ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531

Analysis

max time kernel
95s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Size

188KB
MD5

c2493db67f7500988f9fe8700d89f226
SHA1

a0c4548f2b692b60c42e62adf2d31fbd7d588736
SHA256

ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531
SHA512

21caf7b1700b18b96553001e9f3203fe4cba5566d365e160ebd095df31309425227fa834ca2bdfd4ec35221012b40637bddabf18591aa015fc79933ee506449e
SSDEEP

3072:g4uyqylkpEimjTbECwtVnbSBIdnRmssR96v+1AerDtsr3vhqhEN4MAH+mbPepZBK:gh7GrjUCwjI621AelhEN4MujGJoSoDco

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe

Executes dropped EXE 64 IoCs

pid	Process
3196	Pjmehkqk.exe
4132	Qdbiedpa.exe
3788	Qgqeappe.exe
4900	Qjoankoi.exe
3140	Qcgffqei.exe
1684	Ampkof32.exe
4824	Afhohlbj.exe
4116	Aqncedbp.exe
228	Aclpap32.exe
4692	Amddjegd.exe
2876	Acnlgp32.exe
4340	Ajhddjfn.exe
1348	Amgapeea.exe
2952	Acqimo32.exe
4128	Afoeiklb.exe
5116	Ajkaii32.exe
996	Anfmjhmd.exe
4072	Aadifclh.exe
3960	Aepefb32.exe
936	Agoabn32.exe
1860	Bjmnoi32.exe
4868	Bnhjohkb.exe
4064	Bagflcje.exe
2900	Bcebhoii.exe
3456	Bganhm32.exe
2936	Bjokdipf.exe
3548	Bnkgeg32.exe
4796	Baicac32.exe
5012	Beeoaapl.exe
4480	Bchomn32.exe
2604	Bffkij32.exe
4508	Bjagjhnc.exe
4964	Bmpcfdmg.exe
1448	Balpgb32.exe
384	Bcjlcn32.exe
3872	Bgehcmmm.exe
1016	Bjddphlq.exe
224	Bmbplc32.exe
3244	Beihma32.exe
5016	Bhhdil32.exe
4468	Bnbmefbg.exe
4604	Bapiabak.exe
3220	Bcoenmao.exe
4700	Chjaol32.exe
1100	Cjinkg32.exe
3156	Cmgjgcgo.exe
2488	Cenahpha.exe
2880	Cdabcm32.exe
3316	Cjkjpgfi.exe
4080	Cmiflbel.exe
3732	Ceqnmpfo.exe
4716	Chokikeb.exe
1640	Cjmgfgdf.exe
3200	Cmlcbbcj.exe
4816	Cagobalc.exe
3076	Cdfkolkf.exe
4320	Cfdhkhjj.exe
4232	Cnkplejl.exe
3500	Cajlhqjp.exe
1036	Ceehho32.exe
3044	Chcddk32.exe
2172	Cjbpaf32.exe
2176	Cegdnopg.exe
1788	Dopigd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2868	4136	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 3196	3672	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe	83
PID 3672 wrote to memory of 3196	3672	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe	83
PID 3672 wrote to memory of 3196	3672	ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe	83
PID 3196 wrote to memory of 4132	3196	Pjmehkqk.exe	84
PID 3196 wrote to memory of 4132	3196	Pjmehkqk.exe	84
PID 3196 wrote to memory of 4132	3196	Pjmehkqk.exe	84
PID 4132 wrote to memory of 3788	4132	Qdbiedpa.exe	85
PID 4132 wrote to memory of 3788	4132	Qdbiedpa.exe	85
PID 4132 wrote to memory of 3788	4132	Qdbiedpa.exe	85
PID 3788 wrote to memory of 4900	3788	Qgqeappe.exe	86
PID 3788 wrote to memory of 4900	3788	Qgqeappe.exe	86
PID 3788 wrote to memory of 4900	3788	Qgqeappe.exe	86
PID 4900 wrote to memory of 3140	4900	Qjoankoi.exe	87
PID 4900 wrote to memory of 3140	4900	Qjoankoi.exe	87
PID 4900 wrote to memory of 3140	4900	Qjoankoi.exe	87
PID 3140 wrote to memory of 1684	3140	Qcgffqei.exe	89
PID 3140 wrote to memory of 1684	3140	Qcgffqei.exe	89
PID 3140 wrote to memory of 1684	3140	Qcgffqei.exe	89
PID 1684 wrote to memory of 4824	1684	Ampkof32.exe	90
PID 1684 wrote to memory of 4824	1684	Ampkof32.exe	90
PID 1684 wrote to memory of 4824	1684	Ampkof32.exe	90
PID 4824 wrote to memory of 4116	4824	Afhohlbj.exe	92
PID 4824 wrote to memory of 4116	4824	Afhohlbj.exe	92
PID 4824 wrote to memory of 4116	4824	Afhohlbj.exe	92
PID 4116 wrote to memory of 228	4116	Aqncedbp.exe	93
PID 4116 wrote to memory of 228	4116	Aqncedbp.exe	93
PID 4116 wrote to memory of 228	4116	Aqncedbp.exe	93
PID 228 wrote to memory of 4692	228	Aclpap32.exe	94
PID 228 wrote to memory of 4692	228	Aclpap32.exe	94
PID 228 wrote to memory of 4692	228	Aclpap32.exe	94
PID 4692 wrote to memory of 2876	4692	Amddjegd.exe	95
PID 4692 wrote to memory of 2876	4692	Amddjegd.exe	95
PID 4692 wrote to memory of 2876	4692	Amddjegd.exe	95
PID 2876 wrote to memory of 4340	2876	Acnlgp32.exe	97
PID 2876 wrote to memory of 4340	2876	Acnlgp32.exe	97
PID 2876 wrote to memory of 4340	2876	Acnlgp32.exe	97
PID 4340 wrote to memory of 1348	4340	Ajhddjfn.exe	98
PID 4340 wrote to memory of 1348	4340	Ajhddjfn.exe	98
PID 4340 wrote to memory of 1348	4340	Ajhddjfn.exe	98
PID 1348 wrote to memory of 2952	1348	Amgapeea.exe	99
PID 1348 wrote to memory of 2952	1348	Amgapeea.exe	99
PID 1348 wrote to memory of 2952	1348	Amgapeea.exe	99
PID 2952 wrote to memory of 4128	2952	Acqimo32.exe	100
PID 2952 wrote to memory of 4128	2952	Acqimo32.exe	100
PID 2952 wrote to memory of 4128	2952	Acqimo32.exe	100
PID 4128 wrote to memory of 5116	4128	Afoeiklb.exe	101
PID 4128 wrote to memory of 5116	4128	Afoeiklb.exe	101
PID 4128 wrote to memory of 5116	4128	Afoeiklb.exe	101
PID 5116 wrote to memory of 996	5116	Ajkaii32.exe	102
PID 5116 wrote to memory of 996	5116	Ajkaii32.exe	102
PID 5116 wrote to memory of 996	5116	Ajkaii32.exe	102
PID 996 wrote to memory of 4072	996	Anfmjhmd.exe	103
PID 996 wrote to memory of 4072	996	Anfmjhmd.exe	103
PID 996 wrote to memory of 4072	996	Anfmjhmd.exe	103
PID 4072 wrote to memory of 3960	4072	Aadifclh.exe	104
PID 4072 wrote to memory of 3960	4072	Aadifclh.exe	104
PID 4072 wrote to memory of 3960	4072	Aadifclh.exe	104
PID 3960 wrote to memory of 936	3960	Aepefb32.exe	105
PID 3960 wrote to memory of 936	3960	Aepefb32.exe	105
PID 3960 wrote to memory of 936	3960	Aepefb32.exe	105
PID 936 wrote to memory of 1860	936	Agoabn32.exe	106
PID 936 wrote to memory of 1860	936	Agoabn32.exe	106
PID 936 wrote to memory of 1860	936	Agoabn32.exe	106
PID 1860 wrote to memory of 4868	1860	Bjmnoi32.exe	107

C:\Users\Admin\AppData\Local\Temp\ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe
"C:\Users\Admin\AppData\Local\Temp\ad39cb7ee951411dcbca1ca9b2d6812cfe77f8ac10eb8d8d06021336249d3531.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\Pjmehkqk.exe
  C:\Windows\system32\Pjmehkqk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\Qdbiedpa.exe
    C:\Windows\system32\Qdbiedpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\Qgqeappe.exe
      C:\Windows\system32\Qgqeappe.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 416
        77⤵
        Program crash
        
        PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4136 -ip 4136
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
188KB

MD5
1b5428f465a5bbbb3538ca082be11758

SHA1
f0bb58a9aa7feb5236979393727a1cb8b98e127b

SHA256
2186594325df73068efbc78ce8b38222e22462a4f073d33be074ce4cad8a749a

SHA512
c0344f92fe79949dee402d756ef07511cce6e1260896dd5e2ca2a91c63d778115e97cfac33481effcf120a44521bc22da776e9bb6ec3c594681d86faa236d0e0

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
188KB

MD5
e8f6f22a8dcbfad8a728fe0df8ca7448

SHA1
e31f7f42b94febf30566a1012ffb60c7367c98c5

SHA256
cfc7e0f05be0df4413e839f587aa9db3d87daa6d322233f97f7ead6d63460b9b

SHA512
2314714796656af16f33ca12649c4b25f2932fb42eaa161609b8c9478bdd8ace5f8577c443ae8ba15fa19786466655e68bdb2c71ee5cd346f50d8e97da035dc4

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
188KB

MD5
0d811c445e9839855e802e6f70322de1

SHA1
8a466672b9dc0295e1229ee91848145f124bfee9

SHA256
dd46fb81e22377507a51c34f3edf56a62d46999d1979db22c307507a40ab0d49

SHA512
4d875b9c07bebdc0105298e5dd5c654aa65e534ab57c1f772bec85ab00a93f76870617ae2e1d94faf20ceab5b7e5babca8c70e8ab166599c8a0076ae12deb9b8

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
188KB

MD5
f43fa7be97067afde813ff87dd3fc963

SHA1
ec519e6e443f3027d1ccf580c82b5a639fc9342b

SHA256
b48a86a374ad04514bbd1826ce5b6786a20ae77ec1a45d2880d63cda20b63cc6

SHA512
6b30144d09e90b510eeb0a7fb6a4376649920320d00678c18f69431414e5e7d48d75cbf2c9077b7e57f92f7413a222eb0eeebe541e8ea4698c45f6f691a57eac

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
188KB

MD5
a708f1adca1c5ac8aea3cbf25c5a2f1d

SHA1
044b8c895e09b762b7a5adc7e8c84269cd0e748b

SHA256
9ef8973aba0c55b349213b9d81b50bcd2bf8f210661ececd2480a98c9c950b42

SHA512
25616acec66a8a7720579198eb91f5a45267676c51f26ec0c61c0c3fd068fef7b2cd6229a9f68d27dfa28a4fb6c6dfd256b69fb759d6c22687b77ca6367f97ef

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
188KB

MD5
329b57fd0ddae7796e82411a3f05e0e1

SHA1
e603099a75b631fbf822fc0034c00d92bf547173

SHA256
83075659388d59058b50c73cf0e03288e089f5a02d4db578924ddfade5f2ce3c

SHA512
744bfb1953fb177b12a01b046e9b49ec694a90fbfe2d117570b78c1bee964e0290bac29566ed5afbbae85f2ad16acaa19bb4b4cf67ef97600ea4267cbbbb990e

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
188KB

MD5
222ecc18181a9766f89d265fe3d90fd5

SHA1
057938fafff1e369f6abcc323d706d2babb9cb68

SHA256
3d803b144b95fac4628e54ec48bb053f66cb392f9f43269018f498e4688b0d89

SHA512
6d0f52b63cb5ca6c1f2663008552a07ccb77c663356ad172c561d8228e9d67a577177d31702ea13302c6ac997f31e75b093110aa21787560fb108edc5f7e2c0c

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
188KB

MD5
d090a08a16947403816f6e455a10ece6

SHA1
cffc59a575fda22bfc3c9d6ce2f03532b82835ac

SHA256
9375cb4260d1ea0fed90b9f0c4a59a7022caae2d0114c1d1159b757c71bd9376

SHA512
49950e6fb8c45ffea5a7d8841217a3843b0c8ac178b4576089e9973337bc0c94ce8bf857a9d43a56a6866208caa146da34ec45aa461c1e7408379e6fa818842d

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
188KB

MD5
fcb3c3f96e94c7e4dd70a900304a0935

SHA1
033c98b3a1ccf3208b16659080fd1ec8e7c1bc47

SHA256
20be88f1979d00ed748f7627f5f134e0291aa79f3c54c3c572d2dc8ffb264343

SHA512
f37439931e7c99d5d4e93ff2c03f2c4497e75318bbb2df009c413ca9822cb8722704a8b2b649bc6fa3aa1da96852781a13705b25bbae13ab6fc8514011fd3a0f

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
188KB

MD5
c249b8d626ceae77a6ec2149d6e3ef71

SHA1
baaf7da28475c405dd111ff19afa64e9d16e1eeb

SHA256
cd361683e57b7387cfb7ab4fb4afc26bf9862676d5ef326ec3114fd926c6c8e0

SHA512
eb6ba3ff844ca37aee4fe28f22f611e0152ce36b67389be37001cbc70fd4389c42a7febcad37f214a7c6ca22a2524427153f9f6f7ce8960d0dff1ea2fa5acb32

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
188KB

MD5
e04d8f82a1da8bb961d6eec103dbfbe7

SHA1
37dc907ae0db480275869417125cad8e268aa59d

SHA256
8ff4376e50e6643321beed6b0148cb5f78a2c618fe88327c38485714334af1d4

SHA512
b43ce9705cc4af9798a6c55d8344c37c2b0f81bddb21903712fc6e5a2da046a47994946c8e57ffe912bfc5ea2ec240a88e6b3e3be3606596515ccde0676ce9fc

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
188KB

MD5
7606501c229a3ddffe15d1c2b77dcd6a

SHA1
540c420dd9a68fb9211a6df697f4eae40e26ea50

SHA256
ffe68fa5cd0967c5fe9ac91580193736f0de06f9308c2225b77db92e5bcbd466

SHA512
6d1fea828a4ec6fde7a76f3a323a8a9b0023bd5348942e72bd3e2ded4872d90f67c8f7a3f2bbbb68934215c3ae2786b3af14435871e5c82df3cc9197fdf04b80

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
188KB

MD5
0bfcabcabc268cdfe5d538cfbda89a32

SHA1
6ce7d9713f962c99ac4fcd34f1e72fb26f937927

SHA256
12d15278067eefea59933b77c14ac03e586df1133d18312045c05e2afa61f9e3

SHA512
f12b73ff67f7a2fbdabe439fe965fa560ae7b9f23508b8559aa0678606a63fcbcb340c1bb003b62781815f9b96ab658785a2cf9d527deb3e44c4e57214783e70

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
188KB

MD5
b9bc8169d0d1a92c20aaba2df35434a8

SHA1
8ebf21b3bebfab1ec5a7890d8dd2fbe02f6e89b9

SHA256
c8bd4d80c80be98bf4f3dca0946f63f9387cf26b845aa41e6123cb29e75720c6

SHA512
21e63ea8b91d02ce955a1780f88909c8067655e58ad40e25e2994744b9969a54c0c37fd5b5e97bedf02b4f476fc989f483a7e65332cfa3d6ad25216941045963

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
188KB

MD5
29f9be85b480f6a82e0a484508f75267

SHA1
b7b0a8fb00fb5423b4a8d99957e39142aa1527ad

SHA256
0c5c1189a377f4300f357bce6a4d2c5fc274bd0d641770e67ce4568b771ddb72

SHA512
57c6399814bcb51c91820a72c105375ff4f143ac6c3b748d6e9270cfba4a9bbac51d3ccd1d2bb7d53e7e39017d6a672451700f7f2b88abb2eb286532411d71e7

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
188KB

MD5
b8577ddbe379fbc136692417ca08810c

SHA1
f6605cf13f194852985175324a10a17ffa50163e

SHA256
a9d5c92810b5ce6579dab91fd0e472d2939a21e6ea33e62fc0d317dbf02a908b

SHA512
e8c9cea14de79b6a0dc9da58ab10e9891643c257d0ae176d4a2e17d97b3edc0ed6cf3b18b29e3729ec141032493872feb10dc6b98221c8ba162ba84339385186

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
188KB

MD5
1ee1df4522ea4799e1e80c05de806272

SHA1
390faec2ed6449513cbb1552b5cb09511c4cf056

SHA256
e6dbcb0b94ea1e081840aefa7b5ebd073b9791749fefebd1f05df479f5f2629a

SHA512
565fd46bb42fd31acba685d51cc8744ad7ce802da0c4e770abe5801a4f44da5ec98a57144f88c316b4f256481809edbe9ebdaf141a53a4f502e8cb90390fb0bb

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
188KB

MD5
b8520ddbf82186a46a4a3ed9af79f61e

SHA1
4b89b5cbe778e33ad47068fb5b9f94ca0276bba2

SHA256
d85445f43eca9b1551d2a648e472e28ff1034c3aa030d1a082ec47398bc6cc32

SHA512
8df3c6531a89d8b9f50349cac53c443b236bd7739b2bd9ed78920bc6ae55f84d9c2aed77ab4219007f06415b74fbda4c9e4f75960d60f9bea6caa776e6f1fdb3

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
188KB

MD5
fe2abb7c6e98bb0b91758e65ff78e692

SHA1
c8686ab639aa4a8b28f85c24ccfeedb2f0913363

SHA256
242e12473fe0349e6af1ab125b19a2b8bf9e970cdb2f996975f7b49f85b89bab

SHA512
c33738900a4f06044c970ac84d1f084a9ae60adb218739f08c40048068f11b7ed8eb6d5fa9d48d04aa6be1ca076b04a9e55b6a613d619e56cafb04464b70e27e

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
188KB

MD5
772fc45c97f8f96cd2bf37229c0784f1

SHA1
018091d1ab27bae3cdeee4ee0045a7508716c491

SHA256
28eb759f92189f83a8fc752cf55d733d7f964076f9c34849a391b9f1b439e3a2

SHA512
623ef2e10073b82ec07429eada7ffd6f15144b0c367005b952ca52954e1d2b91201c8b888d3f4c50b7d6a96b460e289f78bf9a98b9bdc1a499f2ff4138b0589e

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
188KB

MD5
25e7e4c40149138ebdc414b18211f056

SHA1
fd329f5f2f51bb992cc00d70572f4c8884c0a49e

SHA256
b5b6f498ff57a6512a6c21d376897dfd22e952758645322996299a63355e9d2b

SHA512
a7e09eaab054cdb20fff39aa7d1be30c6aa9567e05c96d988aafdc555f1b5b128c9fff1f80869018504752e5c34e8030142727fc5c858fe18dc05559b17a006c

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
188KB

MD5
8646ad8a47125d12c686bdabfbc0adb9

SHA1
530805c09a803991983d9fefbb9c71e3d9699382

SHA256
a050b881f201a829711e1ae55725a425289542b01bea6f783fe56129f3a64ae2

SHA512
b5d2307d23efad010756525e95960dfeaceda0950b00222a92caf21cfea58a1dd42d3af7b8f4ecfe572a7f688e2e0ce77b20def58abf3bd08427814519bab0c7

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
188KB

MD5
3a3a7a21f258cc77dd6dfcdcfe5d90cb

SHA1
28f6b97c5bbcfc7e58226fcf28bd10219ebb17a3

SHA256
34dcecab8c62f7e1b894cf83f7c4cab48635ab65feb1fcbd951158b252f410ec

SHA512
324e9b9bde18aac5f88535a02628926f2fe2ec71966f1211ebd7dd955c256be2be2f61d5f2936fdbba8d03b9bf8d1a70bc57ea701b22b59a7cb33811b1de572f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
188KB

MD5
97cc49e747033cfed1d263f9ac10b9e5

SHA1
78ed6352cc4566f63be4755f337f08c8486e5324

SHA256
80dba61668fe1b08a184368b73311f5a3da69aa469f2745f7428b02fa539e5bc

SHA512
1eff1d1420fc016d46b45e584acb780f96aad5280dd324557965616171c39015afd14a79f9bbd0ddbb26fbc10d8be5577218c6b4a7dfe823f450c94fc6679625

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
188KB

MD5
a8645d5cd99e68c6b93a533b3437e59f

SHA1
a4358b00fb14ddaada115317577d6f8af7a0650a

SHA256
cde0f1ab79be9bc395e1ebf772089e1008f11505b94d2d8601a9ddd637a28054

SHA512
8498f971bddf8638fd767d1421c3a5937fb6726766681821bd484d58070ce333cd0a17dbd1b29946abba5c40523ef5acfe8bc99c9bb2eab193bd366762de4d5f

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
188KB

MD5
a36e86a9560c4a7a0972bece31d9076e

SHA1
d23de0a1ce507a01ff34b97d4a86befe86799764

SHA256
2cd126de03da5a8de6043c8ff3266b39f75d65dea7cdca1fc3708b4c75a03ba7

SHA512
1e77eb626e38565d9802fcd176576a9500301bbff20700aad7386541e664ca932ca7b9b6a5072cd66d27306e97e7424682d99c5f0659effbcea66dea45f4a1ee

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
188KB

MD5
9df91931e4c362627154c786d9f49167

SHA1
6fc46260f2acf10ebdd363581073b794e62045f6

SHA256
f2da9d717e5c6832cbb762751f93c6482a7bd268a0b750a58223e904f38f5cda

SHA512
920f805ba004f4bfc02922659d5a0793c1c4b5a4da601f4a1239268487329340025b306a04ddc0ffadb9ae47799b9e0b1e0cd177ce75fce90aa29c07407ac03f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
188KB

MD5
d3fe39d6bb6857eb96cd73f6782e2721

SHA1
1a2a763b9d567d3d56ec14d089897283cb2d0414

SHA256
3df65d28c9de38268e0ca587440a8b93c08ef7db309247991c63984c60bb983b

SHA512
1be484c248cd226f8ca381d746735c356d827c2cd73091e51cb36a54f34f7cba61c2110655f3e2ce2a68e2d314453be1cb302495b0c43d87d4f7fa2f754e6acb

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
188KB

MD5
ed0451bb534acb16a23e06eeacde6773

SHA1
1f9a68d5366b15a9beba8e2340d01510548dccd3

SHA256
c13b2f24649193d2c5d6b6f41273958f5ac40571b1ef04b84707272b551e6033

SHA512
ee24077be6cc210326145c47b9d169cfe7678b0305bc269ca7b708dc2cec734e3c7c3aafc3de8f9ed6d72fc871bc024f63b9531bf6199e86365fd785554ba958

Download Submit
C:\Windows\SysWOW64\Jdbnaa32.dll

Filesize
7KB

MD5
76af57c51bf5ff51279fecf4a7346c4a

SHA1
7504a532686a7d4ea385cc872ebbd3a660618183

SHA256
69fc74466e67e10888630534b5e781da21a2501b99076e4c3c33d73d861124b0

SHA512
064594efc6f57fcf8a508699025ea5ef3a6819790089cc363f581b133f3025d766029c021dc7f4e7bf2b98cf39cb30fb224aec22b901e2cafa4c7d06ba63254a

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
188KB

MD5
a7f84b12905d7e52264cc6482ece06b9

SHA1
af6ea8b8a52253b23fc541bc1b4bbb0dbce925d6

SHA256
10a808e9aa92f95ac3708794ea6706892d3a90c5e83eb61ee725c567259d22fe

SHA512
5a7f537f462b28e9bda57ec19c682d9c9b33b22b291aeea8b844db2ce6482bc379bc14854b86b0a15f26a423dcdc2f6cce18b10a79317dbd59a9fbc1a419cece

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
188KB

MD5
18710e0717b6f66b3cd9a2f910294f00

SHA1
1075b9e5eb3906de5b10a1ecea22a9e507e078b1

SHA256
0830f5977048ff41df4e3d55ef2c738dd05a2c0660a42e82c171f3e596d66b8c

SHA512
6259f6bb5e1fd63f1a7a92fa2fe3a0ad4a0cade489df5fc65117bb764b56018c61ae7a7142bca8a48539e94008c3664f6478a9e109cab6f3d1659817002bef1b

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
188KB

MD5
56c602178648a48358a8c50ec04b6ac7

SHA1
e9d6ccfd6e6c3fecc7959d121951883d18c79f56

SHA256
499eb9e76e757eadbba6004d1e2eb37295ef9a2cdc584c1722ac683d58ffd358

SHA512
a21235899d04d8426f375450e8f5894c0f9e882bd3e84da107d2449279912433ec5ed621f98196d2d75c1b2225e9f927df7c6f2368c117f969f144072c50c047

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
188KB

MD5
19f718296b01b96c2ed16628ab3d911d

SHA1
2b2bab62ce40eb4382cb6dba1fc3e222d0d24d44

SHA256
4f9c5cd9818535fd584babf1dc3214ced7d7bc16a469b06ca917706527320ff1

SHA512
3f45f92390e32f1d582683bfb46267ad85e56d5f4901d3cfb033160a7c3968ec8bc663d0982a64a50d8ca445f16fddfecf00e48cc9d404f3e8d0f9f8b0a1c535

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
188KB

MD5
d19c0a128a93a3b6d53a9b2627778a6e

SHA1
6989ccf35ce2d2caa4b48b5b9a91de31a70b79dc

SHA256
13412a6d9d27da9a2705ed213a6765fcb8ef854445510566403a20f6f54a9a40

SHA512
974267419b9716939c5813e69df07dcc2ddd38d0badfa5f12f41f6b4b643743f8581cea2c14358f45fdbb6b80c0fc02d64e8b1c00b7234847a84f3c1c2377ec2

Download Submit
memory/224-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3200-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads