c2b640e40ac71c34a38174deaae2061b660e13904420a8bed0b43e26625e850d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d38dfd343a75f73e41723c8f406564d0N.exe
Size

112KB
MD5

d38dfd343a75f73e41723c8f406564d0
SHA1

28b2cb1b95e0dd222ffcdeb728c8dd16b5a12800
SHA256

c2b640e40ac71c34a38174deaae2061b660e13904420a8bed0b43e26625e850d
SHA512

ed8eb19e77eabc7faaa9567b0ecb65b429ddc309638daf17bca04a803e2b78e908e00251cbea39b0158e8a4dbf742ba77db99f05fe9dbad6b3dba527f655c4ba
SSDEEP

1536:pGZToi6xAHFKYc5Kz1toOrbtcl84vYf1gzBhrUQVoMdUT+irjVVKm1ieuRzKwZ:pGlT0s1toOHts84vCcBhr1RhAo+ie0TZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d38dfd343a75f73e41723c8f406564d0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe

Executes dropped EXE 57 IoCs

pid	Process
1884	Pmmeon32.exe
2316	Pdgmlhha.exe
2172	Pmpbdm32.exe
2768	Pcljmdmj.exe
2676	Pnbojmmp.exe
2564	Qppkfhlc.exe
2544	Qkfocaki.exe
2332	Qndkpmkm.exe
1920	Qdncmgbj.exe
580	Qeppdo32.exe
1436	Alihaioe.exe
1484	Accqnc32.exe
1568	Ajmijmnn.exe
2848	Allefimb.exe
2100	Aojabdlf.exe
748	Ajpepm32.exe
1892	Akabgebj.exe
960	Aakjdo32.exe
2008	Adifpk32.exe
1936	Alqnah32.exe
548	Aoojnc32.exe
1776	Anbkipok.exe
3024	Adlcfjgh.exe
2372	Agjobffl.exe
992	Abpcooea.exe
2996	Adnpkjde.exe
2684	Bbbpenco.exe
2692	Bccmmf32.exe
2704	Bmlael32.exe
2656	Bdcifi32.exe
2556	Bgaebe32.exe
3004	Bmnnkl32.exe
272	Boljgg32.exe
1648	Bjbndpmd.exe
2432	Bieopm32.exe
1036	Bcjcme32.exe
1852	Bfioia32.exe
2580	Bkegah32.exe
1212	Ccmpce32.exe
920	Cfkloq32.exe
2868	Ciihklpj.exe
1536	Cepipm32.exe
1948	Cileqlmg.exe
3048	Cpfmmf32.exe
2940	Cinafkkd.exe
2360	Ckmnbg32.exe
996	Cjonncab.exe
1640	Caifjn32.exe
2648	Cgcnghpl.exe
2772	Clojhf32.exe
2788	Cnmfdb32.exe
2760	Calcpm32.exe
2204	Ccjoli32.exe
1844	Cgfkmgnj.exe
1412	Cfhkhd32.exe
1836	Dmbcen32.exe
2808	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
348	d38dfd343a75f73e41723c8f406564d0N.exe
348	d38dfd343a75f73e41723c8f406564d0N.exe
1884	Pmmeon32.exe
1884	Pmmeon32.exe
2316	Pdgmlhha.exe
2316	Pdgmlhha.exe
2172	Pmpbdm32.exe
2172	Pmpbdm32.exe
2768	Pcljmdmj.exe
2768	Pcljmdmj.exe
2676	Pnbojmmp.exe
2676	Pnbojmmp.exe
2564	Qppkfhlc.exe
2564	Qppkfhlc.exe
2544	Qkfocaki.exe
2544	Qkfocaki.exe
2332	Qndkpmkm.exe
2332	Qndkpmkm.exe
1920	Qdncmgbj.exe
1920	Qdncmgbj.exe
580	Qeppdo32.exe
580	Qeppdo32.exe
1436	Alihaioe.exe
1436	Alihaioe.exe
1484	Accqnc32.exe
1484	Accqnc32.exe
1568	Ajmijmnn.exe
1568	Ajmijmnn.exe
2848	Allefimb.exe
2848	Allefimb.exe
2100	Aojabdlf.exe
2100	Aojabdlf.exe
748	Ajpepm32.exe
748	Ajpepm32.exe
1892	Akabgebj.exe
1892	Akabgebj.exe
960	Aakjdo32.exe
960	Aakjdo32.exe
2008	Adifpk32.exe
2008	Adifpk32.exe
1936	Alqnah32.exe
1936	Alqnah32.exe
548	Aoojnc32.exe
548	Aoojnc32.exe
1776	Anbkipok.exe
1776	Anbkipok.exe
3024	Adlcfjgh.exe
3024	Adlcfjgh.exe
2372	Agjobffl.exe
2372	Agjobffl.exe
992	Abpcooea.exe
992	Abpcooea.exe
2996	Adnpkjde.exe
2996	Adnpkjde.exe
2684	Bbbpenco.exe
2684	Bbbpenco.exe
2692	Bccmmf32.exe
2692	Bccmmf32.exe
2704	Bmlael32.exe
2704	Bmlael32.exe
2656	Bdcifi32.exe
2656	Bdcifi32.exe
2556	Bgaebe32.exe
2556	Bgaebe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ajmijmnn.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Pmmeon32.exe	d38dfd343a75f73e41723c8f406564d0N.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pmpbdm32.exe	Pdgmlhha.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Qppkfhlc.exe	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pdgmlhha.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Qppkfhlc.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpbdm32.exe	Pdgmlhha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2644	2808	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d38dfd343a75f73e41723c8f406564d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d38dfd343a75f73e41723c8f406564d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d38dfd343a75f73e41723c8f406564d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1884	348	d38dfd343a75f73e41723c8f406564d0N.exe	31
PID 348 wrote to memory of 1884	348	d38dfd343a75f73e41723c8f406564d0N.exe	31
PID 348 wrote to memory of 1884	348	d38dfd343a75f73e41723c8f406564d0N.exe	31
PID 348 wrote to memory of 1884	348	d38dfd343a75f73e41723c8f406564d0N.exe	31
PID 1884 wrote to memory of 2316	1884	Pmmeon32.exe	32
PID 1884 wrote to memory of 2316	1884	Pmmeon32.exe	32
PID 1884 wrote to memory of 2316	1884	Pmmeon32.exe	32
PID 1884 wrote to memory of 2316	1884	Pmmeon32.exe	32
PID 2316 wrote to memory of 2172	2316	Pdgmlhha.exe	33
PID 2316 wrote to memory of 2172	2316	Pdgmlhha.exe	33
PID 2316 wrote to memory of 2172	2316	Pdgmlhha.exe	33
PID 2316 wrote to memory of 2172	2316	Pdgmlhha.exe	33
PID 2172 wrote to memory of 2768	2172	Pmpbdm32.exe	34
PID 2172 wrote to memory of 2768	2172	Pmpbdm32.exe	34
PID 2172 wrote to memory of 2768	2172	Pmpbdm32.exe	34
PID 2172 wrote to memory of 2768	2172	Pmpbdm32.exe	34
PID 2768 wrote to memory of 2676	2768	Pcljmdmj.exe	35
PID 2768 wrote to memory of 2676	2768	Pcljmdmj.exe	35
PID 2768 wrote to memory of 2676	2768	Pcljmdmj.exe	35
PID 2768 wrote to memory of 2676	2768	Pcljmdmj.exe	35
PID 2676 wrote to memory of 2564	2676	Pnbojmmp.exe	36
PID 2676 wrote to memory of 2564	2676	Pnbojmmp.exe	36
PID 2676 wrote to memory of 2564	2676	Pnbojmmp.exe	36
PID 2676 wrote to memory of 2564	2676	Pnbojmmp.exe	36
PID 2564 wrote to memory of 2544	2564	Qppkfhlc.exe	37
PID 2564 wrote to memory of 2544	2564	Qppkfhlc.exe	37
PID 2564 wrote to memory of 2544	2564	Qppkfhlc.exe	37
PID 2564 wrote to memory of 2544	2564	Qppkfhlc.exe	37
PID 2544 wrote to memory of 2332	2544	Qkfocaki.exe	38
PID 2544 wrote to memory of 2332	2544	Qkfocaki.exe	38
PID 2544 wrote to memory of 2332	2544	Qkfocaki.exe	38
PID 2544 wrote to memory of 2332	2544	Qkfocaki.exe	38
PID 2332 wrote to memory of 1920	2332	Qndkpmkm.exe	39
PID 2332 wrote to memory of 1920	2332	Qndkpmkm.exe	39
PID 2332 wrote to memory of 1920	2332	Qndkpmkm.exe	39
PID 2332 wrote to memory of 1920	2332	Qndkpmkm.exe	39
PID 1920 wrote to memory of 580	1920	Qdncmgbj.exe	40
PID 1920 wrote to memory of 580	1920	Qdncmgbj.exe	40
PID 1920 wrote to memory of 580	1920	Qdncmgbj.exe	40
PID 1920 wrote to memory of 580	1920	Qdncmgbj.exe	40
PID 580 wrote to memory of 1436	580	Qeppdo32.exe	41
PID 580 wrote to memory of 1436	580	Qeppdo32.exe	41
PID 580 wrote to memory of 1436	580	Qeppdo32.exe	41
PID 580 wrote to memory of 1436	580	Qeppdo32.exe	41
PID 1436 wrote to memory of 1484	1436	Alihaioe.exe	42
PID 1436 wrote to memory of 1484	1436	Alihaioe.exe	42
PID 1436 wrote to memory of 1484	1436	Alihaioe.exe	42
PID 1436 wrote to memory of 1484	1436	Alihaioe.exe	42
PID 1484 wrote to memory of 1568	1484	Accqnc32.exe	43
PID 1484 wrote to memory of 1568	1484	Accqnc32.exe	43
PID 1484 wrote to memory of 1568	1484	Accqnc32.exe	43
PID 1484 wrote to memory of 1568	1484	Accqnc32.exe	43
PID 1568 wrote to memory of 2848	1568	Ajmijmnn.exe	44
PID 1568 wrote to memory of 2848	1568	Ajmijmnn.exe	44
PID 1568 wrote to memory of 2848	1568	Ajmijmnn.exe	44
PID 1568 wrote to memory of 2848	1568	Ajmijmnn.exe	44
PID 2848 wrote to memory of 2100	2848	Allefimb.exe	45
PID 2848 wrote to memory of 2100	2848	Allefimb.exe	45
PID 2848 wrote to memory of 2100	2848	Allefimb.exe	45
PID 2848 wrote to memory of 2100	2848	Allefimb.exe	45
PID 2100 wrote to memory of 748	2100	Aojabdlf.exe	46
PID 2100 wrote to memory of 748	2100	Aojabdlf.exe	46
PID 2100 wrote to memory of 748	2100	Aojabdlf.exe	46
PID 2100 wrote to memory of 748	2100	Aojabdlf.exe	46

C:\Users\Admin\AppData\Local\Temp\d38dfd343a75f73e41723c8f406564d0N.exe
"C:\Users\Admin\AppData\Local\Temp\d38dfd343a75f73e41723c8f406564d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\Pmmeon32.exe
  C:\Windows\system32\Pmmeon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\Pdgmlhha.exe
    C:\Windows\system32\Pdgmlhha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Pmpbdm32.exe
      C:\Windows\system32\Pmpbdm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 144
        59⤵
        Program crash
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
112KB

MD5
cbed4817ffff9e778dc974f5c329a91a

SHA1
98f04679dd034a19327d7467c4c880f7004c5707

SHA256
ed885989e1795012671dd20c64e9dd38f37338df6c841748c8b4b66ac8062861

SHA512
5472fae5827687c6ac101d425c358d1486f1ddb3b90c73a7c9e4650e355db4495e0b0867969cec8dcde6c4bfb9460d681d296a55bc08d596ab52db95d8b7b2b7

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
112KB

MD5
efcdd7d0e8363055af37174f3e8b86ba

SHA1
846887fb41f8427d3d75fa2235d886e5cd9490d2

SHA256
ec39b577253323d19d3c00945ea39564ed50a14ae07dd7526f5a20ba24216bbf

SHA512
c5ab2f524a2b1fae58cf94af91a8003b528a3b40a9e4909628b67792084b1e5f1b2fd4a791da3ee02eb92921045f98b0add5b6c9f879b546054b912635d11494

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
112KB

MD5
a64c686ce699cb575fdc9454da4d2b5d

SHA1
5454af4e6c714865c634a8b354c906cd1a9de490

SHA256
16f36a1347e2a0ef7e4ba0c9ca040318e2993197ca86b3487ee6db86103c590d

SHA512
507f26dfd8ab2bf6b58e1580ea50cfcc7453547c1d44a06241932cc63c29006746c5596ecaa857e0788393ad36bed5c1e2b37d33d1218db9c912df043905285d

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
112KB

MD5
e2af2e64d93a1d39e1e44dbd17d4d3ed

SHA1
8eb3d0568aa3768e67206a508e7c28cb2b5ee78c

SHA256
0be8f8a6f2182ec62aec942c2be0e14036924bacbf14498d2919ab4681fbc985

SHA512
1d93e6625bd6bc0b40a1e417d8d608ba08f135bccd575e4270d803677a63d76d6c92000be4e2091d2b6cf656e7ac0c56f72f5f8843b9509bd5e9861df5ec6dd8

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
112KB

MD5
06c21c603e93f4dc7f069f5ce8f161d4

SHA1
8dfcb4e3f67834ab7bba96c7d122ff7a839aec91

SHA256
fdef4e526aa0b4199c2d0042b39e1227aa15cdb85b6a4b4d393295560c4064ca

SHA512
3c807f6dd75dd57f1945a843495e587bf6f6ba3c287b58819c2c79d803486fa4c6e5212d5200df9e3146f37cecebec632e11ba36e3063275bab965dad14a1e9c

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
112KB

MD5
107880e13d0800bce392dc54ecd2b7c3

SHA1
a39ee4577c837d155edab47778aa8c595bcd628c

SHA256
c5d19c9b045e84627e5bfca63e16f059dbc23d08eabef87efb18765ad85d13d0

SHA512
f50f2e8abcc31ba7576b9fe13db045e4fefa8f0636247f1c2f09fb623e4d5d6adbc5d523781d6020dc8fe3579940d3728ed395d8c56453fbf1f5211e0968e905

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
112KB

MD5
955a0cc89125f128d47c31728844a6a3

SHA1
03ffe62777a247683741ea2210f3e3bcae7ddd99

SHA256
0a758cb0618c853981d3bf2a58912e038c21556b7bb7935dc4be493295bd59ac

SHA512
3409a2c64318dfbe8d60c9c2cd7301f7c2313d38be4ac7ab3af44485c6443983697a5032d820fbd7f898be25e6c8407cb89f759e3150701b6f187f70cf6eadca

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
112KB

MD5
520c4e0a7db75119e009baa71d7e5f53

SHA1
09859d22a09643ab8fa189725a015d36e4eb4d86

SHA256
f72f1ef61d44b6bf5e357609ee40722b1a6d1a3fc9e052456c5927a63fd189e6

SHA512
b9071bc2df7950f8d4248a3ba000f8eadc6a6624a0b07fb1cc8dbe70ee848428b7684fd2699f4574b754e66a13d0ecc1fdf34d7e17374c6b18827a147f008526

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
112KB

MD5
17592d1a818bfc591d03ec57bc3daa54

SHA1
e8884fcf83425205c4743327dfb568ca15aa3e8c

SHA256
90f473dfa0b08ae77181ba3e1e5559f0b7e5ff6e8088da910d39f1d29e17e25d

SHA512
6ed3266e39c02765644daa6bf6aefd3ac3b0245b64c7d701f639cf1d3dbf570ae6aeb7a985cb3e8150a27b69b859299ef270ded9f8dabf14e49557b89a0fa819

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
112KB

MD5
2794be56769572bd300598b46817f45e

SHA1
38eb5e7529d9eae37a3f0c28ff558a969b7ee8c7

SHA256
adf0e78858b468f85fda3b9485150f80a842c5f0b9648bab1ad04acb4ceb24e4

SHA512
5de8d134537861357a9beef7118ec6c666199549eb5d1a1cf46f584ba76f67bbc506f8ff6ba4411e9999bc8e540fc0957c0c65d4e99d306769c967aa546fc633

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
112KB

MD5
b9d36e2b131301e0632f2c3724d12513

SHA1
e588733cc4787f3ef1464389cc70f077169b8e8d

SHA256
5ae96e9dc9aa9b7e6363b5644ab701d0b5e48a3fbc3b8379c0cfcf5c419e1344

SHA512
c35b9e3bf70a0375ff4f89e2c7458f40577945c01a78bdafb4bb904be4cd7f1c273ea4e4f23a9023aa7bfc86484e5d259aa96779320af7f3a0ea245be3717e3f

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
112KB

MD5
f89be35d4bef24c788fcefd53ea7992c

SHA1
29ffa6c3bb36f39f831f7be2056d19917d400e98

SHA256
730aa144b6952a7ac7cbc5b677a8dc6dbb33ca9e9f6a5009214d0ac810b0b592

SHA512
326acc157eecb2c34ebbfc80143a3307e594bc18a78782ae0e6862f9c1062ea54770c3de33f548a51c2fad08a5232cc323b6deeef04a380fa1fbb12e7f08e2dd

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
112KB

MD5
808b4dec99a1fc31e1d3e5ef62620e88

SHA1
87b8a0e7db04eacd08d1ca06629ad71111797df1

SHA256
90a88de52e5f44d2cdd6b3ac09c939f0c7553383a0fef73ac0eba2c18aa0f62a

SHA512
c14f8115ea55b7d6382f03cd14916c540bb1325e996b7a514f1d544be5b24e754d9bef48e4940a2d20b2bceef5d894f9e92a87ed50c48190abf289f65439f49c

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
112KB

MD5
005b40b6be1f6b50c64c4e62e00e8296

SHA1
9f014987e36c617c9792e546b39c115710bcf4ef

SHA256
c0db268851f40152ae2fdbf76817d8bf2f40b509327ce6d7dccc661085238c90

SHA512
fc9dfa92a3bae14f0c94961250ca1e06c13d5337bc9a911d68da184b9c71114bc9c5460ad67717718080b0abd43fff1886daa14849c18bf8ddc00244d0c38a88

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
112KB

MD5
054d70eb26b86fa83e436c18cb6cb1ff

SHA1
27af275845463127fa42094276d40e0a4cdbc528

SHA256
6615f0e2a6b87fe483cb4cdd86711c351d132e98c9510fa7bc43b959e4d37c6d

SHA512
43559ae3db76974e044c20df7ee5d4e3d4bc365be7bc41feaa1cce82e82f6016f26ad0666da69a80d8749507ff06290f195a74fb14708606ec2bbe05bed1226e

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
112KB

MD5
cd53e375fa24036958301563689b4e86

SHA1
fc0c6d61429970224da98ae3b123c0d16d63c468

SHA256
212c97d4d52e971abccd7da3e129e02aa391394785269ca0bef08c89b50d3efc

SHA512
ed10afeaf24d7823b664cd19965d804577f411415a49f097e79babde0829ab8ae58075b60e3a101bc4c2407494a48235c2f949690e604b117861a3022dc6fa97

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
112KB

MD5
e61b4f132b708e787e6d85e2d535b74b

SHA1
31c9b82b03f150fd4d9d876f1809a372dd83a009

SHA256
a1e79eee55364acbf75f883d39b7f3b840c707a8a328b304a6ff5bf3eb2d827b

SHA512
9fb028064accec0e0efe97043488b4b42e16bc81d8baaa4adada1f9ed501c526144419c36b7040b401daba01d0002a68d382aef96538a232fdb3c84e674bf767

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
112KB

MD5
29297b067eb1c225fb72a72915819876

SHA1
c6774cf750bccf0ea06f71d68f17c29f0522a7e4

SHA256
001b6f84cc97cbcc43a3883294ecdd2fe939bcf32ab8fe492addf41b74041b5a

SHA512
b4e00574a950e99eb5073315be303b7d9272697b9647809e65487e8cca37e4a53e4e6461de7f83508fc855d308e5deaf3249164e4997f7afe7e1eb1e4d8c7515

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
112KB

MD5
ad0f45b4e8ada163199b6fec363293b5

SHA1
e37fed21c912778c036d8e1c69a3d5b887b91f1c

SHA256
7f663f866307e7eab1ff6fd0fab79d4b4c2cb29f7876f47395d7830640532eae

SHA512
79d39345ffc154330d6351eb6cced4c28e6c4b7304effad96e7f49adfb8dc0858b34d83c2857af8813304146dd600c0a499d71add867b2a66160acce6c157242

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
112KB

MD5
3edf5410bb7016cc5c2522257d0a8eca

SHA1
29d5ab98b921fe369375a17454f3a8732e32aff9

SHA256
e27afd3b7dce5bf74c328b1aa02c9eb4d065f626c62942736260b3dcb1bee540

SHA512
44ce26098292caf6b300fa1a84f2562e6715fa49308fb4c30491eef36a48b1c455a0a4bd38d09aab0e00b98de3de622c64ad79c8e93d3d57e99100211e439da2

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
112KB

MD5
de3343765e46446b6dc391e510b1e7bd

SHA1
1020c7f4a20a88d15e28604ee5463d13a4ace332

SHA256
85c11405135c0b3c44ee8beca1475a2da3fdaedc3503624bab9b9130c35fdbf1

SHA512
be9cbc94046d811b2179d5f1cd3283f6d533d5a2ff85fadecdfeedc9b1b7b6087ba7a48221961bf3ad90ff0f81bef967197748990610d2db4f5434cf74d8708f

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
112KB

MD5
9bd88fcd4b6d9b05c221f64aa9b10f18

SHA1
ce1420de451f9cad366d0c20f2ed3e4e401c3b94

SHA256
22f94f13174e2fadc17dad4c28318450aea15d79c5c0869262f96b1dccb2b19a

SHA512
117b1dfa1da0105bcae6d79579119440b50c6401cf64c52e1d064ffe98d650a89e2782dedcc55d83f3beed1dbea6fd63d656f59f19e150e819ca572bbaccdc45

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
112KB

MD5
67b9425e8170c62ff1c82effce872c6e

SHA1
8e621465317a29e16704d54c7655c91ca1af1650

SHA256
f0e3d12b65bcd612dc252c07e7671d754270bb174fe28e508f36f2eb2db5c9d0

SHA512
f90269d9fd6aa0f1c25da0692f45210dc9bb6aa4e48a50fb559554b8193a5a1452eea6eb5723aba92a3c4013be843790d0f9669bc755e8eb52f00aae58519f57

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
112KB

MD5
4fa9220401be75b5b830a77246abd2f9

SHA1
a8860bad56d6ff56e338b63951f511dba357c97c

SHA256
9db6d11c6abbcddf328a5f3608934c083b62820335bfb54ef4ef8031d98fa6bd

SHA512
39358f280869599376258ec947ef6afdb30e942044de33e5d1f0ddd1d945731c00cf87610f2062c7a56939ceaba602866fdc04fd4b852f0b2f373f739a5f9bc4

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
112KB

MD5
ea710298beefaa951346a2d72367e20c

SHA1
85ff95338bc3cfb670689371f876c28ab2617f5f

SHA256
401cddf167649a4fafa069f400747821a4dbe7a9fe99248d7a1e08fd858a8684

SHA512
c522ba9f80cab2f2bcd35d97e46355b277f888d81cdf8fda5915ed2f545207423401244529ff5489b2a2794ca6e26d05116af2d9a2380ab92c4072e184ad6b3f

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
112KB

MD5
76e99522a03e7762f2ed9cdb2504e884

SHA1
7730d272d7f9e473334736287c71af565e3803fb

SHA256
46c106fe7b00e23432163fb0d7d2cdb02e37b529cb85097c0c286cf8b08a526e

SHA512
eb30448c8b63dd2b397c30a8cb4628723b7b7e43fca72cab6dde6e18f6025bfc68daf5c626f5832be4f73997056af199b5b267ff83b94c8c9e5fa01b6768bfe2

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
112KB

MD5
512889a70a454634baf73bda85b7e0f1

SHA1
56d63196beb4a6ef071ea1eee9ce1986af9a52e5

SHA256
194a5758a3a0e91d3e7a9fff0989208d90d10b6e7833c214d590c2901aad916a

SHA512
306ee5e91748f354a5250ba48b9d554f704220a72dac5b6aefe21584584285b8c1603c57eaf5fb142c3bd3437474ab4ce16e5c777b47dbafec0680bcdf50279a

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
112KB

MD5
031b4ef2fa488dad0b6035e5830c89c3

SHA1
be9f3bd127d043eb4008f1691966a75ef9d24621

SHA256
aed4ba44fbcd113772d5e05cb57424f73f9b3b191776e40071f8a910b3ee5c59

SHA512
f3d4d725ea69cdd0241bb3de35bfdb0e3c20f487790006bf7fbf29c1a499c43ffb9fc9efba2a2256ddfdccccae53040fa2864029f136d8c02f1f54e7ff6f7440

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
112KB

MD5
a19d371035753e700d577f0320a9f7e8

SHA1
c52cbd5ee902dac17e92e7a125437b39e31f721f

SHA256
2ad984a6431bc6baefa79a1bdc8516ac5a386b13902b90e8ae9394e7cdc7f0be

SHA512
203a76e9472fa8c932004a50006ee4d11c7e79a2875fe2c94ec03484a2f3676d0217b4be41dd130b6cb41c2b4485bc5e373f20a15fc7a1100a5fb6aa4ee9029b

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
112KB

MD5
0680663a634de68aacd071c87211358f

SHA1
d56e5a6da76a0a9b133c6cf5120ac16e684fe52c

SHA256
0e5e5ba5c3c47a947f61655f092eebe6e0fb9cd001be79344ba1fbe1930cb345

SHA512
8518a22c12362af58067de9b6e8e7403a458467889237263248141d946c2c26be8eaaa595761ef5b67457a3100c38b8b337b2ba96da3289c9f0776aee17a44e5

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
112KB

MD5
4f22dd9e422affdc576d13afe210b0a0

SHA1
8c07ba7fdde7116c0a7ae6e2c072bbb1a7fd2dd4

SHA256
01c87b7c98ffaa36869916d3637a3df37feccb227fd665d5855c4ec5eb0929d7

SHA512
090aa12ada8ae29ef4e45289839e0ba7689a2c38cb78a5deff6336f2c255ab23038ce633afc58e78ad7555cb8b18170fe34ba27d2aafa00b8bce1080d6454dbd

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
112KB

MD5
03950f6ba6ca1f44333936ef1479669b

SHA1
988ecce449952413fcef2b5aa1bc182b0de72c90

SHA256
2787ed74f6a50bb1d3072b0d28a1c09a37fe2f56d064ac031739fba2791fe494

SHA512
731b73480655322bf2f6b423a064414dce6ad260b10c2df419fe219c7749f096afdf2507187d2198f8a04e6d7710657f4da67fa552524620054f1b0f3363db7d

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
112KB

MD5
dc72ef41b76148b8b09d7ca7c9bb384b

SHA1
524738c516152871ccfd3e0e53e9ff903977dbdf

SHA256
934d1ac9d6e901938e1f93ccaf7e4f68f78747a8db5c02a011f480e3e7d1808e

SHA512
89e916f790cfae1f56d811f89dcb5b9726d9bf7b2e7f27a75efe722befcb12c72c91b72101ddc3193c5fdd936b49bfaf5485abfd69c1d9a23399a5111ba48730

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
112KB

MD5
17bdc29a9199eb9f591bd8b0829bf587

SHA1
00522d0c26249d0d194aa57316f6a2a0e95cbd24

SHA256
f1835fe43eebd7aa692ac85b9cd0573c047504f2b3f91756cd11c2277b3c25db

SHA512
b31b8bba229b795daacd07287b3cd88bd35980a21259098131cd1934d5b9d5d4f6ec1e67cb41f0a271c8be05556a850df9bac2f7c0fd84a7e87c8e4fd8e152b1

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
112KB

MD5
0f780c555a3ef846b9c4988604659498

SHA1
47eeae88b0f459a5b49389ec9e96510b76ced5b4

SHA256
03660bbd0b3677b7c78b5b70ba821592571b819b8a5168720343f85cf7c49338

SHA512
489ceb298e076170fef346bdd017879dfdb0532bc1699f70449a5a6c72979f90ec295aaf71ac48d34cd6cc0fc69521bf661935dd143f3e59a2be3cd130cf2c82

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
112KB

MD5
186a70c964830b618e318a6bf8a3e557

SHA1
b914233cbf97fe7e73ba9cf1ad45d1b520c057f3

SHA256
aff6deae705c5f2eb3d2254bf41a55d819333f2fdbf5b73ec0c9aecc81fa844e

SHA512
d66d17371874e43389b300e997a8242ae309f2ad11009f3d3c7ac40d16ea104f87006e918cace6cffa25d0c20f13633b3114d7b7028a51404f9d179997c5c797

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
112KB

MD5
74f40ccef37cd80f357997d4dfd11c7f

SHA1
55fea4fb887be9b99077d18d6a5c0fade1ad06df

SHA256
f77fefa1592dac3dd6fe0442bb06427539ad38594aa777860807211f6f12b203

SHA512
0a32f1c0afe452bcc30f8b1dfa5ad7356030dfbedfeb14daa220705ee3310b43624cc7abec909d485d295e7deeea058e7ebf16a996c352127f25134b26795121

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
112KB

MD5
9141c465a28bc4c693284ff390b63e7f

SHA1
cec2f03ca0188bf90ebdf46b4f10374d281e9a3a

SHA256
adc6f6b626083303453bcb907d92c2bdcb81ee0769d71da948e78052b1f3ff0e

SHA512
4756bec67c180072e7a6d973422a8c3855f082306c8e770ac9b86b0633102d63a5b143031d95b31fe766fc4f56fa0e94f14342d7614c0faf4e902fcd20883336

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
112KB

MD5
4eff415af62d98e1b57cd6cf41dfe3b9

SHA1
45ea8f69c795472e847e4f458fa104aee49e126c

SHA256
9a6de4312663d98585eaa9d99fc78eeee6eb7fcbcfc6f28b63fc196c53c08c71

SHA512
540a1d023381de446103d4bb4ee7aa0690dddd718433f5e53d3297b7990cbd8b5d89cc00cae89f3d28625f9d745e7f19905c38bde554f44656870bf38734be4c

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
112KB

MD5
586acb5c983e8b225afb9cd847f4d025

SHA1
a1cce9e0306e9b1cdb67991b0985ceaafec8fd64

SHA256
95852c66bbb836b49ab0f5bcd0073559b44b6318bc5868774196e8263e7717eb

SHA512
faad49b7d4e6d4d2ba84acd415186c83f411e15e4bfdf53bd0cf3b871b85608595fcffe9d2940a680594470163cbd73eed2e38efad074dbdd0ff28ddd8209435

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
112KB

MD5
bebe155bf216f001d1e50d515f30958c

SHA1
05d4202172e2cd9407c26b4e3fa5261dd7b3f893

SHA256
2443185f3db34b49172058e6838a01c1722f68d51f5fdb978ae6683742cc8d5f

SHA512
970525e0d6bea25b838f36f12f6eaadc99622c01725d0a560b8093a53bfcfe74479ed15a9ff61fafbf6ae8a261202d7b92614dbc88556774862544a83bb914ae

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
112KB

MD5
5e01960ee2b49cb94b342ba610392163

SHA1
c8f624289ab016d5a182ae415f8340ec13bef762

SHA256
f8c55f5b451711c027e3cf311294b0957d1d6815c917655728ad9a447cbe6af2

SHA512
8f5edb2c7d955fc464f4d8b35fd0e2e38dad582e4815f33239f551b5b0cc8dee463c1a7c79f4b6eb4f44ec782f2ffa4eb93d2c3dd98d45fef82e6a8f22e82b55

Download Submit
C:\Windows\SysWOW64\Kbfcnc32.dll

Filesize
7KB

MD5
e8a9faae8153d7a34292a9ceed90a575

SHA1
20236cd012f84527caf1eaa57191cbf13b2cafb5

SHA256
fcd5a3abc5673811ec045f311e65d003f3aef5d46f92e290f4cecdaf27cddc95

SHA512
3ea3f4cf58c83470b8463a6e0161ffcab06c40c452b66ec2650bd3dc9523a1c86779990c56e3426f0d20715c404acfe48cba29c548e7d1155824037faad93e4c

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
112KB

MD5
8cf07e0912496612de313859b2ad11a6

SHA1
3eab8fcc0cb81d877e2812579fddf2ef42145f56

SHA256
1b0907bbd7a69847c27d037a072e24b4450d63b2e455bf103871713af08b5765

SHA512
ef7c674a03f6ddd1e5a90162f732dc18274e657f2531144a4c002ac575c9cf73ec992e769a61f66f867c6293756276af81981d71b448e547930701e976134948

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
112KB

MD5
140fda5dd5762a26a51e54ca289abb5e

SHA1
653cbd96b4b8ad378272fb14174952e6764fd0f1

SHA256
e837524fb791d2358d75516798a53edf9761456109277d279b88748cc75bddbe

SHA512
495b23917ba3639c0a8e481b559b1e5eb162207b4db1ace86ca2a5749d5b1da3a8a248bf2a95681d35d83f7c1eb67b3e1636546a3a14f734f18a721b01154d08

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
112KB

MD5
ffe18d0d18dfb4555b0a8bc89c24ad85

SHA1
d1a59a6b38e9671ed8fd38d34503bc3e4bba20cd

SHA256
d11b12943e094c805f9132396970e30f7e301dd517ba5b7f4f12942004d6246a

SHA512
a54bafe733bff717f4472c0edf21cde60f51648031adf1e1410a6595f5795c6920c5e388d96805b0cbe6246accfd601927368199f112601f6686693736fbe305

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
112KB

MD5
ccd59a77075e191be842b0565784af8c

SHA1
d1676407ca96f3ed47f7446ebd33637565ff6829

SHA256
4ffa8218120e15dd7f4978868fcb258e887c47dcc7e2fe5294abf5cbdbbc18a8

SHA512
57352481c1c370cea4c8fde3dff0180907653225c0941bb696dbe06638b5d0f07a5e506bb25fcde90890ac5c4b9b8e61ace8d5224c94bbd111d986c07b7c51ef

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
112KB

MD5
0afe8071c5d46a423790f07050242080

SHA1
e57965aa35dbf2118b97006be940d9463186cb20

SHA256
6e3d3563649e66af18580c237cb2d0ef981564b52871d24a61179cf4fe71a996

SHA512
9c1f34240e691f2ba8aafb55acc909d300a49abe6b0d158f76d061c113642a45b79018aaaa7bf60f032b8b911f445fa674fea07f44aa66bdf8ccf0619bce3374

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
112KB

MD5
b37d55970bb3771d21a8565f1cd53b73

SHA1
ef0ea73855e7a341c22d6aff8e3506307863a9f0

SHA256
0592003cb257f6a3345e1d07d730f48869b3de962ec40ce20b173cd2ed6010ce

SHA512
9ad59b41c9164f160e84691191f65d4d4959256f224971056e9c8febc112c8d36cea9100e212ad7b7336ca8a12f19a8481906bd870ac480fc1d364701c19c262

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
112KB

MD5
01e334900ed6705c0cecb1384e63dbc5

SHA1
589b3813079272629786222d1f0dab0a6295bf16

SHA256
5148305753cdab3012a437e4400cc5fbb7814296f9df5f66d44c53136db7ec8e

SHA512
865e541966ebbb641a9ac96c292a26780d8b4e67a384dff28b5bde49233c5a611e594c53986b0751e2522aa922d3f2fd7a790c878f8f7e822816f50dff33ef81

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
112KB

MD5
502b6f2fa873e429132b3a582ab08ccd

SHA1
0bda59f096641ff81bc63b08fcb80d8b587254e2

SHA256
c079d70493504065c0f4f59d8e64835a13ea87f425217fa6f993b9fad5c4c40c

SHA512
f37701747582ccd097b32219bb536648771d1751e2d68460578903d39c38c04131c41422508905dbd652ff3f1c66993cd8082685934d6c4f20611c03fe153dc3

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
112KB

MD5
a504a849b251028aaafe4c4acc5def5e

SHA1
838ddc5947f67dc3abf4c16e833e3e0bfff643f2

SHA256
34ba95d26a68a887a6a8a141b6d000778a42b8c47259cc83c43cab7b1395b773

SHA512
a4373a4c7a5bd7e9256563f82f5bfab188406f6cf0e7b8a13169d2a4f1d595f029bf49998d6fc5497bc43dcc1a456eb77a548630d165e21c15df8980c0daecc6

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
112KB

MD5
6024818708f48852532cd2c3fa2c348b

SHA1
d947178ec9a38c5711eee35a960586ba03a05873

SHA256
da5d5ffc1f06e733af80b4999db609850c42f15deb7a2524384cbe45b8ae061f

SHA512
8695578d3949ddda571044ae5f56bfd11bd0c666e9c61b068a56188d16f3093f0fa13bb66a7dfeffbc6f91cb0b279675bab47e018dc43f924d622f8c6c1e9d85

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
112KB

MD5
c83b2ab65ce557b87d1274f746d79250

SHA1
f5f51b315e9d8319628c14a81de511d2533b65b8

SHA256
0e650ebdf9f165a4ed08fca63e8176921048a8b63ce2b7d9c695c06707942a61

SHA512
a6b80f16f1a1077db9dbac7183d2ac101d36098980a633bbce08f7c22b9e716a2c879537db32b60c15b8abc3380645450db38f4db1dc44160f6a89e22064fd67

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
112KB

MD5
48d1e36387283996b3eb170c52d5eecd

SHA1
524debc54cb41fa3d5c62304b2d05f887f79c412

SHA256
420f5e67f4e1548adda4e36af77af34f347f48121c18746d96b0aabfc164814b

SHA512
8cf2569df0660a08b2f116ac49606b385cb3584c3188309f9b30c0ce7edb2096b4e790aa85e412861eecce82c04e54c8ad395a2eb87142500b4f6ce54ef6ab70

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
112KB

MD5
23ee94b2399848b4ab3d7ea47073ff7c

SHA1
284c5d6b3d03c59e0629c4d665c852a218fe6226

SHA256
53503ec06b86739de5512c3588135534ad8be9f2827da9d7030ef05413830254

SHA512
42a05ffd3815bf1e8f32baee39d1c37dd746a5a5e978d89250183b1f37398d66864cbcb41fe077c1c991ebce15b729d431fd9bb31435c19a37dafd8d11235669

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
112KB

MD5
832e00de6f1d10a9b736a4dd98f8e6ce

SHA1
c0ae2fdda90b8d357e056809254d23e01eed348e

SHA256
5f515fc3a51419a17578060c6e1028b6fcccb488f95611c2c8b4ae600237b439

SHA512
1aae6f0e1b02ed82ef3b6ac0cb9181c55d58fa7882d271521524eeb5c773c6159adab1d19789789b1e60863080209e08681e756625b0ac835383b152ed8f5508

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
112KB

MD5
72867d9847e950710b606775f6a0fca8

SHA1
b79cb4e32adeded7bf023a03ecfef1061da5b43b

SHA256
dae123c2c10783888f2f9a75518660deedeb10b826e618eb68312407829b61a9

SHA512
13b70441804eac06b01f5cdb3c9700ff61753912280693091121ebadf23473e359dcca3bb644572a67294de307780853ce7db6ac1d594939f42889ff4d19402c

Download Submit
memory/272-400-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/272-399-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/272-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/348-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/348-12-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/348-339-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/348-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-139-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/580-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-217-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/748-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-474-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/960-236-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/992-306-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/992-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-310-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/1036-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-463-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1212-462-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1212-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-166-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1484-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-495-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1536-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-274-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1776-278-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1776-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-227-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1920-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-131-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1936-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-258-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1948-506-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1948-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-508-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2008-247-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2100-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-47-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2172-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-33-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2316-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-432-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2332-113-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2372-299-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2372-298-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2432-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-100-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2544-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-426-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2556-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-377-0x0000000000330000-0x0000000000365000-memory.dmp

Filesize
212KB

Download
memory/2556-375-0x0000000000330000-0x0000000000365000-memory.dmp

Filesize
212KB

Download
memory/2564-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-86-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2580-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-361-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2676-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-74-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2684-331-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2684-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-332-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2692-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-354-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2768-61-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2768-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-192-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2848-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-317-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2996-321-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/3004-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-387-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3004-388-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3024-289-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/3024-285-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/3024-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-518-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3048-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads