172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 19:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
Size

52KB
MD5

33448423c8fc27e2ae09176d90a585f9
SHA1

64aa9e93bbb67b231db78411a401eb0757605178
SHA256

172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba
SHA512

23b4b22398477c1f3d20107c984f352087e457dedccfe71c79b3bdc2108a5632235889972d132932dddf16fa5cc205954cb4a14d577e367a63a9b8046ef27597
SSDEEP

1536:KWnkR5i3ScoK+pz+tGrCuymMaDl/nZKGAL5CVcMAdKZ:j3ScP+p+4dMaDl/nZKGAL5CGMRZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe

Executes dropped EXE 56 IoCs

pid	Process
1732	Pgcmbcih.exe
2316	Pojecajj.exe
2688	Pdgmlhha.exe
2644	Phcilf32.exe
2164	Pkaehb32.exe
2652	Pnbojmmp.exe
3044	Qndkpmkm.exe
1524	Qdncmgbj.exe
2772	Qnghel32.exe
3028	Aohdmdoh.exe
2916	Ajmijmnn.exe
868	Aojabdlf.exe
1872	Ahbekjcf.exe
2064	Aakjdo32.exe
2004	Ahebaiac.exe
2432	Aoojnc32.exe
916	Aoagccfn.exe
2008	Adnpkjde.exe
2128	Bjkhdacm.exe
2976	Bbbpenco.exe
712	Bkjdndjo.exe
540	Bmlael32.exe
2412	Bqgmfkhg.exe
2816	Bgaebe32.exe
2756	Bmnnkl32.exe
2252	Bqijljfd.exe
2564	Bjbndpmd.exe
2532	Bqlfaj32.exe
1268	Bbmcibjp.exe
2052	Bjdkjpkb.exe
3032	Bkegah32.exe
2892	Ccmpce32.exe
2284	Cbppnbhm.exe
1672	Cenljmgq.exe
1784	Cmedlk32.exe
3064	Cocphf32.exe
2076	Cbblda32.exe
1248	Cileqlmg.exe
2232	Cgoelh32.exe
1592	Cpfmmf32.exe
1692	Cbdiia32.exe
932	Cagienkb.exe
2968	Cinafkkd.exe
828	Cgaaah32.exe
1516	Cjonncab.exe
2468	Cbffoabe.exe
1720	Caifjn32.exe
1864	Cchbgi32.exe
2828	Clojhf32.exe
2544	Cnmfdb32.exe
320	Cegoqlof.exe
2604	Ccjoli32.exe
3052	Cfhkhd32.exe
2884	Djdgic32.exe
2880	Dnpciaef.exe
3016	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
1732	Pgcmbcih.exe
1732	Pgcmbcih.exe
2316	Pojecajj.exe
2316	Pojecajj.exe
2688	Pdgmlhha.exe
2688	Pdgmlhha.exe
2644	Phcilf32.exe
2644	Phcilf32.exe
2164	Pkaehb32.exe
2164	Pkaehb32.exe
2652	Pnbojmmp.exe
2652	Pnbojmmp.exe
3044	Qndkpmkm.exe
3044	Qndkpmkm.exe
1524	Qdncmgbj.exe
1524	Qdncmgbj.exe
2772	Qnghel32.exe
2772	Qnghel32.exe
3028	Aohdmdoh.exe
3028	Aohdmdoh.exe
2916	Ajmijmnn.exe
2916	Ajmijmnn.exe
868	Aojabdlf.exe
868	Aojabdlf.exe
1872	Ahbekjcf.exe
1872	Ahbekjcf.exe
2064	Aakjdo32.exe
2064	Aakjdo32.exe
2004	Ahebaiac.exe
2004	Ahebaiac.exe
2432	Aoojnc32.exe
2432	Aoojnc32.exe
916	Aoagccfn.exe
916	Aoagccfn.exe
2008	Adnpkjde.exe
2008	Adnpkjde.exe
2128	Bjkhdacm.exe
2128	Bjkhdacm.exe
2976	Bbbpenco.exe
2976	Bbbpenco.exe
712	Bkjdndjo.exe
712	Bkjdndjo.exe
540	Bmlael32.exe
540	Bmlael32.exe
2412	Bqgmfkhg.exe
2412	Bqgmfkhg.exe
2816	Bgaebe32.exe
2816	Bgaebe32.exe
2756	Bmnnkl32.exe
2756	Bmnnkl32.exe
2252	Bqijljfd.exe
2252	Bqijljfd.exe
2564	Bjbndpmd.exe
2564	Bjbndpmd.exe
2532	Bqlfaj32.exe
2532	Bqlfaj32.exe
1268	Bbmcibjp.exe
1268	Bbmcibjp.exe
2052	Bjdkjpkb.exe
2052	Bjdkjpkb.exe
3032	Bkegah32.exe
3032	Bkegah32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maanne32.dll	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
File opened for modification	C:\Windows\SysWOW64\Phcilf32.exe	Pdgmlhha.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Pkaehb32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dpapaj32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dpapaj32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	3016	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcilf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1732	2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe	31
PID 2512 wrote to memory of 1732	2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe	31
PID 2512 wrote to memory of 1732	2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe	31
PID 2512 wrote to memory of 1732	2512	172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe	31
PID 1732 wrote to memory of 2316	1732	Pgcmbcih.exe	32
PID 1732 wrote to memory of 2316	1732	Pgcmbcih.exe	32
PID 1732 wrote to memory of 2316	1732	Pgcmbcih.exe	32
PID 1732 wrote to memory of 2316	1732	Pgcmbcih.exe	32
PID 2316 wrote to memory of 2688	2316	Pojecajj.exe	33
PID 2316 wrote to memory of 2688	2316	Pojecajj.exe	33
PID 2316 wrote to memory of 2688	2316	Pojecajj.exe	33
PID 2316 wrote to memory of 2688	2316	Pojecajj.exe	33
PID 2688 wrote to memory of 2644	2688	Pdgmlhha.exe	34
PID 2688 wrote to memory of 2644	2688	Pdgmlhha.exe	34
PID 2688 wrote to memory of 2644	2688	Pdgmlhha.exe	34
PID 2688 wrote to memory of 2644	2688	Pdgmlhha.exe	34
PID 2644 wrote to memory of 2164	2644	Phcilf32.exe	35
PID 2644 wrote to memory of 2164	2644	Phcilf32.exe	35
PID 2644 wrote to memory of 2164	2644	Phcilf32.exe	35
PID 2644 wrote to memory of 2164	2644	Phcilf32.exe	35
PID 2164 wrote to memory of 2652	2164	Pkaehb32.exe	36
PID 2164 wrote to memory of 2652	2164	Pkaehb32.exe	36
PID 2164 wrote to memory of 2652	2164	Pkaehb32.exe	36
PID 2164 wrote to memory of 2652	2164	Pkaehb32.exe	36
PID 2652 wrote to memory of 3044	2652	Pnbojmmp.exe	37
PID 2652 wrote to memory of 3044	2652	Pnbojmmp.exe	37
PID 2652 wrote to memory of 3044	2652	Pnbojmmp.exe	37
PID 2652 wrote to memory of 3044	2652	Pnbojmmp.exe	37
PID 3044 wrote to memory of 1524	3044	Qndkpmkm.exe	38
PID 3044 wrote to memory of 1524	3044	Qndkpmkm.exe	38
PID 3044 wrote to memory of 1524	3044	Qndkpmkm.exe	38
PID 3044 wrote to memory of 1524	3044	Qndkpmkm.exe	38
PID 1524 wrote to memory of 2772	1524	Qdncmgbj.exe	39
PID 1524 wrote to memory of 2772	1524	Qdncmgbj.exe	39
PID 1524 wrote to memory of 2772	1524	Qdncmgbj.exe	39
PID 1524 wrote to memory of 2772	1524	Qdncmgbj.exe	39
PID 2772 wrote to memory of 3028	2772	Qnghel32.exe	40
PID 2772 wrote to memory of 3028	2772	Qnghel32.exe	40
PID 2772 wrote to memory of 3028	2772	Qnghel32.exe	40
PID 2772 wrote to memory of 3028	2772	Qnghel32.exe	40
PID 3028 wrote to memory of 2916	3028	Aohdmdoh.exe	41
PID 3028 wrote to memory of 2916	3028	Aohdmdoh.exe	41
PID 3028 wrote to memory of 2916	3028	Aohdmdoh.exe	41
PID 3028 wrote to memory of 2916	3028	Aohdmdoh.exe	41
PID 2916 wrote to memory of 868	2916	Ajmijmnn.exe	42
PID 2916 wrote to memory of 868	2916	Ajmijmnn.exe	42
PID 2916 wrote to memory of 868	2916	Ajmijmnn.exe	42
PID 2916 wrote to memory of 868	2916	Ajmijmnn.exe	42
PID 868 wrote to memory of 1872	868	Aojabdlf.exe	43
PID 868 wrote to memory of 1872	868	Aojabdlf.exe	43
PID 868 wrote to memory of 1872	868	Aojabdlf.exe	43
PID 868 wrote to memory of 1872	868	Aojabdlf.exe	43
PID 1872 wrote to memory of 2064	1872	Ahbekjcf.exe	44
PID 1872 wrote to memory of 2064	1872	Ahbekjcf.exe	44
PID 1872 wrote to memory of 2064	1872	Ahbekjcf.exe	44
PID 1872 wrote to memory of 2064	1872	Ahbekjcf.exe	44
PID 2064 wrote to memory of 2004	2064	Aakjdo32.exe	45
PID 2064 wrote to memory of 2004	2064	Aakjdo32.exe	45
PID 2064 wrote to memory of 2004	2064	Aakjdo32.exe	45
PID 2064 wrote to memory of 2004	2064	Aakjdo32.exe	45
PID 2004 wrote to memory of 2432	2004	Ahebaiac.exe	46
PID 2004 wrote to memory of 2432	2004	Ahebaiac.exe	46
PID 2004 wrote to memory of 2432	2004	Ahebaiac.exe	46
PID 2004 wrote to memory of 2432	2004	Ahebaiac.exe	46

C:\Users\Admin\AppData\Local\Temp\172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe
"C:\Users\Admin\AppData\Local\Temp\172d3f070f5bf0b8077434f5e42d7f6107041dd603821a60ebb0fef03c5438ba.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\Pgcmbcih.exe
  C:\Windows\system32\Pgcmbcih.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\Pojecajj.exe
    C:\Windows\system32\Pojecajj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Pdgmlhha.exe
      C:\Windows\system32\Pdgmlhha.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 144
        58⤵
        Program crash
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
52KB

MD5
76128c2dd917796e538058150a2a0fc2

SHA1
d4f0c86e964faf92d412cc516accbfb91a02e6c5

SHA256
797cf309782fd53f9cd39c34e692bbc35bad15b03386c37ee1c0bee27e4ef608

SHA512
72ace4cb13be93a7f31fb8faf9605713310099222bcd9abf3449c0ef6f0d28fbec6e5596aa425bb5ad34756ac1c60c618de567acf500bf87328f4d52960dab38

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
52KB

MD5
b711257b89aaa4ca6fc2ce23096e3ddb

SHA1
4614dc60e6ba86e8a591d331455a8c349398bc94

SHA256
5b0729096405a913d4b3e95d4419f0a1eb6c4aede5b1a4481d9a69fc819be0d2

SHA512
28593c9710d22b46c248e1bf19f09effacb23001d73cd867786e1759938938003d9a202741a14a23f66c478e9fd4503de54f861d2b521a9e829c385e8294dbf9

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
52KB

MD5
9aee305f6d2809ced8e2ab51773f7c6e

SHA1
a14d677cb3b714602d994264be927e7f358a71d8

SHA256
471070a92d3a7f52308e4c71322e7ccb38ebfa1fec5cff2782cecd218293f22a

SHA512
1572579763cad8208b39f7cbf107807e580a33a0d3987f08475b8d96f3e59e4852ec940b652dea4fb71cbade86f7ca922da01a31fe2b4a6d486216b31c5d4386

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
52KB

MD5
99b1317684a5952a194bbf4469e9a063

SHA1
1d53e71f2740fad916af26b0fc8e7b9915b2011c

SHA256
ec43577bf2d2fd1dcb649549b31e41ecbdfeef8018303d6c824f5e66f5475088

SHA512
a6e5dc06f1aba6eefd0b0d7ca0f689c7ac7b620805ee731eee0418d2c14d77b5e7fcdafc1ee7ef96aa23f1a5c7286a4724aa4ad84b228c5c5d9cfd89e9d8f875

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
52KB

MD5
d0e6626b462f56fb6d5e80ae741e124a

SHA1
1c70fa3813d5ea9210c2d5d5c3bf5c420256f692

SHA256
cfcec2163bd1ee12a9d2502b9a3fd76faa87988e7c605ae71d5fc350dacb25a0

SHA512
47744c775ad730a1c062f11145b79462ce211bc26171222672c7c398c4656ff277bf5fa280db5da9114712dfe4b7b1adb921b853d3e01ae514aca342e3bf3ea9

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
52KB

MD5
2368f15557aeaa99bcfe9c600412fdf2

SHA1
b6d753d83e336302aa2b34ac9bca6bae21b1a5f6

SHA256
95abe4168cc9895af370e1cfaf0de47a01792be7f5925558a33d37ed490c3331

SHA512
604a853ba3934b091cabc6e411a3c182cee3b84b5fdd45df70c6623a5d8008bb5088711816c804d1fa5c7ecccdfa3396d27b87147078d53050f296cf8ba9841a

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
52KB

MD5
32e774ca7c343f5776b5ce6a4f3b3644

SHA1
c89c43d51eda3ac54699a65ac04401aea6f8087a

SHA256
de525812c4ad87ddab3852ff72d47a7a329d53ef6511d4afc9db5318ef4f0247

SHA512
f38db0c92d5ca7e4e57dcfa718c3cdba3348a8629fbd47e4d82b2eb53260e559ba55b5a2646e5b25f8968c9d4395ff01f07e84150d3c10cfbe727c2a1e311803

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
52KB

MD5
f2c52a10bcf384a5dcf69c55307b6d40

SHA1
1a8fd7e626a2264d8700d4a86af2f57f0f22d772

SHA256
2fec8e85f462605cfedde70318373989f8573f73e1bc191a4ef7e9ffcdfaf608

SHA512
2faa92a2ce857bca6d5a01f1e708aa1587970f09160cb1df59815a41c396ee8570884235893c33aca265fa8e89592e8c8e0da88dec95df195fbaf3fab7bcf2e7

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
52KB

MD5
356db0d6ebc35083a8fe3dcfbe936c68

SHA1
c13871d15dd86f793f2db0abd27691f41efe0e30

SHA256
ff1548217ad2acc47f1ad5673900bca79a14aeddcd08e1271ca0ce5654d1b833

SHA512
e87a47d22bb372bab7f228943873c2161cd8194ef94e2c629ee55e701e5f14e64e4640936fb9e1d97ae67daf2ca573993ae45e16b1a40687fc9744857c78b6f1

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
52KB

MD5
107426aa790cad85ca0b8bf2570c831a

SHA1
9ed8a0481b99914c0d6d94ab62d514467fdabdc2

SHA256
0155088f0b6d3e92194a144e655563a4d04d79fcee2d2e9110ed0b9aa8fc6716

SHA512
83a5fe15e891085ff234b42854321838fab4d3488ce378f04689ecf457ac8cf3c7737e06e22699f66fd5a1619529b1909ad033c75db07effb72e3194257c69b1

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
52KB

MD5
1b6ef5f6b412ac73d8a064975d81930c

SHA1
d5babc5efaefa055920b4290d6dd7393f5d4868b

SHA256
cd2bfe417a0c2d1e24e77af7b2493adb09f4192e9f7d755cb0c7eeda6193b09c

SHA512
1cb96777d5e9a4c0653f6e92a2500fce6dce13ac9044c47888d7ea3eb46c2a3efbdc14ecf4e4341d63d0c20b23c4d725ae77e49c70c889fa9e75408c324fefb2

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
52KB

MD5
a01f0ef7154fe88b1170d9a2d55a27e9

SHA1
3e3914bb05be6e27cd317755f1764503479e6d98

SHA256
513e20e45e37d13af642e3696e01aa3d9641fc4a21ef58c574784d7a3774486b

SHA512
aed76f9e5faf5dbcde10ea84ccf66aac5310d443f82e76952f28d20d6cfb207f1baea5e14b3419db727068b286542f2170b153b6dac55b6e6c50191f895e5ca5

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
52KB

MD5
ddc59b6b19bbbdc58b54866d41cc1737

SHA1
2a0caa0a5bfb1f07003998b465c18d2a649dd27f

SHA256
664145f1911e65b3a3ef7edf7812dab46f44a2108455d6aa8c18d5d6d40aadff

SHA512
28909c5fa948d38fd82135bea69da55afd353357002f5b2783c296bfe99aaa3ee3f7ec90cf1b946b3c741da0c7d2673a1eaf33dd1f6571dc18001164c056c633

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
52KB

MD5
db80ba2271d9c97546a0aeef830768a0

SHA1
3181778e0ce76be2d513c4fecd8d3dc21223e4a7

SHA256
15dd5398a09d970d7291aea8b30068d3b0c467e0f19eb627fbd57857921beeeb

SHA512
60d13c1776bbbd7915ed6b1320369739c51cb17302e1371270749cc9ad2ed29b7a6ca6aae9a9ea57d8290c48b67bcdd3583b4e8bb23afe42c39d87edc37ff9c0

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
52KB

MD5
6952f9c86c213eb1e1a77b2df236b764

SHA1
41a44cba7094467f41e5f134cfcddf11659553a7

SHA256
326a62c7b77e978b6a6f0a07959a7791242f9d7a5c19c9b89a4356d18a123347

SHA512
ba72c8bd6cf048672271a6a785852af64d91cf0e3b84fb4e07a51fa8756f910e55b8697863c83dc4bbc4f15d9072fda8b065ab10927dabbe12f0032e72d9a34d

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
52KB

MD5
42d1130044e9cb4edf3a5198f7ef9e54

SHA1
818efaf2f2b24413982d06f99d01b40b6bbd36fc

SHA256
023527b389408ea51006e96e0577997c884aaccfe07f7eb42e301a436d080bf9

SHA512
b384f4df55ba881a43b80072d092962f77697ea43097a24a0521219dd83c4f3dade32b8644a0c4199cb0eb4a1dda87ef77568d16566157fde478eb1e4ae16a2b

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
52KB

MD5
76ee9e61027486cb7b885625ffd6d7ef

SHA1
e5f12fd1b3d1b0ff07b7e4383d09aeb7cd764ce4

SHA256
5e4ece7ed97035228d7acd6a0b50c709c8d692ab6fe07945b0c0a7aa3ff8a0ac

SHA512
9f162af59d66f10eb455edaf826299fd01601ea62fe17cb3d5fee19bb64411aa3ae535d0ab25766e7c4288fd44d98670d85ff3b5b663ff8ad3a43cc3a912a298

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
52KB

MD5
cd5ef0762de83613a1d582c04b367c65

SHA1
3f2ed0e35e469bfe3ede4770cc7034fb2e76a918

SHA256
b82f5e0fc497b64912cfdd8c479bc498ff9e081ea0373615f2fdc338496df653

SHA512
ec9bd88d08acb618a6af283f0ae973ec28be45a821484842cfe12c0b9425c925fc9b6a4805832047beb6b8632e2a8a016e8a83e5d9c65bf59a5c0b6ef7c7fb9f

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
52KB

MD5
ceb6f5e13b24bc610c9b014ee8b5c2ca

SHA1
e08e1f71015c5e2e0ba0af92ebd2f68beefdba23

SHA256
79c29d9ab66ba39fd4adb025b1988c34d4127443fbd211e0211007f541bf6a0b

SHA512
d99ee91e12922289221a15bdf8e22c33bd19a8c552667429abedc62fe75bdefe6245916d3c68d3ede1c0084900665d2bb088e22320d88eed5a7309b6ef5ff747

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
52KB

MD5
88a21c32a78a1bb419615a705f45ba5b

SHA1
dccfe24d33eacd914e72e87a5370cca9ad142026

SHA256
b2cf6b9a081ed98c1588953f72e1a663b7170fd71979677e5f58efed583499f0

SHA512
45775acdac7399f96218f43fa90597f5ea661ad8c5e80a5521ae3bc46d59ab43d1dee62e7f5ea1fa37005c1dd09f72c75921dd55ba1ae2cb04bbcc42652af9f9

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
52KB

MD5
dd02193e01eedd24a94d3d814aa78ca9

SHA1
2171b5feca7583645606e37d22e004f04e7605d6

SHA256
fec9f4f4dc1f92f60c7f3d282b2258fd507b00bfe085db77182eddc54c4bf3a7

SHA512
1b5b62b1de2d957f86f22971c392a0fce2db5a03f9968ab280b1c2cf041f7ee811b6a21b5c236bc7e137bcd2bceade9995819898c143550c1f4b4131b9d79c9e

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
52KB

MD5
0c11fce2c3a138956608bbb9b226cb86

SHA1
731aab8ec5c3c92b03db355f8ca4956a5f55bb51

SHA256
a6c47a83500e440c07d02526a820c1c095894367f1601f1bd273b87c8f1e5078

SHA512
80b38a5fc56543e5d0927d8be96e3f2a753d2f9794a1b1a0ecd3751f9a386d5a62736f1d8410af9e9735321ad00b67c00c4941c5bdf3611c28d94fbab840cb54

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
52KB

MD5
4ef063d695320374c00cb967aff74252

SHA1
1336ec6d4352b8de534ce69928350c41c4bc2d70

SHA256
e60842bbe3eff4bfc0cc190d5a60cb555bbf9a6437ddf5b2c8c8406e7c929df4

SHA512
3fa5c70128e1ea29807b0d304ee99ef338f669f7cd1cb569e2fb69c98f64f306a96f87584d7d6648f494acd5bca7e7b158ddb39212d48d56dedd09aa9648eff7

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
52KB

MD5
2b1a22d65f0f896ac365bbc342d22fe5

SHA1
33b4ffbd7c6e845b840316d0d6f601cd67095eed

SHA256
3b3dbd2f08d296d9ffeef8a69dab122d68263cc5314d058f4b259fdce053b4a3

SHA512
33548030b503b250592a228d37c596f83c93b8489f06c5e209bd35505233f1b15a3fbb3c4db88061eb27ba28828b162dfc2d08c79f7ec353b42cc6119cef8959

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
52KB

MD5
855060a60373e97d99ebf6a3d618f422

SHA1
8f65272c892549b71adf5a22f11bf5d1d2ac277c

SHA256
2eb6b2b1512994a5d1dd6b1dec9dd958ff7dec8fa4bf64b586ae324972d6f252

SHA512
e73ba70fe97a08f85cc8c78dccb55ae71d2a77105335d2bcf907629f54bd5c5b9aa200795abd25cc47e883b75a13c7f5f067a8e342fd86b6c3e3dd96c99d62dd

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
52KB

MD5
19d6e6697c71fd428fec8223cf5d712c

SHA1
a2f9789b0a95ec2c39139ea79cffd1411a4fdc4f

SHA256
b6b8b99417438104689c21a501d59ee1e31d22abe8c19efc900142a465fae051

SHA512
318b3850f27f73185413cea575fd13e6b8c90aa1c2ad9ec9d096a93f083ce2f1135ecffecacac3dbd5aefda70a9a28bbc2a8ce1319f2507420fe1a0eea9f61cf

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
52KB

MD5
0a0ff6d17cbe995246db3170fe16e1fb

SHA1
73130744bde03523196ff1a2c56f9a242fd07721

SHA256
5997e7a3365ecba34582493fb50309146c18721938f2b97ddb1ede9809eab347

SHA512
be5cd6f6f0c605952a6e3e8b1afd41839deb8888090c929a823b43813b2a651e7793abce537c967de454601d522524ceda4eddce31b7bad4a0458904cdf84410

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
52KB

MD5
070091fa4c57556d2e03b81844b22d1a

SHA1
dd6372a4980d5052a3ce51e760b65fe80084fa1d

SHA256
c31281f544121f2a2e7a0f5e9e52e964de1b4d80bf8f28f668cbda8847377ae9

SHA512
9513e69efb822914e9c4eb172d81c59cc1a4a6bbf62264b3bafccdafbbf53cff44b0a0ea765d3dbb96640cf3b9f44977bc0917e40731e9759104612bd0f87e2e

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
52KB

MD5
907b8ab095c4ce609933c83cd11810bf

SHA1
56684f0663330bb38c6dfef778aaca3406199f75

SHA256
5b71aab9c6186253db10a5ad0e1afeaf6bbac1e236a59418841f622dccff7bc0

SHA512
b2ef3ec913b428bd613f82e8e1a6fbc5176874c4dcb061364ef44c3025f599e346aad791fda102a49dd91bd69330892216b58a10dae7ee18cecd429b5b2642a7

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
52KB

MD5
0d26e258fbf67001940fd9e38f13f574

SHA1
ba9f1bfc779ca05314b6165f1c0433a334db1ccf

SHA256
2bf6bd7dbfd9bde467742249e11756217feaf7f57da34088abcb8474d6e79fc7

SHA512
433826a6ac9940be8bc64dcfc78f19d9da30c3d1c6bce3f198cfb1aaf5d272db3adbd4c53ee28ccbfc1e4a5e0ca8f26ecaf3cee24d1ce5ad3de63f57b505de48

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
52KB

MD5
4ed990138eb46c055363ca70c964b0a3

SHA1
ef6b4d0f81ffeb6df0742682f1b81e28ee8d3f8b

SHA256
af59f06b6b3db29f88d50cef699fc194ae58532ae05e1fca056cee40f67f2485

SHA512
7c865a94bb96e13f9c7eeb05b7d7841f430735f215b0387731683593cb214ee939b62a4b43e6ca43a450b1c733a0cede9c724c4f68033ad25b67737fac107bc8

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
52KB

MD5
c8ab4cc8b8198077d9fb9cee05fc549a

SHA1
d32e44163956cbc2fa7c8b0cb2ce6263b91e1d3c

SHA256
90165dac6641d20f4adfd53de3f867cc0987143e93e88ab3206f9a396b4b02fc

SHA512
253a2ce82b65ee16dbd94efd805c2f94cbb2f580a2a5888d3483b1b122c666cf22899ef31dade2abb6b86587c7fd40e87d4849122c156a6319cb607bc6557d96

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
52KB

MD5
d627a3c22a0c1156a5c98c2d2c5e040b

SHA1
d9de9492b5906c1c0467397422bc49908e9e6999

SHA256
6efaf82c7e5fa5e0354d9836f8dd2689f38f8b6872e24e73e87e03428bfbe603

SHA512
bf802e36414c31da2a43eab8a2b2c9b123e82d44551c7eac95bbbab701a904616c53ac0279e7e52bc144594c95e9209eee3e083b08eb5722a1599d4a85181a65

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
52KB

MD5
54163f1f9cc84f62807955e8a03be440

SHA1
593c8e486f375ba4b76df76d933992efacd1431c

SHA256
86f8321fe11de64ca5efebfd6cec1b5f558d1b0b1baa0f4795b9df69f55dee16

SHA512
b79735276a52d1bf75992e7e4f895edbc76fd7c169545b8c0348e916fff66dbd8a358d77d304a22ca039990f2e70d12b097f8656d60c60c2f01df1e97f701269

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
52KB

MD5
6ba569712640aad3727b5391b62f97d6

SHA1
fb3d86864cb30bd03d92526cfea94e5a6b3b538e

SHA256
63beb912066c898cd51ae7d2d78d67bbd73ec690ab2a123da82c817aeae43491

SHA512
06985d10d80d47a40c6e6833d763bcbb28cd0cb923c033c72c1c477de0c129c9f352db9728751fb52b343d6e0740bb845e1d7fc19de37466a103ea5bb1a65fb2

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
52KB

MD5
adb73aa5fdb6dbe67dd26e78af47f61c

SHA1
06533969c02cd5071e75911b25e79711adacd10e

SHA256
f8fe84d32b90f4264407c0274b3cb277c2c213982406e75649083dd48f172bbc

SHA512
c27c52fd7602f9d89b299822061d376179e235ffcc5e4620bffbc5b785943bc81efff9368ad1f77183e76d7ad2d04976dd3e16e23b4118ee16345df62d6e3883

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
52KB

MD5
d72f8d2b9090e64d2ef6030c69497e08

SHA1
a7b7fc9dc4be3df2678326bb3b03dee3304959c2

SHA256
68d52278c715f24167a869343889d5ed7e2e37ce57224ff67d6c148c5b50b947

SHA512
30ddfc18b1ea19475580c326d13aa4e32d707d1ff39a840e62c3a3c184646179cf7de6b6958c14fa331de3f5bd7d23d9f6ad69ee8336a6f9ab7dd7befaf18e8d

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
52KB

MD5
bb0867ef59999934397426a952a6750f

SHA1
a0ea668852d594b9fa9d4b327e99739efc40a862

SHA256
0af0b1fdda4dfe64b1f088bf96e05b890ca33948160bbe93e863c28f87069001

SHA512
132ee847c9af7199c3539f23bf5e4f25c462e2c02b26da3a43e42734daed4e80a4c39aa73209291f33a0a112d875eb528fac504eae5dc68e12a49268c9a40728

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
52KB

MD5
399a9f996512899b40f883c7d8a72f92

SHA1
9f32b8f9708aa339303a3dacfea54f5f074d93f7

SHA256
9c3eaefc243ecbf9df9bc87e4c39ee52b53a725f6a26f109d3c9b671f1f55414

SHA512
abc5052cd6a21a2d7f66789660d45847535ce0495685fd2f8dd010cc8f11e3eb1b23d7099ec493a48e75a96775787ceccf8a4ebdf3b8c03339d0995aa32b3596

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
52KB

MD5
3647772bb3b558c766ba86906ffc419b

SHA1
513a79f7e9e2d82d8629522939796cbd37859a11

SHA256
926ba707e6b3cc916b2d8520bbc55e717da9250e4ae48ffa2e4b163bd350270b

SHA512
a86df2cfc29833fd33849091d999f3ab6e653c3118da6a32fb698a8c3808bcd40eaf7ed4d1837805d52de6efe56964bcc4fd6e74d0ed4654e12774e90ea51809

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
52KB

MD5
60e818053b42eb2e2d3c3509f3e0b69a

SHA1
1194a4ac5fdae2a91805b0ef24dc8bc0264ba60f

SHA256
f3517def9bbf0e9301b1916404cd8d33c12d1cacf69a78203815ee935db8f4cf

SHA512
59932a12adcb1f80196c6db1e2d5e9192f2645ae92faef7fcf42f951e33fd8be3164bf9633b854bf264ccdcc10ba7fc40887808d3bc29e5aeb905c8db7886fd6

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
52KB

MD5
13a048e38eeb6ac3ab6df8d67ddfdce9

SHA1
81275f3a1844d22ddf0eec6061d13183eab9d219

SHA256
90104050b8a9e47ec1e6d776f474698f75a8d1c64f8532a0a63365f1415a6cd0

SHA512
fd1e39273dbe0bce45b694d46b452eea90c805b7907b5f2609bd14fcbe9f25c6ed8613ed514b32b64e47d1839b46bf314e5e3929f78fd2b9c514499d8ab20773

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
52KB

MD5
9a6a1a0173b3587f881a8a0598fa0fdb

SHA1
4883848ed748d8fd676bab5ad5744bb8a974de94

SHA256
b29702166fdacfb6c57949de68f87909f633d79cb801ac51e94ff12efafd1288

SHA512
6831a88f436f2ba6c35063bf36e5cfa21425be9b140eb3d4ac3db74b2cb40126d1a52f21ff39a7fbab78cc083615c6d31611d57fe05308adf5f535b03a09ecd3

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
52KB

MD5
b2179f43001a9f855e4283fa5b955aa7

SHA1
2d1c758dc73009530617bb82cc8b2de441f82ba4

SHA256
ac33940f845630113ae81dec0cb43d0b7c4c7653dd57deb620df4704a784ae86

SHA512
cd58651a1002f776bdce91a5433d89ee997fc4cf7bc289dc215626d3bfb2e6ed55cf338c4d144b7d0d5cb3f446bf244aa287d968ee776af7f082ac936e4fbff1

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
52KB

MD5
78b4f9027c18a6dd649b90d3e443ba28

SHA1
22f7e26fc81493c3e038af866516456d3f0753f6

SHA256
fa316bf15a0587f772cd34da7041f7120290b2aaf4a7e14cd3ed0b15651ff4b0

SHA512
922144ad5339daadd64387e0bc6225c1baa2e56e486e5b545b77c93f583bd295aa025c3e59430ebc4f27ca2d8e28ab769b546394ad1237f7a7cba4c6481bddd0

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
52KB

MD5
cd2fd8952eec973881f43b0e68ce2e52

SHA1
143ee1f35eb28b762afb17eedf0f0d44fcb24c1d

SHA256
73ab965a3eb01d434a619d55ec2af03dc62ce56acd5d525ccb721daf0c7db7d0

SHA512
5397bef4b011ecd3920eb09b61f566e5f21d52ed75674c24d4a4bd86f6f3821fbf550a23c8635491eba7b2840caaaa32313dc77a2ca65a0f3f5fae9d2e3f12cf

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
52KB

MD5
1f36dcafe243bf6c747c987a8b81eace

SHA1
240c7bf34bc229ef635b4e03681199a380126f10

SHA256
fa17e4f2773ced10d2af34fcdbe3534d317e99021031eb41e5e07786f0cd50a5

SHA512
4932adf73d38c0aee9cccb136d23cfc99feb86b348d1232cbbbb2ce568ff22c4ea0fecef134705eb30bd34feef534f7960ca8b719079632ab52474137a7a3d65

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
52KB

MD5
ead4169018eb7cb2f83245a89ae2fc7c

SHA1
583e1a0f69e491c9de35a8b70ed476f4769381fa

SHA256
9153713dac7b334927faa29c50fae941fbaa5fde81f612d627635cafdd0b68c3

SHA512
44eaf738b93e42db575a3685a6a500dde8bd0f1304a055df0002a455aa5eee518a89372dbcd610c5bd2c402deed51684eb2ce20726ab6e9590b76074ac08c743

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
52KB

MD5
ef7ada4806ab35657b6af0a9cee52112

SHA1
4884d8cd0d662e62ee5c8ecf4bfdae7cc06892bb

SHA256
b8cf14f914228100da3968b6cf0aefee2a2c72ab1dfacb89631b8424c1a15b8b

SHA512
b2a761dd45b2b17d861aaa109d5c24e9ce3670b1c90043bb3f2766c3f4fcf589ff6dac6b69873bcfe5c2d7c9b5ea84bebf4c2e14d03793a328bc76207e511ca7

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
52KB

MD5
bd418be5fdc8af54a1bc792d5d0551aa

SHA1
ea5466a449af4da9dd545d974365819d3ba21447

SHA256
23e5ad651b59fdf35607c3ec2f85f4fead26004c8c40815a4fbeab7663f2c5a0

SHA512
75653eb9a112d52ded12a9c356a4895d652c2a22ed477296bc4fb8b146df804ece472d4113f231e9454451f12b6e844aa9f3d9fc4605e10bb48a5995670a0c8a

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
52KB

MD5
c611085661b6e925ce586e4220addf4a

SHA1
3bbf07641522fa8c8ea93d49c7551d35509cec7c

SHA256
8fb358124314e40d9e51b80396b14a91d27f68de79412c9e3bff1a0e88b32d7e

SHA512
de49deee54a68d90308e48e1fe4a0c2a0125cf7634f135f28ea36853992d0e0939a361f2b7ceddeeca9015220c89f4c2b6eb56a5b9aa0fc4c445b94866e3c831

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
52KB

MD5
962e6522515e5149ad996b28259af8db

SHA1
99ceef9e3feacd61ed41583291f44e7f20e26736

SHA256
51f33797492948b6c2c9fbcc20992d147f9ae87b7fc8f9c731d696d27c06f72b

SHA512
df6437df73a65a48b9644cdc5e14d28c2d15c5cde2335b2f1dcc149a26e8310d2b032b8768e898ff44799f62be7b7538f5d896214e01af6ea4b1a9cee306680a

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
52KB

MD5
643489aecb896f4998b6e5a877851689

SHA1
43029493c4142d2f17088af8cb1238bd18d4558f

SHA256
907d276447b51d8f83b20a730802b91967dd8f33acca0a3d15df837fe89f8571

SHA512
1e7e42b764162aee9e05f1cb102f3fdb66a7cdf42fae6dacad7ef316d2258c20b247fb75e1485d456bce67defa3524abd2b38b10c045578f714d41027a29fa54

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
52KB

MD5
43f032585df8492cf74b15652b7b781a

SHA1
0cd5196e8b67ba99a1ab30d7c3be5daf1bca871d

SHA256
2e8358a28fcfaf2aacf4b97c60e487e69f4c22ad30ead13c30f9f9c820f48737

SHA512
614a3946abc523f64e2d5c2b5440910fdf33a3cc2497de1418c4774148d982ab145ee632fca3aa4ae84b1c1c96698327a474586560d70c4e40f2cf7b0415de09

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
52KB

MD5
b4f1788ac31b6378cc412d71d157a01a

SHA1
df6ad45c789f85da503cdcf7df79b19034bd9c9d

SHA256
7c9cff93452fe53189da2b97697606bdfbc5858be02c01907fcd13fc2389c7af

SHA512
eced97fb68527f6efeaa6b2e59b8aa8263b3c4f7b458c9b19d822e7d82367e2152e6bb79763255066bd287ad036b4c4c72de8461e427a6de7c3fa05e80c102cb

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
52KB

MD5
dafe4b4c965a8ab25cfe027ad868a5c6

SHA1
68430e88f6c417c6bc97ebc9cd8a6374527f5771

SHA256
f0c99f87394d8cb5bfae88a582ca1a5d11c8ce46e543cc53a116d04c0e513858

SHA512
0873897797c7613e7a9dfbc8c57f89290af08b4a2ed85762e7a37cbd01b47dc10d89630c92c4fa4047d319b621eff1f739eca589a31ee579aa95a7c27d850a95

Download Submit
memory/540-351-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/540-352-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/540-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-308-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/712-307-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/712-340-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/868-186-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/868-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-239-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/868-193-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/916-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-259-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1268-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1268-396-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1524-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-176-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1524-123-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1524-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-26-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1732-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-270-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2004-271-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2004-238-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2004-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-237-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2008-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-269-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2052-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-407-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2064-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-217-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2064-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-285-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2128-318-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2128-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-82-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2164-81-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2164-128-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2252-360-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2252-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-253-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2432-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-249-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2512-55-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2512-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-11-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2512-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-12-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2532-382-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2564-374-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2564-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-64-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2644-113-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2644-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-95-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2652-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-142-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2772-191-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2772-143-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2816-375-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2816-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2816-336-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2816-341-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2816-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-174-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2916-215-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2916-228-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2916-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-173-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2976-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-292-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/3028-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-154-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/3028-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-111-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/3044-159-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/3044-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads