffda8

SHA512
b1049bf595334ba536a0e5d3b51d99a76ce83b77c7b6062207faccb2b17d305a802e86204bba1418131d876ceb3fa7fee1210f15d043bdd4a7a017020d90ab2a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
88KB

MD5
114a7bd0cbd25f09c55ae24d36f6411f

SHA1
b94a51ff85137de21d4f288b796633f9955c1fdb

SHA256
7b696ad2704dd8b4185385d033693ce1c07335810d02c84545b2e63640d2707c

SHA512
312bc52ea75c663ee323e644aa0f2e8818a3f98958070d4a1b376e04a0c2f3a9c991fcd9b5d62442fd3bb35cf32e20a00a5c33d4a839a257ac27a3189bd98d4a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
88KB

MD5
68f3eba796a41277b77d10d6642dc092

SHA1
b4552425098f67811beb1c75e824205cd1418752

SHA256
5cdaea7f649670d3ccc3ee41f8ccc50c28c3b07fed15e2208276bd65d97261f9

SHA512
fe8f780df36f324d3b7bf28f5fd9014ff9cb0552818509e5807c9afb34064cd5752e3533d556cac33d38aae3ba7766e35ba4e4c37571f30307f60796b5e8977e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
88KB

MD5
767344420e3f08358b80538dbcdd5f1a

SHA1
89d2b86be85e8101371c1400f46034f934a0837c

SHA256
5c69fdbd21a303a49f11271adc24a3c9577cb0758996b71f9f10b857e861769f

SHA512
5ef3c7a6d0666ca542f7aa846e138ed5cf9feaec3aac46930718f67789288029d2d092e99c5ba7f9e345935dd214190fe650323d250b9505656b33754ac6d910

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
88KB

MD5
4300d66dc6824613818f71455574365d

SHA1
85545c948fe7c3c10d3d65ce6f620762230d78dc

SHA256
95710e0162332d3b7651f5c2bb01783d7a2ba002f2c64dd46946b044b1426321

SHA512
3ba82557463833d456233f8846fd8bf521a7c44d2817d83ea3c394bfcf6fa9153eece663ab0abf31b02595839a9defec941b89a85c520d35c2121330a7f2b412

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
88KB

MD5
302ce944618257c7f43729a4682334d3

SHA1
ab8d0c450ab228afd582cb541e0be6536e1754cd

SHA256
761884de486179854d76e6dabf359d248c011cf139522239fdb79d8d123ec846

SHA512
2120ab5bd47d89c2a62f2a76b868a899c2d60abfd6d38bba55e35ac86e461120a9f77e596a15a5c9cd352056b8737929de1bff3a56913a58c9927b2e2bc575b2

Download Submit
C:\Windows\SysWOW64\Pkmlea32.dll

Filesize
7KB

MD5
3c0af34148c7c22f3b43ab3e8ee844b5

SHA1
b8040eaf68dbfa68b9a5a98549b01878be08b399

SHA256
ec13667f2a7539075165d33c78d75ca7ce0ea6f40d9006c2b7152d9f1ba7330d

SHA512
0a26eec96b28f37491c68db348e1bd7dbd81c8bd9e5bd5592fb2def32fdc110c9e0d6cb2ea39169c0aed331b7ecf8605dff50182040abeb79115e9f470538ba4

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
88KB

MD5
bc7d11e3cf11eff4d1363a12945ffa77

SHA1
c33cf6688be08586fc0243ca8ad8d0f16018b9f3

SHA256
28d97737dd77fb7db55c719487d15cea81c6f200978713ca680775bf38569bd3

SHA512
7c4ec5809bfdf2ba1907a722aefb438d3cbd12c31fc37f3c12baba5ed700d90da1cbdef38916dac9dee1d157f0184f49341658cecd6b90337180c5d25338c6ac

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
88KB

MD5
7bf04622910a514ac02a1c2fa0cdad11

SHA1
cb3bc5b44261b122012aa20f9b916c8c50bb4d2f

SHA256
26addd35da4b6676b805a112a810d29a3544fb0440df3aecd2f88da2f8f221c5

SHA512
63077ab1af166b3b5e1d9b872a684e885c4383383d10a04ac1da4b4c41f6286536cf99d602e90423048c166f1efe1406ce6728c39d181ddecabbda5fee461bc4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
88KB

MD5
0a0bbed596baf2d791c8241e3c59943d

SHA1
43d844d83e70e71ca441ac76a07ff307e243b9d0

SHA256
64322b1088516906949ae2dc11b621be35f9a0bbf8abaa44a08fd59ea86ff12d

SHA512
7d33cb3f5e04ed62bd2f821a0e3d7a4f8264ab3b1c25b554a0be12dd8bb95f8d8f2db1331f7c602d0557fecd6b9533f062992ab4ed2b3f70cd63fdf7ccc384cf

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
88KB

MD5
1aca91def4154c2200ad31ecd806fc26

SHA1
2f698e18967e142dbb6d17a5750ae5e494ff5dc4

SHA256
115292b6483a0cedfc7c5e8e3995df99f7eb341c65eb701948661a68f79dc676

SHA512
a02d65373fc761b9b7dbe66963ac47402b2f3214d10cecdeb765af01bf013daa4fcfa2a779fd6f7250ec1ff13ddc824eb2da6aa92320c67a8620b016c73bf90f

Download Submit
memory/224-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads