d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Size

45KB
MD5

cd19f7c8f4e4faab32ab07ab646edb20
SHA1

e468c22d64104597791c84ac7e08db88145e643a
SHA256

d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004
SHA512

2860950d154145f5f5bd00e75ee18b08ca8d63c0b621b2e7fccfa0e3326874b6c55603e77fc694a9fc7ca1bd1d7c50f6d5d07e3c6e13c8976a91761cfe7c85a1
SSDEEP

768:DqcLbisi8Pl+dekQmEUV8QrYNntVALbhpfyrgOMp8Bacs8ArA/1H5k:DbLzQdfDy9ntChcrlucs8ArGK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 64 IoCs

pid	Process
4116	Qfcfml32.exe
2868	Qnjnnj32.exe
2316	Qqijje32.exe
2724	Qcgffqei.exe
2632	Qffbbldm.exe
208	Anmjcieo.exe
4224	Aqkgpedc.exe
4832	Acjclpcf.exe
1888	Afhohlbj.exe
2308	Anogiicl.exe
3892	Aqncedbp.exe
2404	Aclpap32.exe
1448	Afjlnk32.exe
4368	Anadoi32.exe
4964	Aeklkchg.exe
4912	Afmhck32.exe
4468	Andqdh32.exe
4016	Aeniabfd.exe
2328	Aglemn32.exe
4940	Ajkaii32.exe
2920	Aminee32.exe
2844	Aepefb32.exe
628	Agoabn32.exe
2924	Bjmnoi32.exe
3528	Bnhjohkb.exe
4536	Bagflcje.exe
4868	Bcebhoii.exe
5052	Bfdodjhm.exe
4480	Bmngqdpj.exe
1108	Beeoaapl.exe
5008	Bgcknmop.exe
2836	Bjagjhnc.exe
1500	Bnmcjg32.exe
4944	Beglgani.exe
640	Bgehcmmm.exe
3588	Bjddphlq.exe
4296	Bmbplc32.exe
3420	Beihma32.exe
3168	Bhhdil32.exe
4380	Bjfaeh32.exe
2864	Bmemac32.exe
3980	Belebq32.exe
1248	Chjaol32.exe
4072	Cjinkg32.exe
3428	Cmgjgcgo.exe
876	Cenahpha.exe
2320	Cdabcm32.exe
4740	Cfpnph32.exe
1564	Cnffqf32.exe
4916	Caebma32.exe
4364	Cdcoim32.exe
4344	Cfbkeh32.exe
4904	Cmlcbbcj.exe
4292	Ceckcp32.exe
232	Chagok32.exe
2588	Cfdhkhjj.exe
2208	Cnkplejl.exe
3948	Cmnpgb32.exe
2888	Ceehho32.exe
3232	Cdhhdlid.exe
2728	Cffdpghg.exe
3140	Cmqmma32.exe
2628	Cegdnopg.exe
3728	Dhfajjoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3624	856	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4116	2228	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe	83
PID 2228 wrote to memory of 4116	2228	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe	83
PID 2228 wrote to memory of 4116	2228	d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe	83
PID 4116 wrote to memory of 2868	4116	Qfcfml32.exe	84
PID 4116 wrote to memory of 2868	4116	Qfcfml32.exe	84
PID 4116 wrote to memory of 2868	4116	Qfcfml32.exe	84
PID 2868 wrote to memory of 2316	2868	Qnjnnj32.exe	85
PID 2868 wrote to memory of 2316	2868	Qnjnnj32.exe	85
PID 2868 wrote to memory of 2316	2868	Qnjnnj32.exe	85
PID 2316 wrote to memory of 2724	2316	Qqijje32.exe	86
PID 2316 wrote to memory of 2724	2316	Qqijje32.exe	86
PID 2316 wrote to memory of 2724	2316	Qqijje32.exe	86
PID 2724 wrote to memory of 2632	2724	Qcgffqei.exe	87
PID 2724 wrote to memory of 2632	2724	Qcgffqei.exe	87
PID 2724 wrote to memory of 2632	2724	Qcgffqei.exe	87
PID 2632 wrote to memory of 208	2632	Qffbbldm.exe	88
PID 2632 wrote to memory of 208	2632	Qffbbldm.exe	88
PID 2632 wrote to memory of 208	2632	Qffbbldm.exe	88
PID 208 wrote to memory of 4224	208	Anmjcieo.exe	89
PID 208 wrote to memory of 4224	208	Anmjcieo.exe	89
PID 208 wrote to memory of 4224	208	Anmjcieo.exe	89
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4832 wrote to memory of 1888	4832	Acjclpcf.exe	91
PID 4832 wrote to memory of 1888	4832	Acjclpcf.exe	91
PID 4832 wrote to memory of 1888	4832	Acjclpcf.exe	91
PID 1888 wrote to memory of 2308	1888	Afhohlbj.exe	92
PID 1888 wrote to memory of 2308	1888	Afhohlbj.exe	92
PID 1888 wrote to memory of 2308	1888	Afhohlbj.exe	92
PID 2308 wrote to memory of 3892	2308	Anogiicl.exe	93
PID 2308 wrote to memory of 3892	2308	Anogiicl.exe	93
PID 2308 wrote to memory of 3892	2308	Anogiicl.exe	93
PID 3892 wrote to memory of 2404	3892	Aqncedbp.exe	95
PID 3892 wrote to memory of 2404	3892	Aqncedbp.exe	95
PID 3892 wrote to memory of 2404	3892	Aqncedbp.exe	95
PID 2404 wrote to memory of 1448	2404	Aclpap32.exe	96
PID 2404 wrote to memory of 1448	2404	Aclpap32.exe	96
PID 2404 wrote to memory of 1448	2404	Aclpap32.exe	96
PID 1448 wrote to memory of 4368	1448	Afjlnk32.exe	97
PID 1448 wrote to memory of 4368	1448	Afjlnk32.exe	97
PID 1448 wrote to memory of 4368	1448	Afjlnk32.exe	97
PID 4368 wrote to memory of 4964	4368	Anadoi32.exe	98
PID 4368 wrote to memory of 4964	4368	Anadoi32.exe	98
PID 4368 wrote to memory of 4964	4368	Anadoi32.exe	98
PID 4964 wrote to memory of 4912	4964	Aeklkchg.exe	99
PID 4964 wrote to memory of 4912	4964	Aeklkchg.exe	99
PID 4964 wrote to memory of 4912	4964	Aeklkchg.exe	99
PID 4912 wrote to memory of 4468	4912	Afmhck32.exe	101
PID 4912 wrote to memory of 4468	4912	Afmhck32.exe	101
PID 4912 wrote to memory of 4468	4912	Afmhck32.exe	101
PID 4468 wrote to memory of 4016	4468	Andqdh32.exe	102
PID 4468 wrote to memory of 4016	4468	Andqdh32.exe	102
PID 4468 wrote to memory of 4016	4468	Andqdh32.exe	102
PID 4016 wrote to memory of 2328	4016	Aeniabfd.exe	103
PID 4016 wrote to memory of 2328	4016	Aeniabfd.exe	103
PID 4016 wrote to memory of 2328	4016	Aeniabfd.exe	103
PID 2328 wrote to memory of 4940	2328	Aglemn32.exe	105
PID 2328 wrote to memory of 4940	2328	Aglemn32.exe	105
PID 2328 wrote to memory of 4940	2328	Aglemn32.exe	105
PID 4940 wrote to memory of 2920	4940	Ajkaii32.exe	106
PID 4940 wrote to memory of 2920	4940	Ajkaii32.exe	106
PID 4940 wrote to memory of 2920	4940	Ajkaii32.exe	106
PID 2920 wrote to memory of 2844	2920	Aminee32.exe	107

C:\Users\Admin\AppData\Local\Temp\d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe
"C:\Users\Admin\AppData\Local\Temp\d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\Qnjnnj32.exe
    C:\Windows\system32\Qnjnnj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\Qqijje32.exe
      C:\Windows\system32\Qqijje32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        52⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 404
        81⤵
        Program crash
        
        PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 856 -ip 856
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
45KB

MD5
5afa39ea3b1cfdaa01ad088979e6fcbd

SHA1
86066a0d2a63cf19c8487955fc5f0c0f03ed294b

SHA256
bf482be613a14e4a8e2616101bb7d2fe88ea5163c5e9ddfd6fbef9e7d8613014

SHA512
b32844631c0d6ceb47b577c17bd92d22e2149ae869fb10f9f183e1f6cbca5da6609a9215bbc48a6004bdee2b7c975606c56aab4507abd6df2557e147241de675

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
45KB

MD5
fd3020cf56b65424755380f90f473cc2

SHA1
c5bebf380de55dbb1d7b19bb27cd40082e561ea2

SHA256
f52a0afb571687f9791cad5e7ce6f3102e5da4c28ab77e7f675a4301d6c39e33

SHA512
1f149823609edf3b9809d9776df909b2ce193f42c6c1242b5f05a84b97fb22ed337a4feae9b28bb17b2197226d1005b6f3745a33b4653523f6113fffc1b3d2d9

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
45KB

MD5
39b2c492f82ef175827b0b423322f65f

SHA1
90d539f81cacf0a79949c1e1298215733e4b5776

SHA256
d33dfc9547cad70df546401c6bc1f69e65d4e5fec4611fc288cc4731683bb405

SHA512
1ecf840f844892023129f73dd475c56c0b24c427a3573cd609598a6109aaf6da4d50910579ee2a1146ede40591712a9243c0d371a2a64860d99a589555a08b2b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
45KB

MD5
70183108fa2cbaaba2d056ea4ea7e39b

SHA1
fead1167cf8682250e41a8ab4efc2921e80e47db

SHA256
b4de6bdf83e9ee681cede61ebdac6f38aa6587306111f0c5fe919af226ba24a0

SHA512
51a835b472cbd36d596b3314dafaf0d1c1d24fef8222908cbe386f7448a52efaa5cf2468fcfadc48941ce78613b39e2fee8c5e2a72e9db318d304b6a774cce67

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
45KB

MD5
58a604baa7a7db3e2fd77a45b54eb874

SHA1
757093d815a149a98149da35ab38047c6f9d6d7f

SHA256
3d30a3c266002e3f1a90576ff6c78b0356f083b8a853327c16e57e5d52cc40cc

SHA512
71305f0cf7a256138764c1c609ae7c27a22b6b5fcd269e8850d45a0fa33986183e8a6ef9053a28c89f1e66561f888d05c0e49316404471968431a68402b89225

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
45KB

MD5
8e676ea54755ea9653dcea21fc2c0a23

SHA1
89240319ba9272e50d8d48d6cbf161e6bf6f8586

SHA256
970157c0f5b9da39cd03169e8eae407d139447ddc6e3b07d6c57f2ab569dea05

SHA512
06a3a744c907cf21e21e248af6aa8d1e9382c7070a124955263f343d4c81a00fa5a23b50eaaf3c252ae23e19a8c9c5648aa0d89456da9118e201358990fc09b7

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
45KB

MD5
3c07b8becf3c4d6ad6ebaddb5186fbc8

SHA1
9a0b95fbf6ee6be7aa69630ea3096425a03a9de6

SHA256
20ce8a14621626a7ea922a05711e57919a39120efbd0e7dadc118e31522bfcee

SHA512
f75eb985394179da4d6d66429569c0c6d96b3f9e6c71cff7ae3a2955bdcaab616ea3ca775dabd6f19cd9ed5f52eefe3640127322fc16fcd3fab6f505075d7086

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
45KB

MD5
05b02f009fc58f86dbe90cfbd98b1140

SHA1
3298cc738f2c621b40066d9fce3309aba7831133

SHA256
bc125e2b5673da5823b8f6e2f88fce812f8a59a26c7f4743acc58dc57fa4322b

SHA512
05e56d89d821a9f5a724c31b0d7fe0142861fb6c8ddad35dc9ac087ce48157d8c7a4ff8918076e6bdf90132cc7c3624d425387da39f0d63dfb3fb68e31cf4734

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
45KB

MD5
84629fdd6e980dd1c1d47867c7fbcf34

SHA1
2cf1c99d81309a2e2f04a91747588946a64beeb1

SHA256
63d470da3783a4cef333e10ec271f72884e224ffd8c3bca108968ad9fefc2cc5

SHA512
2a6cb6bdb516e521d1e4a942cc9013d8780bd45de6ecde7e27cc1d27bfddb03f942609c40a48d55693dad8c179c87023c4d192d026204ef65b0e589f588e9dd6

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
45KB

MD5
8bc47ead384fbb096aa8dea0ebf59ffc

SHA1
bf63e2c28fb5117682cf16e39d917da78e86d819

SHA256
14a74d0426e5af861757a6ee095c5f033e2db6c09c60bf7afc788d2f4a89d044

SHA512
f67749f23f30fce990524cb07f72326843f4dd5c7bb642967460c04f4627f22c7e76236744f5097df3917cb53311300557dd57dd52609755cc6ae98eb38f1dbf

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
45KB

MD5
9c7ca54fcf8f01933574c138093cfb17

SHA1
a6a07b5cd7c7f74a29be102cae17995cde1ec8d6

SHA256
93421b9c4480c866cb82d94afcac48094b8866bcb27aa9bafb1948ce641bafb0

SHA512
05a21cc62e2dd73fa6cb10fc02583d74d7594a7febca58f73b3aeae65926f096d6995ce408c2a819c4dd64ee7f23c2d054a8cde4fdfebe261cd5f57664717a3c

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
45KB

MD5
656df7a39d197e18d17ba1d6045a4f26

SHA1
6caf02422fbefe3e793de68a1856d726e5a006e6

SHA256
e68519d44b008b3b5e6fc6177ffdf46eadebc928072c8be16282d60e26998070

SHA512
72da2612fde81f07430fd789122951bdca1c0df9dbf59e3dee5862436a0a258a3b9c57ea05ca8a1739bfc67c3c219d97915472a7898dd87cde61d2c5f0b95f07

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
45KB

MD5
1b07906dbee1ecda1c3f698eb76bc06e

SHA1
e8166149d52e03396498eb49f6b12b29b8639389

SHA256
c0e87394c48ed06d309648673e85bd64012d4a6b8ac646734841cb57ee8187da

SHA512
fdeb5b984b82b4fa1bb25009648c4120014ec424de3dcbfe6757320f0766e759a30df88e236bf322df3d16563e093b0d1bf6ab26db541c4d09d79a46d5af43fc

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
45KB

MD5
3385c04f127ee786a9e27c47d2dbe8be

SHA1
c4dbea6bf6c6f518131ca1a1fc545fd2878eb479

SHA256
2954cc3e21a42b1d50a76758f955c7fa93c23e6cb548229d8257698f82678d47

SHA512
ecfaeabd3a8537425a4f2f01e2c77293f37c5f69c87bef627d60fd6688fbbfb251221c8e5671ee74f24bcca8f7afa05ef66b8cb57160eb0bfb17212045eb10fb

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
45KB

MD5
f23aa52b4e02d42f2b534c00a611f345

SHA1
cd4cafbfd15b68195c7e0c0b4233c9183204743e

SHA256
816eadd7c59dccffe1f3e882714c1c0a27c7e0edbf07410f74667f82346bbfaa

SHA512
30f3fb2d61d6c68e7975f9b2f0f54ffe4752cd92fba758e5b769c0a083ce9eca47041a6b7f2ac450cffa7169383f0edce86360fa90ba248bbb736fcce49a81b1

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
45KB

MD5
7ffff0c453376fe36a23fc7404eeb9b0

SHA1
2d1fc7efe24ba9dbb922940e47b253caa09247aa

SHA256
0f93299d8829411f1a274207d3b4c4f42b6abe8b3c78d5876d705fc22a1261f1

SHA512
cac917c3e363015753ce577a7b4d5594ebf4143d010031afcb9dc5b43777414f7306b4cab8fccad938045690768793f98f0ccf4b7127c8adff719abe1940276b

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
45KB

MD5
cd8444f88ccef71878ebaf63ed47bfa0

SHA1
2fc2f4f00a75c94a6af118723a4850f05efba1a7

SHA256
1adee60ad10e240a03c1cccabf2241f541cbbc9fcc55a78ca9bb8190f79dafe3

SHA512
183e7cbb736628c7ee1b291467d69180f81e5c757ffef48ea056db7b2ded0570bc7b8a749d8d9d1dfcc57e47fa9ff4d1fc8fed749168c8085440f1e2f09335e1

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
45KB

MD5
3c57ac552f82a9d68de0fa4854b871ad

SHA1
7450666cd29fa78ad338a0bb7499081e0ba42d11

SHA256
08d3189e12683ff3ba0328e8f1b129b26ca7ab018210156c17d25272b880a455

SHA512
9273352f2dca530193ab59f9e692a09b16f3b88c6ade428af356fae2f7d464b55ced80dd6d382ba7e65318db65c288c0229cf3e40d72706ea571d942ab28edd6

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
45KB

MD5
e826559845aba4c1096c4d386d74b3c6

SHA1
e293c0f5868865f11d7b56bb621da1b137f21aa4

SHA256
72386f1271b3b417ec1e6b862abc9a08eae21c43d44f7ddfb01cb5a9790b7d77

SHA512
bd038a4989c3cc73726d4f3469c5286656202309553e1254b9c35d8441e5d1a7e2c7c00090fc6086365609dfafc6d3509f22eeb41e9fcde0df3fe5f364d9b748

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
b68c468201d1bb569d9090f345406d51

SHA1
7622a08405e7564b208360ec4b7d0e2e65612522

SHA256
514f4980052dd78924a63be8c74154532d921b6e5491ce9e6b7237e3bcb89978

SHA512
4e218e9a62f4838f44e366f4d996c82118c86ca017726799684fbfb337ba6b3fce69d4b1e4682efd655f2d6440487a3afedd5f162d484bc51affc36209fcb3a9

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
45KB

MD5
d7d7bd525dbd8a191a97d368d5693bed

SHA1
0129d1cbd438fe2cf9441c66c7837ae521d4a27d

SHA256
e0c5731ea290ee5cc3ffbd2fd6d0dc62377d5871e16f67c140c592dc94df7ebb

SHA512
4573c5675eb4823090f9931c363edfced1b1baf56e05087aaa8d3c0b1a2a2a399cbf91df626e112f068a281fb5dc411547a5a8cb9bc55aa239635a5f1e9ff952

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
45KB

MD5
5a0897926b731e1027e4abf1125d1b19

SHA1
edeb4cd4e1da4dc4a7e949c51644d634559e33c2

SHA256
90c990459cb036fd4813dcc9eca315b5bfed40b555fcc6b7e878ee75db244e78

SHA512
e057f80ea4e69243a465d1f5a117cd15713620235424d4f3d656ddc739be9b0773c37969eea4ee99ff34ebe4c49c2f3992517f3de3c640d19178c9905f6e9211

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
45KB

MD5
8b61c8d39bdfe960c6eb47d6decd0216

SHA1
6359ee0e656a8ce17a0dc86b667133fe603bca52

SHA256
279a2e671d20123b30c7eac6a8ee54b56a67b53b9d648b04ceec85fbabc72d42

SHA512
a6eed559811ef98f06a41e351d6ddbd70c5852c948fda85b55a12f823eedc8a037bc2fba22c1f6391f1813f8cd476d0db455e0210153b74570aff7ea1cca0dcd

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
5b0e6ea8fa50c3761b75dc555544410b

SHA1
ab2210e026b5088379265b623389ca8b188652e9

SHA256
154e8f371c775ab2a126de0866cf9c98802854dce333c1b73b29a348624e6594

SHA512
42dd95f17988230aa8186ca42d521217988a62738f467445fc95e0f163424bd5d4ab076245a4f960265743c409ed4a05a2e9d42aa32b3b6beb6b669f32f7d472

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
45KB

MD5
d42098ba3d0ef4ec921ddaf0f4654d3b

SHA1
c6498a82c0f67342b2a04d38a53d3afcccdb91ee

SHA256
bba66fc547fd97fbba18037d777968d04b5ed4f9143f44fafc339eae609408a6

SHA512
5e923fb7154293ac7f81ec79d85dc6a5a4ba2fbdba1c186efd8b6ae9baec109c2e5106a71de9b40024a292831cd98bfbd55400836baae74acca2204e1a30ae92

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
bf448ce32af572386fd79b77439af26a

SHA1
042a10a0d4e87a57c77fe7b9cb4220701d04149e

SHA256
34391b15967314ca6213de5fc1dbdb8f8e8580c01253f0f20067d3f78433fe73

SHA512
4aaed8bf42a64b33abfdcb04a8e5991e358518526ab0805de6764760762d1020fa2d5d5d8d29cb3fb1666703c9ddcbe95c47997c6a022324bd8ed10984cc6ba5

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
45KB

MD5
d102bae593a0dd1819b12aab794fb7f7

SHA1
7955343a3146ced9faa45d89ca0abfee3f55e7bb

SHA256
13706d71a88c5800cfebf867106ba8bfe2500c69324b2e4dbbc12cb17192ff88

SHA512
782ca7b9863bee2d79c3ce62073cf2ac4ce201a9a6ddcc579371b639966b190c717a3af3eea33317da1bcdc455fb4e5ce3ea5ad9ad59c925d6392021ab4ac992

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
45KB

MD5
40933c7fcc87aedfafc041ffe411c731

SHA1
074d7112cadd7b98bbd3c2b3fc3071d8aab532f4

SHA256
108ae73809a45beb34f3f98a72b52e204c3cdf5d2b5cf8e6a6ba0293179dafcb

SHA512
90e8575bd3c7abf00b85b172f6c0fbf3d0fddc37323ec22d8a75c1556ecd5ae68391b94b22b5c4d810e4f48c19330f0dc819d6ca06adcaf42e6281ea63801e90

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
45KB

MD5
af013db6678cab8438873f65fcbd317f

SHA1
8924a71ab5b0445e63c092a927608907b3c9ae65

SHA256
6cfde88236bdb5504eefa174e6e4d183a05284af79804364becec0e07cbc7824

SHA512
78bf07d267cfe482e1b11ac669d51c664219b083756596c322a7fcab69cbdba5a2f83ba9380cf79cb197c79e756eb31913a673d7cdc3b68adcf9fea406ac56e1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
45KB

MD5
36dd6d882e09fa9d722d669fb5e8f70e

SHA1
17435409a51b83fb546f571088171fce399f181a

SHA256
c3d9a49e650c4c3b6b54bb1eec849cc2cf66311c264acffb84289cbf3e00a048

SHA512
661eb4fc83e1e4170e32ac5d38e72d039cd4c8f59c2af6c3a31eed122473d5673f98d254c3a58a2eaeba3c73437dbda278d26d5a07461a5c53a9869866a7988d

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
45KB

MD5
332261806b04f2fcbd32f83d3d98ee87

SHA1
f55a71824eca5ca3d5d73d446ed77b925fe147c2

SHA256
928bb139832c5fd6aedb45c3f51787ebd1b4e3ae872339b0acc5f62950433eda

SHA512
981b0f2bf8eca741897c02cf2b4f2a8820175e5514b882524d0d79629799407de51fcbe09386e5e296630e585cd35a27e63aa072dcf210713ef0a93d5c55fbbf

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
45KB

MD5
891abef7f612f3d671bad02ce0143606

SHA1
64efa5730cc4027e3eb553b5f5212651b21f974c

SHA256
07809c4856759e250f52ace02c19289ce4d276d00b9a44e19a54ba3f6b08ad46

SHA512
c7b0f505a85aa89b650e6cbf5870b2e1e51a72aa64b4f567b9368f8ade5bb6bde03b41d6d3d1ecf2859cfa22614ecdc0128afcb2a211faa4fc5e73c2b846ee50

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
45KB

MD5
68823c66f2eaa17d695df08e317e740e

SHA1
8022ea7aed3e11702d561bbbe057a46ee7521de7

SHA256
81054b6f33f16f7ab47775b4f6091f26400fb4fc5dbe88da366930ebb12201ae

SHA512
ae661ec5bfd5da74b78d355e44e2bee3a9cef89733238d82dc838605a074b6e0a731183bc4a89adf8c7d22e544456a6acfeba616edc35393e2a0fb31802b71f1

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
45KB

MD5
834f95f11f00aa79a23d0f06f902a381

SHA1
94368d6c25b4f5edc6a21f785d7b774fb6876f2d

SHA256
ca0a40b4120835b7ad0a3cbce686b608716479bec8337a4ac83f70485a59a00a

SHA512
410e62bc873aa56ba37f15d7fdb7ad55a8dd09a7d883fee4047287587b0978bbfda776747aaf83398a36fafef1eb344e162ba589ee2460ef4fdfa74e040e7ad6

Download Submit
memory/208-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-611-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads