7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064ba

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
Size

59KB
MD5

dad9af0c1518278fed1292650cb3c610
SHA1

5c3ab374701e18247c37f870f0fa36e04ecff44a
SHA256

7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064ba
SHA512

f2830b5671bccc68dcc1b4d5f2e60c583976ecaa946261066dec899820fa6390a9f061d3e3627054c9f97d385d57b35dcb5ad4aadd245b024f6fea2fcd770cc8
SSDEEP

768:RFg6MM5jwlflosDyYoOyGuFexFbERYtj3eNYDA79b4VhlQ4/gMVXEmcO2X2p/1H+:RLMhlloZZyFbEGNeao4dQ4/gMbG2LBO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe

Executes dropped EXE 64 IoCs

pid	Process
2812	Qfcfml32.exe
2528	Qnjnnj32.exe
964	Qddfkd32.exe
3832	Qgcbgo32.exe
1084	Anmjcieo.exe
2156	Aqkgpedc.exe
4396	Acjclpcf.exe
2272	Afhohlbj.exe
1152	Ambgef32.exe
3708	Aeiofcji.exe
800	Aclpap32.exe
4212	Afjlnk32.exe
4980	Anadoi32.exe
4132	Aqppkd32.exe
548	Acnlgp32.exe
2612	Amgapeea.exe
4580	Aglemn32.exe
1116	Anfmjhmd.exe
1512	Aepefb32.exe
3856	Agoabn32.exe
5056	Bnhjohkb.exe
1900	Bebblb32.exe
2676	Bfdodjhm.exe
892	Bnkgeg32.exe
2836	Beeoaapl.exe
4280	Bgcknmop.exe
2960	Bnmcjg32.exe
4232	Balpgb32.exe
3160	Bcjlcn32.exe
3328	Bgehcmmm.exe
4520	Bnpppgdj.exe
220	Banllbdn.exe
1360	Bclhhnca.exe
4308	Bjfaeh32.exe
4032	Belebq32.exe
4568	Chjaol32.exe
1828	Cjinkg32.exe
3516	Cmgjgcgo.exe
2672	Chmndlge.exe
1048	Cnffqf32.exe
468	Ceqnmpfo.exe
3584	Chokikeb.exe
740	Cfbkeh32.exe
3000	Cmlcbbcj.exe
2424	Cagobalc.exe
1760	Chagok32.exe
2072	Cjpckf32.exe
1768	Cajlhqjp.exe
1468	Chcddk32.exe
5048	Cjbpaf32.exe
4844	Calhnpgn.exe
2652	Ddjejl32.exe
4900	Dhfajjoj.exe
2172	Dopigd32.exe
3192	Dejacond.exe
4092	Dhhnpjmh.exe
4368	Djgjlelk.exe
2364	Dmefhako.exe
1708	Ddonekbl.exe
2756	Dhkjej32.exe
2748	Dmgbnq32.exe
1636	Daconoae.exe
4944	Ddakjkqi.exe
396	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3304	3952	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2812	5096	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe	82
PID 5096 wrote to memory of 2812	5096	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe	82
PID 5096 wrote to memory of 2812	5096	7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe	82
PID 2812 wrote to memory of 2528	2812	Qfcfml32.exe	83
PID 2812 wrote to memory of 2528	2812	Qfcfml32.exe	83
PID 2812 wrote to memory of 2528	2812	Qfcfml32.exe	83
PID 2528 wrote to memory of 964	2528	Qnjnnj32.exe	84
PID 2528 wrote to memory of 964	2528	Qnjnnj32.exe	84
PID 2528 wrote to memory of 964	2528	Qnjnnj32.exe	84
PID 964 wrote to memory of 3832	964	Qddfkd32.exe	85
PID 964 wrote to memory of 3832	964	Qddfkd32.exe	85
PID 964 wrote to memory of 3832	964	Qddfkd32.exe	85
PID 3832 wrote to memory of 1084	3832	Qgcbgo32.exe	86
PID 3832 wrote to memory of 1084	3832	Qgcbgo32.exe	86
PID 3832 wrote to memory of 1084	3832	Qgcbgo32.exe	86
PID 1084 wrote to memory of 2156	1084	Anmjcieo.exe	87
PID 1084 wrote to memory of 2156	1084	Anmjcieo.exe	87
PID 1084 wrote to memory of 2156	1084	Anmjcieo.exe	87
PID 2156 wrote to memory of 4396	2156	Aqkgpedc.exe	88
PID 2156 wrote to memory of 4396	2156	Aqkgpedc.exe	88
PID 2156 wrote to memory of 4396	2156	Aqkgpedc.exe	88
PID 4396 wrote to memory of 2272	4396	Acjclpcf.exe	89
PID 4396 wrote to memory of 2272	4396	Acjclpcf.exe	89
PID 4396 wrote to memory of 2272	4396	Acjclpcf.exe	89
PID 2272 wrote to memory of 1152	2272	Afhohlbj.exe	90
PID 2272 wrote to memory of 1152	2272	Afhohlbj.exe	90
PID 2272 wrote to memory of 1152	2272	Afhohlbj.exe	90
PID 1152 wrote to memory of 3708	1152	Ambgef32.exe	91
PID 1152 wrote to memory of 3708	1152	Ambgef32.exe	91
PID 1152 wrote to memory of 3708	1152	Ambgef32.exe	91
PID 3708 wrote to memory of 800	3708	Aeiofcji.exe	92
PID 3708 wrote to memory of 800	3708	Aeiofcji.exe	92
PID 3708 wrote to memory of 800	3708	Aeiofcji.exe	92
PID 800 wrote to memory of 4212	800	Aclpap32.exe	93
PID 800 wrote to memory of 4212	800	Aclpap32.exe	93
PID 800 wrote to memory of 4212	800	Aclpap32.exe	93
PID 4212 wrote to memory of 4980	4212	Afjlnk32.exe	94
PID 4212 wrote to memory of 4980	4212	Afjlnk32.exe	94
PID 4212 wrote to memory of 4980	4212	Afjlnk32.exe	94
PID 4980 wrote to memory of 4132	4980	Anadoi32.exe	95
PID 4980 wrote to memory of 4132	4980	Anadoi32.exe	95
PID 4980 wrote to memory of 4132	4980	Anadoi32.exe	95
PID 4132 wrote to memory of 548	4132	Aqppkd32.exe	96
PID 4132 wrote to memory of 548	4132	Aqppkd32.exe	96
PID 4132 wrote to memory of 548	4132	Aqppkd32.exe	96
PID 548 wrote to memory of 2612	548	Acnlgp32.exe	97
PID 548 wrote to memory of 2612	548	Acnlgp32.exe	97
PID 548 wrote to memory of 2612	548	Acnlgp32.exe	97
PID 2612 wrote to memory of 4580	2612	Amgapeea.exe	98
PID 2612 wrote to memory of 4580	2612	Amgapeea.exe	98
PID 2612 wrote to memory of 4580	2612	Amgapeea.exe	98
PID 4580 wrote to memory of 1116	4580	Aglemn32.exe	99
PID 4580 wrote to memory of 1116	4580	Aglemn32.exe	99
PID 4580 wrote to memory of 1116	4580	Aglemn32.exe	99
PID 1116 wrote to memory of 1512	1116	Anfmjhmd.exe	100
PID 1116 wrote to memory of 1512	1116	Anfmjhmd.exe	100
PID 1116 wrote to memory of 1512	1116	Anfmjhmd.exe	100
PID 1512 wrote to memory of 3856	1512	Aepefb32.exe	101
PID 1512 wrote to memory of 3856	1512	Aepefb32.exe	101
PID 1512 wrote to memory of 3856	1512	Aepefb32.exe	101
PID 3856 wrote to memory of 5056	3856	Agoabn32.exe	102
PID 3856 wrote to memory of 5056	3856	Agoabn32.exe	102
PID 3856 wrote to memory of 5056	3856	Agoabn32.exe	102
PID 5056 wrote to memory of 1900	5056	Bnhjohkb.exe	103

C:\Users\Admin\AppData\Local\Temp\7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe
"C:\Users\Admin\AppData\Local\Temp\7015868e17a6c9213e279fd998a40cabc8ab243be0a96bc76576b128ca4064baN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\Qnjnnj32.exe
    C:\Windows\system32\Qnjnnj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 396
        69⤵
        Program crash
        
        PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3952 -ip 3952
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
59KB

MD5
4e944f6d4a2bffd43990f64b6269fe28

SHA1
215b9a055db2c57113d58da747475c1ee6ef4bc9

SHA256
3e7c95acf69ff000e45d80265e301e66604ea0d3d557eff9cdf463beab4ba865

SHA512
11b5da3dd9a75c447419e1c24f957098c864a7eeacd25ba45a5c17c7e977de414ada20993de6cb79460b562dd39436e6d1ff3a2d8c90ef24ebdecc2de27ee691

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
59KB

MD5
779c58be335bf45ab2683c3964b4ac60

SHA1
7298eead1fe83e4ceabf25cc285fd41bdbbab36d

SHA256
5b2b0d6daf9583a74d42a162103e7786ac55ecd548935c5c1303c88d6e23318d

SHA512
9384e2a08dca06b3878c5bd4c0893b3e63a5d0bb3060577fb0ddb1490eae6ced4e984836f07c58e6b4ae4725d7f3375784dba46352ed649bd2c939ce13730444

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
59KB

MD5
9d2156362b4d73b4776426a42cc8ecb5

SHA1
2a5efd020ea16f53925130d31d8c0d5a70d48b63

SHA256
97bca3729fa8ec01912b861e7d9602d9e825ca542e5f73d2e9eb1c2c2f43a72b

SHA512
5dbff33a39c38a81ddf63b4e6c5ff445041e2a0a9b51b7e648c1e059a1e9d815a1ab1e0a020a92c0382eeb3c2ea14d74871e4fa4dd5221a37754ad1a78a832ba

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
59KB

MD5
5957291740f98954e77a97b502c3f859

SHA1
78d46b2fa37fafe564508a87c07782c279d8b1d3

SHA256
51c346789ea7725f3d5b93dd46dd794dc2fccfa512157f3f69be5e678a17a0fd

SHA512
fd1847687152d2acdac7e9536ed9cf60c66ab6a804dbfb8bca8acfacf0c9f1756463fc11b38330c05756499a279ce60e67c7de80ad2fb241a80c03663b06391d

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
59KB

MD5
7641b81501f6ae93518e3c4156c9e593

SHA1
067b8e9cabb1e1797163820d0507c7030a6994b4

SHA256
709b76040ce8e32ae96565314b73256e5b4f6d6daf958ec26aa0d622628c747f

SHA512
7df81f6ee0c2b9b905d814b25357d3115473b93cd9d1d18181f00f15de91bb2cb41b64352cafb0bbb74dcc680680899e06e0afb58e3cc631c5824d0f9aa02085

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
59KB

MD5
471a6298e4a60812965cc60af116319c

SHA1
c0f451bd353c5f33bb963f23491cf7ca2afdb496

SHA256
a48f19bfe3289c3e32ae8f4ea9e4b5e34d6481df9cedcd8507bf4b363f0da34a

SHA512
b51e7da57267237f40a9df50f4948acc748c2bea60763b0d674c631386ec6248e6cb9c9de16157902819e85f3821defb0e934c26a1931b817ff5d6ebf8d2843f

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
59KB

MD5
de6e879c38da4d467936e440c6cbe299

SHA1
38f9e78bfdfa4a841c9b6726b751bdf425c02b5a

SHA256
1f9d597e697e21e3a4e698235c53ba28f7fce2f3d756e36ee7cc525776b27c23

SHA512
7c06c8d8be7a6539f71b3151598282dec28ecfa2b9edbc16231b3ba3b6d726f15c823248eb89526c46699c8e946bd3d22bfd93b4cd41681cb1f9e3eea21d1f85

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
59KB

MD5
8df58ac9953fd9480553835c3b899a77

SHA1
295456d8fa219e9bedc14b6cf57fbc2da39f40a0

SHA256
fec7f74981db1df9a61283a84fc49444f31e8b2e7ec218e514e1b7f07ccaf25a

SHA512
3b11573eb0b90a01ed702533a1a272beb8056ba05ab8705b5e57547ba1c91cbb58a90936f173e0d9389e6553edf46b9cfcab34296e8b436b878be3a72c4db068

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
59KB

MD5
2f2911ec3ad4bcb2784cdf5364ae6a41

SHA1
120595a7c5b972f48f1eadb8f814778e4c449ecb

SHA256
ac40a20139f8f769fad76dcd55fd0c18de63125cddbe87053a9227b29f0a9f0f

SHA512
86001c25eda6be60c585de89eef9d2b6fbdd221049b928d026e5038e32396d4af0906e8fbb36afb6f6684265aeb56075b36dc7adabcc1c86b76bd47953aeaa4d

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
59KB

MD5
e0a18b66fb29122bfd7f795c0a239ab0

SHA1
0747143642e7177faa6c1d115557cc1024ede082

SHA256
6fed5b52bf7af27dec0f20dea393e0518172065adebaf34b531fe35304b24fad

SHA512
8ed7960b1a64d26fe884a967aab13e85af16e70df905f3155a7d3cdc19ffb304acd76db8280538d47075506a92bc8517427e81e0f30f3b47704f375929fbc336

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
59KB

MD5
1e3bb20482fc5fbc80e6efc503a0d132

SHA1
8bddec82bac58d46416ce19b92a9b4388ea99491

SHA256
85ddbfaf3320d2e0a7127b42f4d642bfacffa9d2ad8aeb84783049d802372e9f

SHA512
a2e4fde6707180c11196835f88c9695740613b9ec0e3273afcac3d0e4871e90407c89f32c18969e61cc63c59cd8e167f591c8c9822f72c99cfd363fddef0f9a7

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
59KB

MD5
8a1c4d54d6dab94d3d6dfe8b5621fbf7

SHA1
51e8157bfacb770fbe82f64a35ab46b492e2e35a

SHA256
bdffa8f61e7f26599b8238293b0df72017dcee6c89e7cfbc6c413912ddb99883

SHA512
86c7ea3d3271b8e125985fe67e5f94fb50856a959ff4aa2ef260ad57b8272dab6991dc9461bb66f4a1e3e3acc8cc39ad68f90b76d4c0a0aced74882592050105

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
59KB

MD5
5a9d0620e87b32b68e9000d9f6c308a9

SHA1
9d2171ad1df3e18628f095bae742ee926bfb6fb4

SHA256
2aa5ae16bafe497945cfb773aceebb295719d7c9c1c403ca781daabc01eb68c6

SHA512
9b01bd7dd72a47e47f682b9218a19b3dfa3ba11b322157436f80f8fb60cf0c4bb33171a9c84860fee09906e1adb35849a123a8693a850753e64594f39d1ed3b3

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
59KB

MD5
08491679c19cad8b6fb65d05ea7f544b

SHA1
280a2277fcdd371cc300f6f4db9db50cba080435

SHA256
58a08594a78b36c8a5d4d2fb69cf1ca85afc9ef3165b01341c3a4997498c822b

SHA512
1c6e5406e8bf79b9e840e3b67ef4c301a69c8cc9bedc120dc572c7a7847895573ce0ac8451b0add80570fa7beb659de0c7fc3a47bfed1bdc8096dbfd6a78cb00

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
59KB

MD5
d81e166854a083033dbbf71ef6fc6953

SHA1
0e810bc857031333469fe9323f8a3e7020feba11

SHA256
71eb9f8bf4787021cfa90bcc5c40687ac181b9185bf58d0a671b4cfe166564e4

SHA512
6a0ec89832262d721ac39cd84e388cc889c1189d3eadda711411dfea00594557ca420261df5be6857885dca7d43a894dad73a222d2888a89e1d5b77d97681575

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
59KB

MD5
48deccf44e2eace2b38f005a9115c679

SHA1
e4780bec12f3d4cc82b979b5fdc758128c20589a

SHA256
2250aee526a4b39cabf2ad10108e31f53652720b91f372dd176134fa5035eaa8

SHA512
471de801cb5ca0c3913a160d581163c58b834ee1d0f72a21fb676a8fdac5f9673015ae04bd7631262a118b5518c19c56822db6787fc97e36234edeee5532f574

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
59KB

MD5
2c09c00a43f80ac2f2bc57554ebd4093

SHA1
b1b12b4e8d44e4f6280fe677edd71a8b382f9023

SHA256
3d01e82a2082b651a82055c8b48f516c0dedef280c13f4160019200343187525

SHA512
52394e72a5e7903ab6bd12298b66d1f1b6a37a32959630cd0e98c80ed57ab8facd3c401e4036d94a1bb84bbcbda8b93d742ac4db48d1c1a22b5cbd37ec153267

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
59KB

MD5
7e4db47a686d45746a3fd2e7a77ce082

SHA1
090a1bc53506ed9c8f9712b2b3daa39e618ee1ec

SHA256
69fe0e5f7ae12fb7d67c3231e97c603dd6501b04026ddd8649da655a3554f196

SHA512
410150730724f38bc7b7d6c21ecdcddde47122a6aed83c2c0887c6df04321c87baaa6bfffca6dab20c19d5187c063be2484de1b9d20a984b5b1d2013b7c4c302

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
59KB

MD5
09922209a80d78de39cec0fb25619af3

SHA1
31c088845a1622331f25fe6bcfad7f599db916ca

SHA256
f96eb811fb94c09cdb9507cfc18d007a154d259a2aa290e23dffa925823c9a2c

SHA512
d2a2afe99d40751c5bdd2ea09d42f792e45306c4963ac7e23f6c73d587ff3e86ab405cc100c89e86bd1baeb3664f681eb65fba28288ef9abe4f0fbeb09ac62e9

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
59KB

MD5
45b768ab6c8674f87303391c763abfcb

SHA1
4fc8a260cdcea70997544135b59110da276929e3

SHA256
87f6146865b5aef5d6ea1225c6d27c8312dddbb184cb7e86a47d1581580159b6

SHA512
6997b817bffde6762e8b77fe6b393b908ace669c94cb3469fa3a92b73d6682869e9d3de161ac657fce8fe86e6b96564524d16ea0647ef737795943f010858651

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
59KB

MD5
c39a41d90bad64785cdad52fe9212566

SHA1
63628f78ba32743cd910e9a26e8e6544ef90cab1

SHA256
c64416c0b57871e32f0a6319509bdbfd2da6e2c491f2b706560c76531d68a91f

SHA512
3f14b8438670c51a341a68982ab9121f1dbc310b75c9a6552a8f52b204447899cafe0b73507a1f211f73c54785b985e960ba452b182ae0521ac3f6f74f0a5095

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
59KB

MD5
6364a2a0fcc6cce9bd384bd22ef7abc3

SHA1
1bc671697c5402c1d3a4456f6850cce2040b7961

SHA256
5c1d867beaa18f41ded48d46785c68f97a78629a3a7174bf3a9e20effa9fcf5d

SHA512
33251811fe6546ba738c8226a02d611a64d7e21c8d8e85a3963e2a7df144129deca5d37db7492df21d2606926ad8d0f2c50c27cc7eaa76795870fc5d075d16f8

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
59KB

MD5
ce41575555e0cce1d6333181f5c1412d

SHA1
e44ad90d6baec7e0a5b3ace5c263cb0d897bf5e2

SHA256
f968134b53cdb8b42e19af6a2500da7767af3e2b0f13a41505e4e0952e594dbe

SHA512
3031df186fb48e4e582b75dbcc6704aa14911c2ccd80ad14de2f9b91b4fb52a7fa3577b6f1e533c194a2fee1bf0f8b697068da8a90a3ef9b8096251907563dbe

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
59KB

MD5
a37f37d5a6cffded077ffbc9d1eac2f2

SHA1
9d0b84089cf8bd52637d510b8e66f3519b6a9425

SHA256
af089bf4627efdde6eb8352fd02d0018234b0b2ca40574867f1835ab8fcc46ad

SHA512
75c9340a9aac11f63e65f945c8d4358132e78183238c6e56d0c274f8f6b3129fa42a033632293fa9bf25210ede682f54db992de4038b6b7bc05ff1a4fffd678a

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
59KB

MD5
e6425d4cc8f668c3fc790b531cb1ec1c

SHA1
71ece1468a000c3b08be4a55efcfaa3cabc08192

SHA256
af38c1f1e435e0204c532fd126ed9a8f6e32eef275480cbbe493918f689d6c0f

SHA512
b50329fd34d10359dc1fa3275a0e95aed14355cefeeeb86eb5745cff7c1a2a7519e0599bfe4573deb1e4c463894c5a4e91e034deb4a1ce63e226ca08d3e73af6

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
59KB

MD5
c716f6a63a22bff68a0b88a4d8a99325

SHA1
7ede27db089dc63bf8eefbbd115c6fb8977c63ae

SHA256
f7d2c1ce49bfc2f25b237cb6e6031e3541d119e3eae70b9bb22b04d0fb0a535f

SHA512
dd41f060c2aa92f565ac75b0ab0db1c2155a2fe8240a4a7209968c7cb7b5568cfc5e9c1c398357c5610b12ca7d132a2cee3974b34da2cd85f37d04bf23f5c333

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
59KB

MD5
aa6e06c72a9401593ee19317e30cb1eb

SHA1
e70fe192e14f98f62fedb2f298380228942f029e

SHA256
89a5c0d6ac1874c9b629df01549ae40cb6c06125e3938fe1d4d719d0ccd411fe

SHA512
a153334bb1561fae2ab39235f862edc0cdf860c0eb20825b22a1694bab240a125f7625c5b9f907a96837f8a40e1f76fb7d56ab74e5bb98fa1e25ec4ea5b42dea

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
59KB

MD5
5396b100591cb85c36e1df2d8f09b944

SHA1
873cc6777283c77831716da26ba29cc4cff5617c

SHA256
cf0256279137acf3a8752549842386e4d668697b7d0d03d2b10d0fdf864b9cd0

SHA512
f209267bf1f10f2106f2ddcd77f5f041248cdc747e55f705c8d632de093667ecb6bc8f85d665855c3d90f482db2bb652530c22f83a33f0f408ccd9be8b45406b

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
59KB

MD5
9014ce370f5501d460661d600b0a2722

SHA1
9bf98fdea93e3d5d7515ca954bf85e634830d5c1

SHA256
e7111372ff0eb7e796968ba03aa70adf80bc5f036f6460d20a32c914cef46d2c

SHA512
a28ccfda0e53fa06856a1930764550fea4e3a32570917708a101e96dc80a00b2f2c9b79d688ba8da7102832e40e7d943594d877f33ddfde2fc61d0f95ab947a1

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
59KB

MD5
daf042b55b6aed80cad0839984d9b8c3

SHA1
2ecf97c7d516693f603f616f1938f37646ecd7bc

SHA256
b4f408cb658803de1214bb9423b6b5270312ebfd5e2a96ff0141caa6f492343b

SHA512
6520586813934fb40f7c369656448139329607a2d8eea2eaa68b9dc9bfe38cf04e338b977625447bbfb82ef100c4be173a9efb2ec6795ef417b7fb97192fe9b5

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
59KB

MD5
73c530851dcd75a831362c14d440c502

SHA1
4276f019de70b833b1ccb3795054378cb8869b96

SHA256
bcc51f6543d9471ce65c59ab895b8622982c179483c07708070a0afe314ce05b

SHA512
d15aad7e6ce269461afa7624887771862b45c62b4fd332217e00de20651763042ff657563b2d2266f7d0c98df420f321782adf03f749e149384302b6c64791e5

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
59KB

MD5
896510571df0bcf8f90dbdd90132544a

SHA1
e25fc56b500f0746f98ce86046eeaa885fbc441a

SHA256
c7fe448c64b9b051246462a19f1cd8283da8a1bfe25cfd65f17f63bd43c63127

SHA512
90b62c4bdaf07e2db7433333ea4b83af125f4caba4a68a0d839fd32dbd75036fae00e6b3f631090e49fd15eb9b678defeaad456e62e738691ede489ce9b9b877

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
59KB

MD5
71b7ecf1ff08e275d2b6ca0d46ecf4f3

SHA1
696ba984baa1536c660b28ff070ee45ddbfc2e63

SHA256
c68eac45f2009c24c08b5d5b881e6bf05872742c6e52cf3d0a4dbc37026d756e

SHA512
036edcb8109aa7368973aaa58afebd8601a0168595b063a89f11d3c8269e42ba0fb57e87989550e136dfc276df83aafb688b49c49d2a247843af480a2a54371f

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
59KB

MD5
7f91bfe784cb5a4ae1297fa2a5535886

SHA1
7dd1d0f86f22143956f35d759a3546ccd8eb833c

SHA256
42e0e5bf024ef3008399e9b495dae05fdd84e729da4cc52eb87b6e276126505b

SHA512
1a07869382792508e4fff83b81f0fbe3da6863a20bdb88d030bd5aeacb6a836b7c4b700d8230f92f4a6319341b869a7ed113d85c3ccde54642b2f33b6f6009bb

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
59KB

MD5
700a6e8518bf4e2b9eca98c330e422c0

SHA1
38f8ba5597db459fa7c0668bd6b6c2829a7200e2

SHA256
1cfa8b6f1f9f6846b115973e33fa388660278b211142959b72c5bd09e356672e

SHA512
513e6ca3b840f3f1823a23406065ba08a3736fb42074125fbde4267da89254b2030ab8e81d96589ff73f025ebea2e067f5557d646d6cec5c1ad63c3e664e4c09

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
59KB

MD5
b625877e96f03802cb417770ba720b84

SHA1
f13b8f29af1372c6143bcb933c3da355d2c35d5f

SHA256
efed9222ff9ca301c88d3ca44bad0c7d3e15689164ddcf62701040228051c69c

SHA512
9f7f5d6231c2d8168ec5fb84718519b431c3c22dd5a3552a2886558efbf4351e01ef1657f1c55f991bbe996c4428136b4207b95ed549e3b5d415af64297c8ff4

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
59KB

MD5
0565bc9661b54bc5491b8162a49eb773

SHA1
4fd4174a1293f9d754ff21b21ae752c7b4037b36

SHA256
d5c52f650f92e9a8d9f4471bec17ec5335bac06126949d3b2f8b5fbc485e02e0

SHA512
19470ab6e6241822e31b0e3c9b574e66ca6f4c7d241c0c9cf747110afe68e54a369739822c37fbfacb5c3c63eacc9c5a05f8571387ff63426ddcde124147a5f7

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
59KB

MD5
9be710c66cedf436b3faf3eb42b2dab6

SHA1
526ededafa9893c765fd50498ae5323abb8c2e2d

SHA256
b45afcd30bfbef2b16cb86876d9ebfde58f28738cf362877b96f5307c82cc37d

SHA512
178c4ed2beb8cc3636fc3d837c4d8960625abe5d8e39361b6f6a2b5cd0890d74f4085fc0a6ce614c5da92578b316e0355999841b18a2db9d49a89dbef9e5815f

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
59KB

MD5
2939811d95789c5e44388a0a322e804b

SHA1
708fb47bf4ffac75e7b3b6e4d9989303d6ec9e9b

SHA256
3d6c3d6d68956e2f33113b12830e3be863b130a96e98a7e86cc1fe8486d58b75

SHA512
98685a9539094cb7efebdc5100d0124e02a9e372770bd4713620af920ce57ce7f41eb08feabb32b7df7c4db50f709ddf0048d7a1a02a636c80d45988099c7830

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
59KB

MD5
1e4e968ebcca1d9594b77d15cfaf6c4d

SHA1
99d025d7dc2e35974ef03f722bd2891f656d7c55

SHA256
2e9e6ffdd063b3908f670edb48623814dafbc12fc4c2a808a7e6bda255b63868

SHA512
f31219f08a03102789f30c3cd49fe24f1185c14d8da512cb1d76838d0ae900c42544a39ee4d7981f516057d493f709f837c7a74cfaee8c2bdb38ed729ed5ba57

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
59KB

MD5
dd8fba55a2690d71db223eef740f68f1

SHA1
e8be50198bbed782257e5c36dcb0a7555c589361

SHA256
70f7b74c3592e30e6e808176281beb74314986ac371c8de1149cdf1c1559ab8e

SHA512
246b543ca3397bd8e8abcdbc3da23bc703d198d5ac4f07e99767d3dba5d7442bfb951a7bdfd153342125c7bfd407f1d90466f10c672edcb2fa00bec7d8be6c37

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
59KB

MD5
408ff0e417693ea0187d3705074a5b5a

SHA1
842ca1606ba016e8d0ef672dad3edf95d46072a5

SHA256
12542b3e407c4f5574b47f76326cfb83eac95dc4b2d3c9aac71a71532cc9bc53

SHA512
c147904de1626cbf7f39b89e759886876460b6a6e227041c7869788118ebbfb95ff75b274798d4db98a76df3f81fc1c2063f84c393d58b1b38c2369f8965111b

Download Submit
memory/220-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads