80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Size

80KB
MD5

8864f7609d75c9394b739d49d0015030
SHA1

86123d0cd55ffcc9b6dc925c3a964b6eaecbed11
SHA256

80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6
SHA512

b7ef5462fec1700798ccee09f8bdcb3569d2f4225b96f8fbd978776e8aa1d59c428021d96eef2359b3025eea6f2e762dbf8d8dbdf58cc5387e8d0f0f61f02ccd
SSDEEP

1536:ubzL7WaugUFHkIGw/DoGvHQ8nxaA05PVbiVLN+zL20gJi1i9:Q/7Wao1kAoGo8g5PVbiVLgzL20WKS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe

Executes dropped EXE 64 IoCs

pid	Process
3596	Pjeoglgc.exe
3344	Pqpgdfnp.exe
2692	Pdkcde32.exe
4708	Pflplnlg.exe
1004	Pncgmkmj.exe
2136	Pqbdjfln.exe
3572	Pcppfaka.exe
4404	Pjjhbl32.exe
4596	Pqdqof32.exe
4832	Pcbmka32.exe
2200	Pfaigm32.exe
1000	Qnhahj32.exe
3016	Qdbiedpa.exe
5056	Qnjnnj32.exe
4808	Anmjcieo.exe
5116	Acjclpcf.exe
4276	Ajckij32.exe
516	Aqncedbp.exe
4936	Afjlnk32.exe
1320	Ajfhnjhq.exe
1552	Acnlgp32.exe
4768	Ajhddjfn.exe
4784	Aabmqd32.exe
2328	Ajkaii32.exe
3076	Aminee32.exe
3556	Agoabn32.exe
60	Bnhjohkb.exe
812	Bebblb32.exe
4584	Bjokdipf.exe
1724	Baicac32.exe
1988	Bffkij32.exe
1512	Bmpcfdmg.exe
2828	Bgehcmmm.exe
920	Bnpppgdj.exe
3480	Beihma32.exe
3140	Bfkedibe.exe
4608	Bnbmefbg.exe
772	Chjaol32.exe
1620	Cfmajipb.exe
768	Cndikf32.exe
4084	Cabfga32.exe
2372	Chmndlge.exe
4804	Cnffqf32.exe
3616	Cdcoim32.exe
3824	Cmlcbbcj.exe
4332	Ceckcp32.exe
404	Cfdhkhjj.exe
1760	Cdhhdlid.exe
384	Cffdpghg.exe
868	Calhnpgn.exe
660	Ddjejl32.exe
1624	Dopigd32.exe
1612	Dmcibama.exe
4232	Dejacond.exe
208	Djgjlelk.exe
2992	Delnin32.exe
3124	Delnin32.exe
2760	Dfnjafap.exe
3104	Daconoae.exe
2944	Ddakjkqi.exe
4220	Dfpgffpm.exe
1496	Dogogcpo.exe
2012	Daekdooc.exe
4152	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Gmcfdb32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4280	3716	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3596	2560	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe	82
PID 2560 wrote to memory of 3596	2560	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe	82
PID 2560 wrote to memory of 3596	2560	80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe	82
PID 3596 wrote to memory of 3344	3596	Pjeoglgc.exe	83
PID 3596 wrote to memory of 3344	3596	Pjeoglgc.exe	83
PID 3596 wrote to memory of 3344	3596	Pjeoglgc.exe	83
PID 3344 wrote to memory of 2692	3344	Pqpgdfnp.exe	84
PID 3344 wrote to memory of 2692	3344	Pqpgdfnp.exe	84
PID 3344 wrote to memory of 2692	3344	Pqpgdfnp.exe	84
PID 2692 wrote to memory of 4708	2692	Pdkcde32.exe	85
PID 2692 wrote to memory of 4708	2692	Pdkcde32.exe	85
PID 2692 wrote to memory of 4708	2692	Pdkcde32.exe	85
PID 4708 wrote to memory of 1004	4708	Pflplnlg.exe	86
PID 4708 wrote to memory of 1004	4708	Pflplnlg.exe	86
PID 4708 wrote to memory of 1004	4708	Pflplnlg.exe	86
PID 1004 wrote to memory of 2136	1004	Pncgmkmj.exe	87
PID 1004 wrote to memory of 2136	1004	Pncgmkmj.exe	87
PID 1004 wrote to memory of 2136	1004	Pncgmkmj.exe	87
PID 2136 wrote to memory of 3572	2136	Pqbdjfln.exe	88
PID 2136 wrote to memory of 3572	2136	Pqbdjfln.exe	88
PID 2136 wrote to memory of 3572	2136	Pqbdjfln.exe	88
PID 3572 wrote to memory of 4404	3572	Pcppfaka.exe	89
PID 3572 wrote to memory of 4404	3572	Pcppfaka.exe	89
PID 3572 wrote to memory of 4404	3572	Pcppfaka.exe	89
PID 4404 wrote to memory of 4596	4404	Pjjhbl32.exe	90
PID 4404 wrote to memory of 4596	4404	Pjjhbl32.exe	90
PID 4404 wrote to memory of 4596	4404	Pjjhbl32.exe	90
PID 4596 wrote to memory of 4832	4596	Pqdqof32.exe	91
PID 4596 wrote to memory of 4832	4596	Pqdqof32.exe	91
PID 4596 wrote to memory of 4832	4596	Pqdqof32.exe	91
PID 4832 wrote to memory of 2200	4832	Pcbmka32.exe	92
PID 4832 wrote to memory of 2200	4832	Pcbmka32.exe	92
PID 4832 wrote to memory of 2200	4832	Pcbmka32.exe	92
PID 2200 wrote to memory of 1000	2200	Pfaigm32.exe	93
PID 2200 wrote to memory of 1000	2200	Pfaigm32.exe	93
PID 2200 wrote to memory of 1000	2200	Pfaigm32.exe	93
PID 1000 wrote to memory of 3016	1000	Qnhahj32.exe	94
PID 1000 wrote to memory of 3016	1000	Qnhahj32.exe	94
PID 1000 wrote to memory of 3016	1000	Qnhahj32.exe	94
PID 3016 wrote to memory of 5056	3016	Qdbiedpa.exe	95
PID 3016 wrote to memory of 5056	3016	Qdbiedpa.exe	95
PID 3016 wrote to memory of 5056	3016	Qdbiedpa.exe	95
PID 5056 wrote to memory of 4808	5056	Qnjnnj32.exe	96
PID 5056 wrote to memory of 4808	5056	Qnjnnj32.exe	96
PID 5056 wrote to memory of 4808	5056	Qnjnnj32.exe	96
PID 4808 wrote to memory of 5116	4808	Anmjcieo.exe	97
PID 4808 wrote to memory of 5116	4808	Anmjcieo.exe	97
PID 4808 wrote to memory of 5116	4808	Anmjcieo.exe	97
PID 5116 wrote to memory of 4276	5116	Acjclpcf.exe	98
PID 5116 wrote to memory of 4276	5116	Acjclpcf.exe	98
PID 5116 wrote to memory of 4276	5116	Acjclpcf.exe	98
PID 4276 wrote to memory of 516	4276	Ajckij32.exe	99
PID 4276 wrote to memory of 516	4276	Ajckij32.exe	99
PID 4276 wrote to memory of 516	4276	Ajckij32.exe	99
PID 516 wrote to memory of 4936	516	Aqncedbp.exe	100
PID 516 wrote to memory of 4936	516	Aqncedbp.exe	100
PID 516 wrote to memory of 4936	516	Aqncedbp.exe	100
PID 4936 wrote to memory of 1320	4936	Afjlnk32.exe	101
PID 4936 wrote to memory of 1320	4936	Afjlnk32.exe	101
PID 4936 wrote to memory of 1320	4936	Afjlnk32.exe	101
PID 1320 wrote to memory of 1552	1320	Ajfhnjhq.exe	102
PID 1320 wrote to memory of 1552	1320	Ajfhnjhq.exe	102
PID 1320 wrote to memory of 1552	1320	Ajfhnjhq.exe	102
PID 1552 wrote to memory of 4768	1552	Acnlgp32.exe	103

C:\Users\Admin\AppData\Local\Temp\80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe
"C:\Users\Admin\AppData\Local\Temp\80258d961cac3694e83efaf89743d2520453936d0d08ea58af5c7f4dcdd1a0f6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Pjeoglgc.exe
  C:\Windows\system32\Pjeoglgc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\Pqpgdfnp.exe
    C:\Windows\system32\Pqpgdfnp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Pdkcde32.exe
      C:\Windows\system32\Pdkcde32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 228
        70⤵
        Program crash
        
        PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3716 -ip 3716
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
80KB

MD5
b857951fa8a8d4605fd15be910e5f693

SHA1
cc6e859f0ce930d5bd1f443f791b23e823487a43

SHA256
eb523601ca4ccce9cdc485582b1ac4b4c503a0f2defe09442c3110caf32160fd

SHA512
4235804574eeeb4b1635e7bde5ea65acf2fd2119cb5791f66990c08aeca0bc505c7e1be32728407bded73765be5dfb90c0fd6dc0c476c494613f932b90f61891

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
80KB

MD5
4455427091d9b626b7a9a4ddb08b52a2

SHA1
c3afebd5e9d27d3f9d9bf6c66cd5c917fe5328f1

SHA256
cad2345396728ac37919464e4ce98b55c2ac92852814b8dc1b70c86aef447bf6

SHA512
3744ce627a6972e325b90ae8c23258c900707f90fea8fa0e88c142f1154ac5bbc4889cecb417316c7d949179bc47629f8cfb80ffebc538006ad0f57608e9ac4b

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
80KB

MD5
78e3f8ba6a81641d1e4e24fca83f5a23

SHA1
b272e7ac457a5f2efb2b0564bc06c8ac8a9b7aad

SHA256
537548d58148e199d2cbbdd32f56cf28dd8d006c00ac411ce34edef6752b4b9d

SHA512
696a3d0dc0df06f5fc987e93e0046fc64212ed6111a849d3f4894ceaac47824e3a162472ef454f0acca9af49cd3350708b0e2efa1ac8a1b473f8f0a5432e4807

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
80KB

MD5
9fab06cb8740df33a39b69f5add58a99

SHA1
19c675ad8f5fb48b2b00b42477b93ba981ce16c4

SHA256
b425da7172973f5d224f96c52fd65610dd7488fdf5660f464a73590e4ba5a85e

SHA512
7b048c9c6f7c40a9971c654fd0838d6ef6358b68583a3f24f276ffa063c342acc89bde015ed046c753549bd4a568ea43b214956860e1e82b6650ad6f1ae421ec

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
80KB

MD5
a9aea15f547010170d9d6d9c153f032e

SHA1
e50effb15034bbe07c53ec56855430e305861f44

SHA256
81ee8b037ee155750917583a8eeff2406852bede0924d8b68a647b660adf1083

SHA512
b2aacfe8c1770a30d4c2590c022ecb0632114f01619a4f15fa1a5c009164c7d41781b420957af89b50758a40c5ca0f5e426092a4329e2851e48ad588cb1eabee

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
80KB

MD5
7bc045ba6d2f340827b1143bf1994e43

SHA1
6f2fdc38252b29736ff41b272fff855a0849bd7d

SHA256
3977b27ec0f7256f96d18c86a54e7221fcb537586e0ea65522282837b13dc153

SHA512
cb1aabe2966b7dcad4d750b670d14a306315975e5209128bcb07396010a6a112f0469665b329e3f8a1744cb2ac6af296b054a18230ef1aa8d6c84544a7467416

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
80KB

MD5
a720e58ded9b746c467e95fc48405a04

SHA1
e389ba311cd3d87f8bd3e2c5dc17eb197ddddd9a

SHA256
ca41ed9c80c8e9e63dfaa1c5d335822974ca8e23e41cdf606d74023b6fd083c1

SHA512
192bcffac6e0a0e007d94b6d12458a15e729dd3ecc8cfb7cce65d2d53a5901533a69e98c7df1edee3f921021087de3ca302533bbddb585d2a9e146c8e3df4e1a

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
80KB

MD5
af634b78d99af5d7cefca6c593b9e65d

SHA1
bccdbf93ecd6eff8e72e5f214a9c82d378c596d0

SHA256
feeed7cb0b9a7c462e515b213cb4dd317dc7879ac0b8c870048be67d883a45e0

SHA512
65c2a1886bf79f361622198efb86c49ca62b1d11d705c22c3b70598f91393909e05ee6d2ce894214d14a3c7288668d5aa65bca6b9c640d82a83807d4205d395d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
80KB

MD5
43ee051c3f209d0442e4a12c7a86024f

SHA1
5f78993bd092d094cf967c61e0d003108163b4a4

SHA256
5265549e8f4e2271aa6bcefbbecf6d9871689bee50389dc1cb1e43fb5bdd5068

SHA512
1e9cba446567339e94f13523cc15bf8a4c644c6014fee4776744b9bd9ec1cdf7f747f1804ec011dd64b32e1f05ae572950721f3c4d0d0887bb9e8e7d52858555

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
80KB

MD5
a81dfee0dacad992b96bdd2f57d24c65

SHA1
c4fbd08d65e144190544a1cafb28a094c024681f

SHA256
fa333e91354ae42d8fe82a6e9ae6972e9766df0bd788fdbda3dbbbd6efe08cbc

SHA512
2677d298f5d395a6f68876a9eb41cee9c07a81aed1d4c917892673555374c9622beab56ae6eed8ed4a4ede317a7280f39b77d9b3c84b84eeb54ad8e62fab002e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
26fb7c32bce5a827d63263e5ab00f011

SHA1
0c1e9e43043a41424461a2e889975fbe96f01d43

SHA256
cd92756087c5419d837b7b3eec6590abbe4de6259c663569646cf7056b8c4fb5

SHA512
4b6aee6717171e20f29728a09518e34ed48a12dcfbcf5bcf469660e358fe1178d846e5b03bb401e27b439ff541d8c1df487725ac4ba7537c731568ab5d3f1fbf

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
7ac18c0de6e660b9516417b176d3787d

SHA1
102eb8f8da33291637007d86089b0184c0508481

SHA256
810af076ad66267aa605cb8a5262590826672b39969ec409efc88ae91810c52e

SHA512
0f351e5b9c289e061ab0749e5d72d733e9f01e8c4191f06e6d7febb89e1c95b74b552b885726cba630c23499c1bf2ad2b1b98379df3c591df15b9cc5706215fb

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
80KB

MD5
ec9b4f8760a37fd4fe7436c73952c2ce

SHA1
8d0465bdd8acd962c732479e756320ba81e83f76

SHA256
bdd8a6149fe1163c081a72c4c2940a986e2d8594c51d2c8de26c9695880bf246

SHA512
55b9fc0e27a93a80dbca919c8eec8b08395ad0bbbd6b42a105c447a46904009734c691db27803eec9513565bc16981b7a271f202f9fc618f0a7769c2c61f97d9

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
80KB

MD5
1d2b83eedc3eb453f26e45b80c475239

SHA1
86312156b83d7334e221af77cfe5032f7c96b908

SHA256
55e8120d16cc8e9ac523c5c3d746c540ea976f40533732ae4911939db194c419

SHA512
caffd8eb05ee600f9bddc5d91b662c45c3ba2715d4fc80eef51099041bd78a9b047f54c2e9de65901604f1f7e1154cf5dd1f935a817ac7f1ad830a8f94ccc8fc

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
80KB

MD5
ce7b0f3896c973d0b3e79c405916b46b

SHA1
66afd5d548477203a5708876fba5b034995dcfcd

SHA256
6a489f4fa18bc74e2556b6b0c44076ea5b2492425698c76a03e1337679b8eaf4

SHA512
94c9bb88a476e08c8d681aaaf4b6448a7129c247dacefa8b4b429b9b50b260134b97597e4624d6e1a28df6827864fa135e34eac5992e9ea807725733b0fbfbc8

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
03ecb1cd9f304ed13a9e02f06a1f2227

SHA1
f738d61c86ed3d0c785adaeb988c335241b3243a

SHA256
33c6978df8c242ce14933ff570f52c6df3a0801818ae6932e1aabf42b6b7fef4

SHA512
d13841522ad58ce887d12bd53c1cbbbbd867dc4247512e9ab3c10e15649ad14ddf9a8e275b5ad3a6bf2bb14597b938348b0684bfe67b18fb2cffcd8cb1825be4

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
1d794eb3e55ead753efb05c00830dd5f

SHA1
e59fdc272e796348f04ae408659bdb3011e23730

SHA256
831d54f0f2c81a1b3a982d02ba589e86129bb0d94f86c7980df342a959e501ca

SHA512
9f255954783a9f03d5a4f51d6b9ec1089725941a5c29770ff9872e1bc9fe09d0d4b28eb4c304d5c1df932d86dc18e56c14cf5ba8d700149c538b83c6241b620c

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
80KB

MD5
94c17b87d0dd9d9a27b22d72fe10f8c9

SHA1
ef626b141baaeb9047ed0c28951dd47a57cb57f0

SHA256
c78a9dd13e3378f506c89484fae1fb54447fd6bb7591aa68838c8069afd22d4e

SHA512
59e2453c467b5374898f750728f2bfa9ab474e3fbdfef37f762b69698bbc8cefabb2938f5dc05773dff296f1665dcc06954f736e4123fcc73e829106df6cb6ba

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
80KB

MD5
89de1afdbf3e359b30c3de0d6884fc78

SHA1
7eb99d8e86fad6f2e3a7f5f96f622229ae1ae3ce

SHA256
dae1a4db11cf97afffc4849eed2b47946dba8ac1b636dd71091fcf50437d3a3d

SHA512
e621523186f2eefdbec0d85923b4da20f18a0edb203980538c5470371c4a46da4756d50825b384afccdf6e4e7dc08038aa704cd8bd3c36dc00aa3f5a5137cec5

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
80KB

MD5
2b8e5a4a773bd5245e952da3692b2e8c

SHA1
034c05c10c655928b34922b3b657a11b2a0a01ba

SHA256
d7e0bc79c114c81befc48f6ad5a3befb0b3b15eb96f1dfa5f11d3d32f6d2e9e7

SHA512
6678c2f20bf99fadb9861558f865ef706231fc92530261d76b14ff64f54a50bf0caeb64ea1f94dce6d0a117307a09f97967b2d2af8b2e17ca0fe52d5fea9603d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
80KB

MD5
9f8f7adb75820a6827ed45e63e2675f9

SHA1
cc78538e8152359aee7525da9b6718880561c603

SHA256
6746dc98b437a5d06a6ef32ce634db9cc11dc65869bc50d9f8cdf7476039e6de

SHA512
fd1f6c2974c2a5cde782fa490558915bbf8fed2e9a205fe3321e6556dcdfe51f9cfbcf897b1d96f4c2c337b46b378283f8c92944cd863d06e6c16ae649c926c9

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
80KB

MD5
c477420464798295295aab00a927f447

SHA1
b2f1b8f46662b2fe824e78c3dc9fecf5239e263a

SHA256
35db9340467b72c56ea5289c80f983541c06b28dba3a9670326e1d3e51f9d181

SHA512
4031f551cf3a2a934a396352ac725129103b7fd095173f32fd149342743e7c5567e232b5f3c59386e664a5a9f78c4ead4731b70d2ebee79af1924043c880fe40

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
174097f9b616efb7518f0e96e27fbb3b

SHA1
7b8b62e6015085bb4ed98752b5d4fc2ce30bfd70

SHA256
f7fc7db9b9d7eaf967332419a7ff8370bcb2d4651b3597f76857573057693022

SHA512
40d20766920235e1ef2076ad94993dc5e6d3198e7fe32724351f6c97e17be07580f9c2f40d524240f8a379af07b1b72922232e88fa5f025e4feac02f575a1532

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
d32e0fb1dcf96f588dcccf9f4085be0f

SHA1
b645cf8bd61aeb21112de061fcc499731dd46a56

SHA256
f65130da685b649cac2e72f9a1228abf9a496f6136ca2d46c6c949b73ea9212e

SHA512
1471eebe0bc86eb231628f25d3054afa96b28584b832b4a5a8d551f38532deb33fd39eabd077b09c5e76675228580a7456d3694e25b2a69a9117131180564b4c

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
b8ca68f5e64d40d6806eead285a7b621

SHA1
c6bb0a55fe3375781c05c732bb298da068c7e358

SHA256
1a79b2acc7c3255d8c843af7d8294371a69bc142d4076cd570faadc5d46fa8e5

SHA512
958bc71d75973b0907ec33468360b5824b1463061389b86166195eae9125ed89d266899ab85551faa093fbb97d6576cc7bac8b10eb30ae17be2d2ae2b9c45829

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
80KB

MD5
00a486e0d4e26262024a9ac6b92e6e44

SHA1
302180d43fbdd7f3eb474a4011c0dbe915727406

SHA256
c57d907507ded7230d6f34f85047129a07ea8155c10e3bd473fc77058b6c917c

SHA512
bded8b407d0011e31232e9be3b4291273bc2920bbff7cc79e5493767659e298daceb9b269c7e0da719d2f3fb83c4e776399ea3d4b07b9db7caf06220b056a943

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
80KB

MD5
74f6e4312d1f3da9a504e9d209485c86

SHA1
e16652304aebaecda9216cba5785b39c7f26b49f

SHA256
dd195a659bbde51a3862afa1209e4633dc1dddce33ab2e158f541b68f824f29a

SHA512
7081ed0ad9983d454a6afb48fdf94b92e60df9437a381fb564994e750baa60c948606c2a7f035228c84faad8581702f5359697b568edf3828a0b8207cc98d119

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
80KB

MD5
407217d7340bae6aa3dd76fc6126355d

SHA1
5ef9e96c35007f26bb876916e93a58edd8fa1215

SHA256
02365da250470855790a66ec288b24c5c10637f7da688dd0e47b77c1b4d8e3a4

SHA512
6f2799a0d275fe6a027efef3482ca525874993766a130545018a331ea9684c8fa8fd099001f85a4375b274f5237c601f76a241e633d528b89f97b1811759d128

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
80KB

MD5
93f761ba5c9da30e41cce9f91e75771f

SHA1
a2a4932c25baf3d1edbe31aa9562f8a985a98eb5

SHA256
dbeff0b99ecdbb157278b7e82c65b2e16ea22331e3b45100dbcee1128e5fd8be

SHA512
5f8f1eabaeb899edd5625db77f64533fd33407245515997c95c88a7948d3ed9120e3231d5101ec843e7c25a56a77862a85e2930d1627ca1bafbacb24bc60a156

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
74e1960763fe7cc96ccbafccf7ef6b18

SHA1
6db78875eb46fa43243a9164b180287248f7f203

SHA256
6afde317499b271ea39697a6de1e3aca2ff063b120c08145ab7622fece6ead9d

SHA512
2d63468afbf0ed80129fd22b275ea7f3daf3e65156713bbe554888d819ad55376841e92ca1509f961314f621fae3113ce9fc7f4945845ec4df165cd2c35f1f9e

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
7fa247dfa2e9c50cb55ee91b30f457f7

SHA1
7389f35ad3cd92ab5720065dc22c1b1dcfa29652

SHA256
fe845e58575b07288c315ce4dc26104605db2c43c6de35da88261f35f96162a1

SHA512
8aa79dfa4a267693e9c71f58fda60198bd34cbc8dad1f44de76a7cab15dd4f049e5c6cad12a6ee5b333e5ed24a15c4efa0a58b84f0744c4ce56978eed25bd951

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
80KB

MD5
c00567a50d501a8f5910f9d8fe64c502

SHA1
768242d23ae24e76cf334490195166fab0d82592

SHA256
a6431b3d718c8cedf537141dbc83eeeee1ce5fbbe62c9c788ede25aaa5a08f2c

SHA512
e2688411fecafd96f28a5308e9eb9c151dc4c7596121f3a821415f248c37a2aaa6e58635fcbbbedad91063e048dc5ffd89204efc573f71f6ff8c957ca60205d9

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
80KB

MD5
9980b08bbae0f23cf16b70c6ea2897fd

SHA1
2ed98219dbea3b23410ac668d15ea1fbdb6e61a8

SHA256
5ddba5a69b44de2cb6cbd1fd6e50a699fa14aa1227d350453972b51de3f32c14

SHA512
b6b1b65c0e0ead204009d829b953e4f331424962a6d3d96647037a1027a1186cadd48498eebcd19ce1717484cece314e9e07867bf40964849fe2769bb54af166

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
dccb382ea6504f46c60a529af9820796

SHA1
6f5ed18fed02f6fd66b2b61c31a88804cdf1f624

SHA256
9112194c5dc1363c522339c4465c2396924f88dfa93f4bc4f7627da79cb45a48

SHA512
88d39a5e5a38211ed2ecdc5bf78d06f8f2fc0fb29dd39ccfff754f3c9cb82dc5e765ce3a6f1699ade3794cdd58d5dd8b8dd85300e1d4d8bad8f1bfc3e524513e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
80KB

MD5
25d92604d4008ec6021e2037706ea7f9

SHA1
e8681f66ab215fbbcc4d62332f6278f3df9ae776

SHA256
6abe34941e1a819f1b72d5cbb79c4d53f27248cc2f849144bc2a6021e69d578f

SHA512
514a637892665ac9b1c6b1047ae785599b252974c0f8c1b4ff3ca63fcd0f951e5aa45268fe12ef8e6d56838c7cf3012cbb0585368acebb0be9660f08cd5605ee

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
4dfe800eee9af40faad16c54691abb99

SHA1
24ee636376bfda2ea2a4b5b546871008e2306e98

SHA256
07e294ae44b28d776bf96bd1be7b52c8c6f4aab3ff0fd280faeef264e2f43f00

SHA512
c8d95c74efa4e10b330a80c7b19430ec6c857e9920ae77fcf9a45c6b0898b279782374ed3c8e6a0458c34d6b8216a5d1d5c42288ef8e7a00741e24fc9af24114

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
80KB

MD5
d24ffc210b084ed8782da79c02273488

SHA1
e7f4000e07d156e04b36eeea9d91295a7937a123

SHA256
7d1af85422d02f5949853c3ddba5088e0fa403450aca8fcb4398d1f1d9e863c9

SHA512
62e901626148391ee76be4cba1c44ef8648e41170b3f547ac860c2c261116e8ba3e39ab6d1f58239a473cb86fb8d390e0b314518a3f7e893d27367a81a73792b

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
80KB

MD5
014d04d3ee499c1671e1bd5c0c218ad7

SHA1
833e60722bd7f9a1fbb7dafe928e029efcc63ea9

SHA256
f667650db514ea4871b85cf43d73c6cf645396f8b57b375974b0898c59a2597b

SHA512
1597bf533356e7a2e5eee6e30bb4c0211bac0f79481b25b77eda4f3ac325ee0cd73f95fb7302f08f099c58656c657061d073f73c92e89c91ec8ad3f0aed43d46

Download Submit
memory/60-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/60-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/384-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/660-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/772-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2692-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3596-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3596-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3824-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads