97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
Size

512KB
MD5

c00d01b8a7ca89036511a083445fc37d
SHA1

0e6930f557cedd47068b2a8925266bbe5574378d
SHA256

97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e
SHA512

0df272107104d126ec0f1f1faf64f2bdd473f6f2fda6e13da94498d5e0106f39a293f427328a75ce798c80532657e0fa543ced970d0ac4bc2c18a42dd6134c69
SSDEEP

6144:Tee853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:nQBpnchWcZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe

Executes dropped EXE 64 IoCs

pid	Process
948	Qdbiedpa.exe
4548	Qmmnjfnl.exe
2300	Qddfkd32.exe
2904	Anmjcieo.exe
976	Aqkgpedc.exe
1452	Acjclpcf.exe
1576	Afhohlbj.exe
2612	Anogiicl.exe
1504	Aqncedbp.exe
2008	Aeiofcji.exe
4564	Agglboim.exe
2124	Ajfhnjhq.exe
3568	Amddjegd.exe
1696	Aqppkd32.exe
4940	Acnlgp32.exe
2956	Agjhgngj.exe
3632	Ajhddjfn.exe
464	Andqdh32.exe
1976	Aabmqd32.exe
2984	Aeniabfd.exe
4024	Aglemn32.exe
3648	Afoeiklb.exe
3968	Anfmjhmd.exe
2332	Aminee32.exe
1836	Aepefb32.exe
4788	Agoabn32.exe
3828	Bfabnjjp.exe
428	Bnhjohkb.exe
4368	Bagflcje.exe
3084	Bganhm32.exe
2436	Bjokdipf.exe
4052	Bmngqdpj.exe
3880	Beeoaapl.exe
4572	Bgcknmop.exe
3924	Bjagjhnc.exe
3112	Beglgani.exe
4384	Bfhhoi32.exe
4752	Bnpppgdj.exe
3484	Bmbplc32.exe
4500	Banllbdn.exe
1348	Bclhhnca.exe
412	Bhhdil32.exe
2000	Bjfaeh32.exe
1972	Bnbmefbg.exe
4356	Bapiabak.exe
4620	Belebq32.exe
4092	Chjaol32.exe
4484	Cfmajipb.exe
1384	Cndikf32.exe
4988	Cabfga32.exe
5148	Cenahpha.exe
5188	Chmndlge.exe
5228	Cjkjpgfi.exe
5260	Cmiflbel.exe
5308	Caebma32.exe
5348	Cdcoim32.exe
5388	Chokikeb.exe
5428	Cjmgfgdf.exe
5468	Cnicfe32.exe
5508	Cagobalc.exe
5548	Cdfkolkf.exe
5580	Chagok32.exe
5628	Cjpckf32.exe
5668	Cnkplejl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe

Program crash 1 IoCs

pid	pid_target	Process
6012	4556	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 948	1316	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe	84
PID 1316 wrote to memory of 948	1316	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe	84
PID 1316 wrote to memory of 948	1316	97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe	84
PID 948 wrote to memory of 4548	948	Qdbiedpa.exe	86
PID 948 wrote to memory of 4548	948	Qdbiedpa.exe	86
PID 948 wrote to memory of 4548	948	Qdbiedpa.exe	86
PID 4548 wrote to memory of 2300	4548	Qmmnjfnl.exe	87
PID 4548 wrote to memory of 2300	4548	Qmmnjfnl.exe	87
PID 4548 wrote to memory of 2300	4548	Qmmnjfnl.exe	87
PID 2300 wrote to memory of 2904	2300	Qddfkd32.exe	89
PID 2300 wrote to memory of 2904	2300	Qddfkd32.exe	89
PID 2300 wrote to memory of 2904	2300	Qddfkd32.exe	89
PID 2904 wrote to memory of 976	2904	Anmjcieo.exe	90
PID 2904 wrote to memory of 976	2904	Anmjcieo.exe	90
PID 2904 wrote to memory of 976	2904	Anmjcieo.exe	90
PID 976 wrote to memory of 1452	976	Aqkgpedc.exe	91
PID 976 wrote to memory of 1452	976	Aqkgpedc.exe	91
PID 976 wrote to memory of 1452	976	Aqkgpedc.exe	91
PID 1452 wrote to memory of 1576	1452	Acjclpcf.exe	92
PID 1452 wrote to memory of 1576	1452	Acjclpcf.exe	92
PID 1452 wrote to memory of 1576	1452	Acjclpcf.exe	92
PID 1576 wrote to memory of 2612	1576	Afhohlbj.exe	93
PID 1576 wrote to memory of 2612	1576	Afhohlbj.exe	93
PID 1576 wrote to memory of 2612	1576	Afhohlbj.exe	93
PID 2612 wrote to memory of 1504	2612	Anogiicl.exe	94
PID 2612 wrote to memory of 1504	2612	Anogiicl.exe	94
PID 2612 wrote to memory of 1504	2612	Anogiicl.exe	94
PID 1504 wrote to memory of 2008	1504	Aqncedbp.exe	95
PID 1504 wrote to memory of 2008	1504	Aqncedbp.exe	95
PID 1504 wrote to memory of 2008	1504	Aqncedbp.exe	95
PID 2008 wrote to memory of 4564	2008	Aeiofcji.exe	96
PID 2008 wrote to memory of 4564	2008	Aeiofcji.exe	96
PID 2008 wrote to memory of 4564	2008	Aeiofcji.exe	96
PID 4564 wrote to memory of 2124	4564	Agglboim.exe	97
PID 4564 wrote to memory of 2124	4564	Agglboim.exe	97
PID 4564 wrote to memory of 2124	4564	Agglboim.exe	97
PID 2124 wrote to memory of 3568	2124	Ajfhnjhq.exe	98
PID 2124 wrote to memory of 3568	2124	Ajfhnjhq.exe	98
PID 2124 wrote to memory of 3568	2124	Ajfhnjhq.exe	98
PID 3568 wrote to memory of 1696	3568	Amddjegd.exe	99
PID 3568 wrote to memory of 1696	3568	Amddjegd.exe	99
PID 3568 wrote to memory of 1696	3568	Amddjegd.exe	99
PID 1696 wrote to memory of 4940	1696	Aqppkd32.exe	100
PID 1696 wrote to memory of 4940	1696	Aqppkd32.exe	100
PID 1696 wrote to memory of 4940	1696	Aqppkd32.exe	100
PID 4940 wrote to memory of 2956	4940	Acnlgp32.exe	101
PID 4940 wrote to memory of 2956	4940	Acnlgp32.exe	101
PID 4940 wrote to memory of 2956	4940	Acnlgp32.exe	101
PID 2956 wrote to memory of 3632	2956	Agjhgngj.exe	102
PID 2956 wrote to memory of 3632	2956	Agjhgngj.exe	102
PID 2956 wrote to memory of 3632	2956	Agjhgngj.exe	102
PID 3632 wrote to memory of 464	3632	Ajhddjfn.exe	103
PID 3632 wrote to memory of 464	3632	Ajhddjfn.exe	103
PID 3632 wrote to memory of 464	3632	Ajhddjfn.exe	103
PID 464 wrote to memory of 1976	464	Andqdh32.exe	104
PID 464 wrote to memory of 1976	464	Andqdh32.exe	104
PID 464 wrote to memory of 1976	464	Andqdh32.exe	104
PID 1976 wrote to memory of 2984	1976	Aabmqd32.exe	105
PID 1976 wrote to memory of 2984	1976	Aabmqd32.exe	105
PID 1976 wrote to memory of 2984	1976	Aabmqd32.exe	105
PID 2984 wrote to memory of 4024	2984	Aeniabfd.exe	106
PID 2984 wrote to memory of 4024	2984	Aeniabfd.exe	106
PID 2984 wrote to memory of 4024	2984	Aeniabfd.exe	106
PID 4024 wrote to memory of 3648	4024	Aglemn32.exe	107

C:\Users\Admin\AppData\Local\Temp\97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe
"C:\Users\Admin\AppData\Local\Temp\97b4ed4e9ed60236208eb4fac087f46c6f862a92a9878802b0c799004037135e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Qdbiedpa.exe
  C:\Windows\system32\Qdbiedpa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        47⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5228
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5388
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        61⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        85⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 396
        97⤵
        Program crash
        
        PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4556 -ip 4556
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
512KB

MD5
0e068ac103cb6388d7e65cef79c72968

SHA1
6b383df65e202a85f19a517c729eb6ee630111fd

SHA256
092ef93ba67e254017065a4b99518db9de944ac1c354c813a1063d3eea68fa08

SHA512
58d5f88b61cfa74be884c6e26283226534e43fa54664a1d6aebb0ab3a13fb818e2e65a66051429cf5a913f5e8739898f324bfde09a769b790949e56a17e1784e

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
512KB

MD5
57fc35ff24ea02d85da886049b449a5c

SHA1
4b2e8373969ac43b7730cd351aa0d3f8721f22bb

SHA256
4be4083ee1e1929c4d2b038d8d2b048c450e0a050262b26145dac6f40f7fe8e3

SHA512
cf979e08ecfdeee7df8de5a67f58b26595419e55c40d3c28483758c6d46f463961c09032c6ddd28698138916befbec38259adc1fb7b697fed3919cd2a85de534

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
512KB

MD5
77eb84c4bc553c0ac3eddae9f76eacbc

SHA1
4a2cdf27a572df297a2524de4a734c39812453b6

SHA256
81e9f5aaa26def540628ead6b4c17e860f5a78da0c2df0ff12c17cefa5c2b4ba

SHA512
3c12bd79b7ce0e95029470438999e9fee47c69c9ecb75c4bfa56a4d3233f4590a4a86da8157b52da3215dc3a7ea27193412a08a9c7b1f3555dcb5f267ce05e4d

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
512KB

MD5
2919f65f67fa753cf0cc7939c661f16b

SHA1
3d251be1c4047a1fce51f201a7509b3d786454c0

SHA256
5102a2e93153f6529de1fd0d75549c6eca3274e908bcf98f4a3ed74f2f832d72

SHA512
2e55e6560d50220847c2f824f388227a96ec0a803a28d0fc67c21a7cec202d5130b4327a768d04334162736b9b1876b6d8988b8d53b9b265940b10e7fe338d04

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
512KB

MD5
22e492001baaa65db0c2124e0c8d9f9e

SHA1
472290369be60e4dc928a1a6563d915e316b9355

SHA256
a8f073f1ac81bf540408d71c52687ebae9d7a90e764821dbd8a3e196b2aadf3c

SHA512
f4de553f0c9786a9228b0be0caa5cf1ca38ea0f44ccfc66986b221aec6a3541d9253d1458324a353a376046ab8036112f59d20fdc5b1638f248010c02e17afcf

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
512KB

MD5
0cf5b9b4d45483fed4e31aeeb737f8d9

SHA1
32a61a3529ab4a22a60b8e0eb0c07a8e0b6dcbfd

SHA256
7280a38bd391e17801614af3814873fb456b007c383906ccd1536f456ed388bb

SHA512
b22474001517c35894072cc39997a767c04c6c27cedff2b3b4d0d6fa3ce19622fecb1db2b9f61eaf2d3dcd1c322c559417957b69668d777fcd56fe4175db42db

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
512KB

MD5
6ce27919d3d1a40393f79befcf62d8dd

SHA1
d45f301f8a943f03f69677b8eb193fb2a6fb4ced

SHA256
fe635ddc2136405ad74262c4a95fe044829c1f0a49c740afb62d394b142d1c3c

SHA512
6b8797eb526a3f3c380372299fb7af8b594f22183e98ee9eeaeb4388b7cc911f14f91a53a2d99698f0039d9b627bea7fea81eb8de05538f88636ad835dfbbe01

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
512KB

MD5
02977a7c3b042f0cdb8e8a123c560169

SHA1
fe6c8247c4a89270f407fc3d872a3a31e7cc0bc2

SHA256
632efc5d1231969645ba787e677a7c5f9cef117d322ae4aff2355425f6f82330

SHA512
e0c0220370a3c2b2de324bed0df9f8e62401726b6ca85984c3c70c89d33f3908a61eb0400876d083b1b42b72b9eba5f33b7cf7ebe32b82db610d7b59655333d4

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
512KB

MD5
4707f6bfa77fbb17897cd4807174db69

SHA1
dcc535e43a2962ed13fc07ce905bed3e3a7c493e

SHA256
0452a7342ab7658526cfbf3c8c304eb75c696b7ac81d2677d11a1ca49ce2719b

SHA512
f8d0443ac004ce8a870f726c42c0e19ddefa1e08dd782a3625219994cf60d5c31aa0426c4b570b2dedaf21bc65e1afd78ec0ba6536ee544562be24cb0d13979a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
512KB

MD5
2378bd2f85356c89087e62aca3439316

SHA1
88e4fe24daf932606e282a9618059f25c94abea5

SHA256
b603195a6338de10e2e77c6e4fa1170fc3a7182eb455e9af17809d14a2501547

SHA512
44654a9257f8a7ba32d88096c4f6e011ac83a5f577b7f7b19715e64e729c8c63cc2dd0532b57a39ded9f68afdb402d2370eb2402f19ca95ce6e750b45727f6ca

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
512KB

MD5
0edc6157b20c1e648908ed369f559e32

SHA1
0f859026a455bea84e8de26b6276fa448f4cb06d

SHA256
3c44eed0c5e96eb23ab16dbffd914697ac0b327a15a2a602a3762f6d37bd6c25

SHA512
cb8afbb21195d0fe459a06ff0dd8008ffa3fdaf490c86f9e25687c47df7e4bf5b05075ad9b031e51b1f632e82c32d557eb9743d7b5d677fbc785dc1669144131

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
512KB

MD5
3edf2fe1bd17d6fea569435810dff309

SHA1
ee00cdffdeec59e8211cfa3fe0d11455fffe527a

SHA256
e0e6a782781fc09ed8e54fbca80ab35a857d7064ced0a66167e8f35b8822bda6

SHA512
0e8712cc06ead73f1fa0660474bce45e9e64404c04ea6cdb6a766c16e0e914475bd54be3c3038f87f5c081ef9d46d31e87782195be2e975274ec9d411311fa33

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
512KB

MD5
b1a8ee8885dceadf89ded3a67e08f719

SHA1
761646b9c9a80f43ff8a543dd73a3d714bed884c

SHA256
4ea1ee541f26a2ee03db52bfe610ee1f1a4fc6807f53e7670752e9a75fadf2b0

SHA512
ca1b4909ba923fb1a3decd9c49c959fd7508dc9d7504aa48d6fe0d57854071dcbf3bcfed0f5cd6a89444df5e4d87cefc29ea87acd571ba2eee53260e556fc567

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
512KB

MD5
04a6285cf25b9b617afefd99bbea8382

SHA1
ddb137f454410930dcbc0859490a2ca952718a87

SHA256
97b9d06a41616780902df3b87b87aa250c5cf2f974dbc3b4cd842028e5f31389

SHA512
8dd1da93bf12dddeee4e7f203a1d7687c85d969d66db5c0822dc5ce163e015eb46434518b512d24c2f481ed61f8185d9dcf441d7196bb6b25a58890b158734d1

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
512KB

MD5
c4e6b2d6c375d484c77d64a66d159b36

SHA1
a008a4b666c73bd597fbca9cf46b78a5274c3c6b

SHA256
66e3352e0d6cbedfb738341d884b9811430859fc3d2bdd04e43742b94baaf791

SHA512
d4eacfa8a800149ae4ad46989429915f45794600e1fb3912cecedbe32a85073c96de235d7dd653726e6d871d1a8d5103bfcbf65eb85e9f5a4a89cbf9b6bee4f1

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
512KB

MD5
82b9acd31dd78ec05ba934abff6859dc

SHA1
ff02c095733033eb210e9b75b6b633a1583b69c7

SHA256
3797fa18d102afd04c9128a054994d5190b4db56a015c7b978a72c171445db3a

SHA512
08ddba6f558eb8728dad1340cf470e27fc90090652a3b05329646ea30d4a7420a35e006bc6084e3966fde9aa9bb2cde5bfbca224888046a793af1405e94c8190

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
512KB

MD5
982025e525fe8107428562ed09762fab

SHA1
8fb816bd9b90ba9e986cdfbfe5303fd19fac5250

SHA256
1a36a11e11444cfcda6c14053c909bfbed82c92a05cbf241358b72063124f5e1

SHA512
7b2684b7fda4d11b04308a220ad2812596fdb716df7b77b7be698d8fa29438d64083e815877d17c3c135f081e2189f870f135e1cbd3b94ecaaadc8e637bccd2d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
512KB

MD5
b26a6fcec5d084f300db0819ad822eca

SHA1
6a8e1809a9b022b9b6ef2c023493ec383438a94c

SHA256
e004ef9f8e6cc450ac342795a322b603b2bf352757b10aa568710de63b43f5da

SHA512
4c69cae015fe894af5b21fe7ca5f6fcf6523cda14fcefc6dd4199727cbcdc2cb5d36fe283d1dc3d02aa2175a69af26074b504313bcd2857541d9191c89c11f67

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
512KB

MD5
ed6bd22b997d74042dec4202ae5228fa

SHA1
0b34084cf2d17e70857ce9db1a99f569190d49bb

SHA256
4b07c51af10d792bc4cfae4bd86c21032bab4a5e1baa4eb203dd44e0f223d7dd

SHA512
9c5220d7630970047a4ad08667786beb0c09c6b840cff63e008b2377610d8354d3af846032f2e0c1ef4d91fe72bc21497842e0999b69dac3d4fd6d0a24b0cf07

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
512KB

MD5
504697afb37529cd91e22e9b76460ac8

SHA1
a6b8544fd5aff74db7bfa9b973e8921e2ef0c2ba

SHA256
c5ac1cfc8a822a500dcafdddb712ca70b8f7982414bf0766593311811bb16fff

SHA512
ee04f14863e615e53fbcdd22d23b45030101e24492a937b75e4cd1ec1a51347da7a91ea60c89ad94f7aebbcc2dad01a5dfa04d0ad0a748ca3dbb8396898773e4

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
512KB

MD5
f7c8b7231276047887c5b8bdf0ee5925

SHA1
56ca1b5c0c0382b0a6bb226871e493affda8c69a

SHA256
c6e2fff1c784a2c31468de947988ac37de7627f9a443065c43ca30f706dc8365

SHA512
29146c7ead6315acfb07e92b93637208fa966947ffb8362a6b9d6fa8f73bb349c79e30bb9e9d41ee91eeab95a5b0efbc04970b52a199b11cf5ae20a9f7b57e36

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
512KB

MD5
7d96d9ceced92a9907688763e77d0a69

SHA1
3c86343b83c67676e4dc4bce43e9830ac93be869

SHA256
3d25301e6f664bf1a4a22d633bdb601f8203de7b1d3787d16202104ba33e012d

SHA512
e1691e73c5bb25f021aac3240f65430550b45fe148ade249cfedba761c8cc2d86f34c593d0956082fddb6d6048abd6c769be4df525e46deff1895d5f82b71970

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
512KB

MD5
9a409aaef1bd12965f56891ad38c2ae5

SHA1
ac0fe1baaeabba45342ea8e4eaf1ff9e56aaac92

SHA256
06812a91682712a56e0247a900b9142f78d417bdc23d8438bc2e3e89459ad07e

SHA512
7d226eb1341252751f17f726ec53c6f53c26e5dda2069cce975f734c7199228951b0a02db51259acf28cc50457438823b985ce4ad92576d106afdd384f58aa97

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
512KB

MD5
8a3c3db9a646ec2334f4f08c292eb984

SHA1
efd095c354e90c128a221334d0ce8a971a3d02fb

SHA256
e1e989ca670e191ed9fd751baad51f1a6785768552b427a2702882950098a598

SHA512
908d6c99d1d6c1b16563957409f63dfbc3bb23789b99d074f515dab0d9e328709f57b4e585d3f1f192b2516eac8b71b70c0d701347502af9729e3a3430c4afc1

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
512KB

MD5
4b1c52feb94b99d2885c9a41d59dde52

SHA1
d8117165b8ec83c907c73b0eb466cd375875363c

SHA256
97efc91db798843c45f45ca97ee6cd1c2ef890f4589bb15338e8b87e7ef8e00b

SHA512
f8a9fc982da0b0a7c3a5703fe24035bb4c9ec100c0f9f9d94eeb2fcb81b48385540b9be2115a15775feb0a7373631bba0f7643cab4678b50823eaf082180c185

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
512KB

MD5
a9876581c742b605c0df794e190ae522

SHA1
4be01ce13ca9923bc4aa105d40f028b9a5220526

SHA256
5772e5b999d2d5d35f32271432cbaa55ae5a6125f7c0628be667d3eef7b711d5

SHA512
cdfe010d4426864f49c53b42a10310249a5597de6ef6b285028ac5bd67c8dec2f63f7111d812b1b1c52dee82ad7c9b3e40fd4fbbbbaad14af07699e6f516c559

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
512KB

MD5
9e5bac335c6504855c81473de76aa9c8

SHA1
e593cef4c52989c8ebbddd48fb113bb668a5f6f7

SHA256
2f984d2ead29f79c3488c142f9521b944ae4159ddbdee0577a1cb6abf96f03e5

SHA512
7b6df2b46c780855bacb808c31c20f6ee8272518a3f24228450522cfa4fbdf7872d2a24bc39a67806d402094376e72208c1bca19a8a7729f9ab451facdeab835

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
512KB

MD5
e35b0a17cb8b312442635dfaa45209d0

SHA1
67505a9e64cfc9f21fdd478e412a45641089cc44

SHA256
ce8cc94b2a37174df143230b15ae4d14367a9868a1ac48f24cf7b25102f5e169

SHA512
2f50922b012d9cab8f9fa98deb1c04efdedceaf201193266a0b3714a60913bcc740efb093f9990bc2919593024d4bedd7cd80960358a61e61cc3a0922cd25ef2

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
512KB

MD5
bc5831c509594b861afe53b11f241fd5

SHA1
01bd1290079d647aa6bcf96ad1d21724ab0aeca9

SHA256
879479ed5b39429e5bd67a6f459159bc13696fd279721880022802e2fbd4e775

SHA512
7772efb04aade2432f2521b5fda18a6754eed4e7bb2e3e41700c52efddfa76d0b4ad095941a66df3ff66c9efb6e9c4c960f4f187054df576bfb1e438bbd62628

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
512KB

MD5
cd925713d305da49691cc3487fdcd96d

SHA1
dead11746d04502d1ecc78b63a230bac201e5b00

SHA256
09339cd136c3af2e1df3ebe19aa9881252ca1b079dc090842fc995f25380928d

SHA512
134561f2f7818b2d318249f23f65e7f8f7938ab0f64ab55afe2c6ba9f11264bea18759f00d743f16359322fd52a7c4d0aa3ca7bd1e6f573ce466a984fc46e8db

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
512KB

MD5
568f7b14557c99096e100b1a7f6d41ed

SHA1
73409ad307e6ee37c9732e0369c80f183f8bc756

SHA256
f421a71165523ef402e12655e47efff6e888581b03ac1b59d286ac1ab294e6b0

SHA512
74252eba6d679362ad47de734427e532309ff19f1c724f2f7ea8f2d886ccaf6334521437e423599b5505ab79ffe9a8fe8509cde3b5cd8d2948853b323b7db2d3

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
512KB

MD5
fbf1c6939c9fdeac46ffbd09ead67fe3

SHA1
54e60904eab52fef41adb921829176092267ead1

SHA256
001d0768e130e085e2df75e109ec5b9f00117d58b89c0bdf2a624f50950f8ef2

SHA512
b38121450f4f07eda3436fb8187a84fe11b17a1b7f1b0a20e992f9a21612fcc56b90443010c80189383882123d45a5e0b19046c8e227a27fbdb5540bd7f2d7d2

Download Submit
memory/412-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-605-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5148-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5188-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5228-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5256-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5260-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5308-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5348-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5368-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5388-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5428-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5468-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5508-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5516-611-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5548-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5580-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5588-618-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5628-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5644-623-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5668-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5708-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5740-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5788-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5820-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5868-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5908-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5948-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5980-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6028-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6068-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6108-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads