e8be4c00382c21d0e05be3b33fb4e07bd9e8a6779864f2ad95aa4e5be98381fa

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad50ea267bd2a726a959637269e410e0N.exe
Size

90KB
MD5

ad50ea267bd2a726a959637269e410e0
SHA1

2e5d2fa82b1550a5ae07f2f8cb7b92516fcfce66
SHA256

e8be4c00382c21d0e05be3b33fb4e07bd9e8a6779864f2ad95aa4e5be98381fa
SHA512

dd551687bb170a3b3039e12f8b31514d7c5d432129c4027385c0ea628e51d92927fc0620fb2e70bc461fbdb22f515b23dd8761241c91f82fe426b8adb4dc598c
SSDEEP

1536:m8ruLqGQOvTQQQpBKzLmWJbU1pcIyuKTN2rszok5LpWFdPepnjKTGvu/Ub0VkVNK:5mLgg/mWJCyIy0I07WOGvu/Ub0+NK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoicb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohiffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoicb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe

Executes dropped EXE 58 IoCs

pid	Process
2088	Ooabmbbe.exe
2724	Oekjjl32.exe
2984	Ohiffh32.exe
2740	Pofkha32.exe
2716	Phnpagdp.exe
2564	Pkmlmbcd.exe
2560	Pafdjmkq.exe
2092	Pkoicb32.exe
540	Paiaplin.exe
2328	Pdgmlhha.exe
112	Pidfdofi.exe
2316	Paknelgk.exe
1692	Pghfnc32.exe
1120	Pifbjn32.exe
1784	Qcogbdkg.exe
1916	Qkfocaki.exe
1928	Qpbglhjq.exe
916	Qcachc32.exe
1652	Qjklenpa.exe
1940	Apedah32.exe
1732	Aebmjo32.exe
2496	Ahpifj32.exe
1548	Apgagg32.exe
2392	Aaimopli.exe
1424	Ajpepm32.exe
2948	Achjibcl.exe
1540	Afffenbp.exe
2732	Anbkipok.exe
2692	Aficjnpm.exe
2992	Agjobffl.exe
2600	Adnpkjde.exe
2924	Bnfddp32.exe
332	Bdqlajbb.exe
2036	Bniajoic.exe
2364	Bqgmfkhg.exe
2040	Bfdenafn.exe
264	Bqijljfd.exe
1976	Bieopm32.exe
2196	Bqlfaj32.exe
1900	Bfioia32.exe
1992	Bkegah32.exe
1924	Ciihklpj.exe
932	Ckhdggom.exe
2260	Cfmhdpnc.exe
2968	Cgoelh32.exe
1440	Cbdiia32.exe
1736	Cebeem32.exe
2116	Cgaaah32.exe
2944	Cnkjnb32.exe
2676	Ceebklai.exe
2800	Cgcnghpl.exe
2708	Cjakccop.exe
2556	Cnmfdb32.exe
2468	Calcpm32.exe
2428	Ccjoli32.exe
1588	Cfhkhd32.exe
768	Djdgic32.exe
1572	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2416	ad50ea267bd2a726a959637269e410e0N.exe
2416	ad50ea267bd2a726a959637269e410e0N.exe
2088	Ooabmbbe.exe
2088	Ooabmbbe.exe
2724	Oekjjl32.exe
2724	Oekjjl32.exe
2984	Ohiffh32.exe
2984	Ohiffh32.exe
2740	Pofkha32.exe
2740	Pofkha32.exe
2716	Phnpagdp.exe
2716	Phnpagdp.exe
2564	Pkmlmbcd.exe
2564	Pkmlmbcd.exe
2560	Pafdjmkq.exe
2560	Pafdjmkq.exe
2092	Pkoicb32.exe
2092	Pkoicb32.exe
540	Paiaplin.exe
540	Paiaplin.exe
2328	Pdgmlhha.exe
2328	Pdgmlhha.exe
112	Pidfdofi.exe
112	Pidfdofi.exe
2316	Paknelgk.exe
2316	Paknelgk.exe
1692	Pghfnc32.exe
1692	Pghfnc32.exe
1120	Pifbjn32.exe
1120	Pifbjn32.exe
1784	Qcogbdkg.exe
1784	Qcogbdkg.exe
1916	Qkfocaki.exe
1916	Qkfocaki.exe
1928	Qpbglhjq.exe
1928	Qpbglhjq.exe
916	Qcachc32.exe
916	Qcachc32.exe
1652	Qjklenpa.exe
1652	Qjklenpa.exe
1940	Apedah32.exe
1940	Apedah32.exe
1732	Aebmjo32.exe
1732	Aebmjo32.exe
2496	Ahpifj32.exe
2496	Ahpifj32.exe
1548	Apgagg32.exe
1548	Apgagg32.exe
2392	Aaimopli.exe
2392	Aaimopli.exe
1424	Ajpepm32.exe
1424	Ajpepm32.exe
2948	Achjibcl.exe
2948	Achjibcl.exe
1540	Afffenbp.exe
1540	Afffenbp.exe
2732	Anbkipok.exe
2732	Anbkipok.exe
2692	Aficjnpm.exe
2692	Aficjnpm.exe
2992	Agjobffl.exe
2992	Agjobffl.exe
2600	Adnpkjde.exe
2600	Adnpkjde.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ohiffh32.exe	Oekjjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Apqcdckf.dll	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Ohiffh32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Pkmlmbcd.exe	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Khpjqgjc.dll	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Jmgghnmp.dll	ad50ea267bd2a726a959637269e410e0N.exe
File created	C:\Windows\SysWOW64\Oekjjl32.exe	Ooabmbbe.exe
File opened for modification	C:\Windows\SysWOW64\Pkoicb32.exe	Pafdjmkq.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Qjklenpa.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	Ohiffh32.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Oekjjl32.exe	Ooabmbbe.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pdgmlhha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
444	1572	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad50ea267bd2a726a959637269e410e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohiffh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoicb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll"	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkoicb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ooabmbbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll"	Ooabmbbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ad50ea267bd2a726a959637269e410e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Paiaplin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2088	2416	ad50ea267bd2a726a959637269e410e0N.exe	31
PID 2416 wrote to memory of 2088	2416	ad50ea267bd2a726a959637269e410e0N.exe	31
PID 2416 wrote to memory of 2088	2416	ad50ea267bd2a726a959637269e410e0N.exe	31
PID 2416 wrote to memory of 2088	2416	ad50ea267bd2a726a959637269e410e0N.exe	31
PID 2088 wrote to memory of 2724	2088	Ooabmbbe.exe	32
PID 2088 wrote to memory of 2724	2088	Ooabmbbe.exe	32
PID 2088 wrote to memory of 2724	2088	Ooabmbbe.exe	32
PID 2088 wrote to memory of 2724	2088	Ooabmbbe.exe	32
PID 2724 wrote to memory of 2984	2724	Oekjjl32.exe	33
PID 2724 wrote to memory of 2984	2724	Oekjjl32.exe	33
PID 2724 wrote to memory of 2984	2724	Oekjjl32.exe	33
PID 2724 wrote to memory of 2984	2724	Oekjjl32.exe	33
PID 2984 wrote to memory of 2740	2984	Ohiffh32.exe	34
PID 2984 wrote to memory of 2740	2984	Ohiffh32.exe	34
PID 2984 wrote to memory of 2740	2984	Ohiffh32.exe	34
PID 2984 wrote to memory of 2740	2984	Ohiffh32.exe	34
PID 2740 wrote to memory of 2716	2740	Pofkha32.exe	35
PID 2740 wrote to memory of 2716	2740	Pofkha32.exe	35
PID 2740 wrote to memory of 2716	2740	Pofkha32.exe	35
PID 2740 wrote to memory of 2716	2740	Pofkha32.exe	35
PID 2716 wrote to memory of 2564	2716	Phnpagdp.exe	36
PID 2716 wrote to memory of 2564	2716	Phnpagdp.exe	36
PID 2716 wrote to memory of 2564	2716	Phnpagdp.exe	36
PID 2716 wrote to memory of 2564	2716	Phnpagdp.exe	36
PID 2564 wrote to memory of 2560	2564	Pkmlmbcd.exe	37
PID 2564 wrote to memory of 2560	2564	Pkmlmbcd.exe	37
PID 2564 wrote to memory of 2560	2564	Pkmlmbcd.exe	37
PID 2564 wrote to memory of 2560	2564	Pkmlmbcd.exe	37
PID 2560 wrote to memory of 2092	2560	Pafdjmkq.exe	38
PID 2560 wrote to memory of 2092	2560	Pafdjmkq.exe	38
PID 2560 wrote to memory of 2092	2560	Pafdjmkq.exe	38
PID 2560 wrote to memory of 2092	2560	Pafdjmkq.exe	38
PID 2092 wrote to memory of 540	2092	Pkoicb32.exe	39
PID 2092 wrote to memory of 540	2092	Pkoicb32.exe	39
PID 2092 wrote to memory of 540	2092	Pkoicb32.exe	39
PID 2092 wrote to memory of 540	2092	Pkoicb32.exe	39
PID 540 wrote to memory of 2328	540	Paiaplin.exe	40
PID 540 wrote to memory of 2328	540	Paiaplin.exe	40
PID 540 wrote to memory of 2328	540	Paiaplin.exe	40
PID 540 wrote to memory of 2328	540	Paiaplin.exe	40
PID 2328 wrote to memory of 112	2328	Pdgmlhha.exe	41
PID 2328 wrote to memory of 112	2328	Pdgmlhha.exe	41
PID 2328 wrote to memory of 112	2328	Pdgmlhha.exe	41
PID 2328 wrote to memory of 112	2328	Pdgmlhha.exe	41
PID 112 wrote to memory of 2316	112	Pidfdofi.exe	42
PID 112 wrote to memory of 2316	112	Pidfdofi.exe	42
PID 112 wrote to memory of 2316	112	Pidfdofi.exe	42
PID 112 wrote to memory of 2316	112	Pidfdofi.exe	42
PID 2316 wrote to memory of 1692	2316	Paknelgk.exe	43
PID 2316 wrote to memory of 1692	2316	Paknelgk.exe	43
PID 2316 wrote to memory of 1692	2316	Paknelgk.exe	43
PID 2316 wrote to memory of 1692	2316	Paknelgk.exe	43
PID 1692 wrote to memory of 1120	1692	Pghfnc32.exe	44
PID 1692 wrote to memory of 1120	1692	Pghfnc32.exe	44
PID 1692 wrote to memory of 1120	1692	Pghfnc32.exe	44
PID 1692 wrote to memory of 1120	1692	Pghfnc32.exe	44
PID 1120 wrote to memory of 1784	1120	Pifbjn32.exe	45
PID 1120 wrote to memory of 1784	1120	Pifbjn32.exe	45
PID 1120 wrote to memory of 1784	1120	Pifbjn32.exe	45
PID 1120 wrote to memory of 1784	1120	Pifbjn32.exe	45
PID 1784 wrote to memory of 1916	1784	Qcogbdkg.exe	46
PID 1784 wrote to memory of 1916	1784	Qcogbdkg.exe	46
PID 1784 wrote to memory of 1916	1784	Qcogbdkg.exe	46
PID 1784 wrote to memory of 1916	1784	Qcogbdkg.exe	46

C:\Users\Admin\AppData\Local\Temp\ad50ea267bd2a726a959637269e410e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ad50ea267bd2a726a959637269e410e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\Ooabmbbe.exe
  C:\Windows\system32\Ooabmbbe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Oekjjl32.exe
    C:\Windows\system32\Oekjjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Ohiffh32.exe
      C:\Windows\system32\Ohiffh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Pkoicb32.exe
        
        C:\Windows\system32\Pkoicb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 144
        60⤵
        Program crash
        
        PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
90KB

MD5
3cbb1e7b20b6b9f1233116b235455ccc

SHA1
2c2d88fa9a88109033cf44171ad460e0f73f7074

SHA256
11b7ecf2f5d54f81c8ca2b53c3b92a05afc3b8446e0f13a8ea6ff9f85de612ae

SHA512
6953c78ca6a398be4e6c01350cb83a035dad30745f2c9a4d1b213488cdf5fe4ac91b230791ebf4e26e4e7a91df8c581d06522dcee87ec4cdaaf3b52e567e0908

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
90KB

MD5
97043f55bd8e0c5a42cdae545fa26bea

SHA1
184aa2cb5d9b4ad173b647007f22641c8f78b036

SHA256
278423c4a4a1328bb1900e98b590aae9896b6d53cf409c883136c1677ba2a3d8

SHA512
8cda208708277f84a5f43beaf898f5511ea94836c9d72e80131381d451c2bfcbfdaf3a65e6de02a6d87cf46bb0b3ffef6058de55000fea85221ae7e7c38a5314

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
90KB

MD5
c504b63e5ad729f957ec0d2087ee15a7

SHA1
b39a0c91527fa4f1be725b33a9117c5cd18302ba

SHA256
89c0d54266231dba366d493d6106d42e3e637e8b3f01f47458965cfa595bea4e

SHA512
a176b1b543cbefe02640bcf1b3bcc8fb17d4e7e173e0692b9eb87c8b594ec515d5a83a8992179db5d42645afa68518cbdd5ddb207c534a939a35885da0622d25

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
90KB

MD5
365816f18ad0685e627743921f9367ee

SHA1
460eccb8597472a18a0d84e3b5b9946ec287e2b0

SHA256
2602021dfc9cae306b7cd67e2b2837101a25c8b8ac74ea012c1010f4f6004c03

SHA512
9b451026fec17cdcf3e875280e7b339b676eebe726641da72f47f5b1e1c024a7965e8610f6726446047da9fd5d2d5deb77be97fcf3d8a5ebe2b307cd7189d64a

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
90KB

MD5
0e318b020a9c22005c597f8ad0fe9635

SHA1
3ee5e37c73ae47cf61b68546c03479d0dc597238

SHA256
04f6490cd548133e28fdc60a6b85cf3f7cad872be8f65998de0932144a90d545

SHA512
7d247ed17e9c30a5f79809433d475ce99dedfe96c7fa421ac4d2e4283027e66373cf9354e661355b91fb07a994e33a52328145c146856c9879b779cf6f9034c1

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
90KB

MD5
2a477a47b06cdc8d6ac09f022ea6be4b

SHA1
3c08fa718996dad1bee0622f5d3a9c07efc3f08e

SHA256
0fd5ed311ecf0050d719c01a8a148cf361daaf46de47b762ebf6cc0b7e5fdd97

SHA512
286f807709627808177204f57b0614ec25940c3bcc121591329fc24d3d601e6485644c7b7b4ec778fa29178d43346223a33959a6a4772c228601895b83c06d95

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
90KB

MD5
7ae91b1bfbe85aba45846f8f320dd2bf

SHA1
8945d2b398abbc305bfdbf13396ef03f0e375f2d

SHA256
1943c9c23d31c8dd72c0505b10f9709ad074a9e25f56a6ec82dc1a2b47c7fbf3

SHA512
e304614ca26072bf0656fec38e334de372fe60ca6b0891051b5808451b5a9c276af095f8b3dd85ea832a53e0106452b5c2f3f167b9b7fff2420708e5d2d61ac9

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
90KB

MD5
b339e7faaced3a466ed97b4c43770823

SHA1
031c76577f409ead8eb81c1576fa24f0533780b8

SHA256
1dd735e77a627a65f4e3c8eea1e62e57c3eb11cb3f4a7ce0506979f1e9b8c8a5

SHA512
32b634b2786da20fdaecb30391c0d2a7e704e88349d27b399ae63ae452d70b836ed5aa82e75ba62c19bd95b3c73aa01bbb2c0b9335002afe7cc21e81dc479aaa

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
90KB

MD5
964cca078a9058adc0b23bd3b254e163

SHA1
1b8d6325e15f0bf8aafa567eacd7890c6fd03fa2

SHA256
48a30ec7ba79f3ee7328ff2d111e9c733fea424a4e71b460116f601013b692ea

SHA512
6dcace3bc52ec15ea83b1f4136a107cc1aa463e666c7b039ea8f2068334ca25c61adc3832705e9691b0330b5f1200fc095c729843210849df365afd788e3ca47

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
90KB

MD5
f45f2caa2ceb72368f6fb81a6ac3b10e

SHA1
95d1a6751bdb459278231b491a9bf13825844c58

SHA256
8a9ff03ca6dad427ceeebf04067eba95a7c0bd977df8c056885e8ec799d89abb

SHA512
aa55f5b5e6bfd9c849be7af2059cfd76f3a683080bb1fa2c4f2d4aa6fbaf0d55fecbe30a70b760dddf721316c9393fa5504291a966ee822244a8c3cc8b4023e1

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
90KB

MD5
b568c5f1d844d18fd11cb8ff8eacca5b

SHA1
17cee3ea5ee3bf3bd29a52db57873de75efb1f0c

SHA256
ae4b4dbb4b246dad73a637284a7929f79c5739bc3dba206e1bab8791a5cfc777

SHA512
d2ec77c2164ac157198f317fcfecf04fca49e55be9599dede2505bb76fd5a5be7700230641f32239b61247464c12cf47c67641534559b824bdd72404bce436a0

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
90KB

MD5
c5ac499bbfb9211764a1480d5ffda473

SHA1
427270e9e89338f6612bcd532b5983b9655592f7

SHA256
4d3ff8c43e21b5b3f1ed0f3dfa541ecd937fb28564e1d8301dbc65fe5566e99f

SHA512
b51599cd84071ee60dffd37dc96b0936ea91ab13dd7dead5c430b101598a15cb2e28f348167dfde07269d5ec8f367afdaf988fb47d040a9dbd9aaba0699ef10a

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
90KB

MD5
0b6baccfe2f398a8a9e7de6f26c2e5be

SHA1
be179b03022eac85f5b240b5ca40ce6ac7481b74

SHA256
fdfe6772712431923c5cb231d271440bd92341cd958d45b0ffb94b903c65cfb9

SHA512
c4535bddd224d79aff0a0fded257bf9284951ff4ebd6e9c37aa773e7eabbd5c7b3a86d66a7bd85b3fd69d5deeb4f30489b4de27c8ca98e5cb8ede34764d229ab

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
90KB

MD5
819e57b1db7e0584214b0e619435f9ad

SHA1
4a7a5bf91b7d8c223210c348e74921a2d1503133

SHA256
b6217c2d9de35f178676b744667be86b2f32181659d154378f72c6ae3eb5e954

SHA512
4e1ce0dcb10de5080dc14c7d34cf044fc5e1af2de2cd597d901bbc5f1c4ac341d20cc3010b9abded3e92150a1e1336c09367eec103fbd662e90a7b39d258dad3

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
90KB

MD5
cea6d012628201d1377f8dc4f62cb012

SHA1
04d1964cfc69bc413daa593668c52f61550bd5e4

SHA256
7fd3f3f6746e002120625df590a55b0aa785f1b0b111053cf6d7d74a473e3e97

SHA512
bac8d45b5cdeb82834eb994380c2d9d69934e1f80c833c8594a7f32a78e1ec3bf5994795095b6af48f52c487410f6b58043e432c68feec4385838e1ad7c4172c

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
90KB

MD5
1b0c04286ad8a37096f9f20a7834f527

SHA1
ddc6112c4d4dc68008253ccd4b70736818b1844e

SHA256
df4d2d6d4883b06a5f29c37d588c65696d848d44986dc93d3e52c4540ca0a309

SHA512
39aa505978829295b0df0dfc3272a9cc508c696394219d7fd543d23bed3559b032d247f84b07b81f37c63d4607e1e147e753b2174507ca2b3a13dd0b4de5e817

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
90KB

MD5
1859c08e7583338bd684cb46d6ad5cd3

SHA1
8a127dbc3ddcd6b9363b5e1abe20ac4b38d202a2

SHA256
675ccec57c6511a018aa56e8e515f19f64cc89ebc3da77d43287115a65909c19

SHA512
294eff53c75a42b92c43109801d1d73c54f6049fb07d5f5824550a8f4c630450b421e4218731a3fc879c2b72d20a4086facbd7dea8569f5d36bffe4586423d02

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
90KB

MD5
3aae65c8800bc241af5ba3f47d99c159

SHA1
489416ef9616ee79e3e58d5cb1ed6ab111173855

SHA256
ece17dacdebfcda52768a7b3bd14948d837e7e677e80ba91e268a8960ab88291

SHA512
0312fd43dc75373fccbb3132cc48dfead28e9d95cddf4d4a62020421808627ff6c69c5594e03e5b5a48642d06205f21fafd9f94ab7d470012b2a56b5bf28e273

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
90KB

MD5
8fa641778f28fe8c73b48407b449fc44

SHA1
3adadfc191637f14fd885012113d0d7097c2a0e0

SHA256
d55a8ff9e9e36da8c6af29424808f7819af73678b9b3e100bd94a374f1591314

SHA512
ecc49f1becdda4f210180560d9f56c27be328675e2324ffbe19e8cb2ba9826956344d6c15a5e43bbc84135c8a711ba7194ad9217ec55115e30b516c92433b012

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
90KB

MD5
25b47b4e54b8439f848817ee456f9430

SHA1
abd69d34448596ae3e8abdb4d317d6b34369e579

SHA256
b5b365be0e258e2974a07bb1bc95f0f431d1ba99507e3ddb0bc1284359369f6d

SHA512
977a60af300b798b5a6c1cbbad9fdcd128fbd45be821aa188c2d38c7a70e5540f357397a35d7d8a631bbb987bf031e1c30729cacdce813b7279420265105843d

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
90KB

MD5
3186c611f5a6c4f9f947a86814ef22e5

SHA1
c70db8363ef0ab2ed66c09e8c1451587002887a4

SHA256
d937ec4ebc7e2e2c1d27edbcd0fdf72df26801b3d2ae379806c9149da84dcec7

SHA512
8ba4fb57fcab4ae64d15f759fa8ab1bebb7c152bed440d7e20b38f8df0964b1e689067f9d9628bfc97db241227ff8c1bcbb2bded2c4d24fcbe2851c4c02c1605

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
90KB

MD5
9de39627da76c9995ca4cf5f28a819c8

SHA1
3a3b084064fe4da84abe3db203224d0ec02b9d42

SHA256
05305010f59973132e881be74869967613023fbf612fdaa85c535be1d89aab8b

SHA512
e80c8b954c0cdc5da9fe78bf2b294ba263bb58d7caf3ac887ae3bec44dd17e3029bd789bb6473ee80fe7596585c99f404dfc6c3f8c81c0776d4305c66762de3e

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
90KB

MD5
cb8ce9779affcc3fcdb9456e894db211

SHA1
6f99ea4d8c71618d28f6f708f03761a6c26b8107

SHA256
4912c1f253296e82d256e008df57e14bfe3c43be739c9ecf724c44e19b33f964

SHA512
4de3237e70f5ff21bba02a4aefad93a5954e9e71cd8bccf52352b4ebe889497d9961011c8c71a730a8a41743360b40984b429e5ed1f2bebbd1f9e2a1d508ffda

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
90KB

MD5
9da8ce2b82f8172289d28dbc4917b4ff

SHA1
c0168ddb78b5cdcd94a3549af2bb8de062873574

SHA256
09fea63a77edbed1fbfa46d34d8ea5b46d917f5905586f682dba15b1be28a28b

SHA512
33f9dddf0b678d1b77083202c244dc6aee2a9a3ea5109988c79cdcb82c88196eb9ddf47c31d6febfce92c9e6a963d433a283af442062891c1e32258a56d695dd

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
90KB

MD5
a66e2f85687bf0d92fd194ce3167220d

SHA1
20eeecf773d9e3f58dd537e8c413269718040884

SHA256
f4d86db6b562336988671b008dbdebdf517a29662e524642e3cfbe1a85badd13

SHA512
0659513e8d04d893c34298ba509369f78650c5b966412ed26860824e694b6fee964131992e6472f3eabcd608561ee6bb2a805be47b28e5c0acfd70a9808c2e8e

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
90KB

MD5
ef82c7923452a280d833aa7c29e0d4c9

SHA1
8a24227008cabd8d028435b6a245694e2fbdbca1

SHA256
b1839b36d21a3f622f15cf718c8d6b9fc6c057d50f89c5e24e2c378a3cebb805

SHA512
824e9ec110552372e93b800b0a540e677a6ee0fd3c4c368fecf0d322ca2a8b976a5b41fb0fdf375dc9dca280cd81b3fe3a4e7d12e9af5ae998e3a288ff327e15

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
90KB

MD5
ef01e823ae174ec58a411922e99feb5e

SHA1
7e74ea87edbecddf9af9d140b2201843945d5a08

SHA256
14178072bf06368ef70d27d11cb5bcdcc14a4413b8f6ee0402fcd7ca6943f574

SHA512
ff206aeebbdd84593351fe1142f39ab45aa70857cdcb969c942ffefae8a3172e91cf3709532d0af77737a36f55211f846d97a43af4374daaf07226c1840dcc2e

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
90KB

MD5
8ec217babc63fb4b9cd194d917fa1c28

SHA1
d954d8a054038558733d454ccfdab973eca50674

SHA256
75abcab8d2ed303e898a4df6411d567d038b8b88d91cdc7941743d4e26cce9ff

SHA512
1817487cd78705677dbea25dbcbb557e72ee01e0738fd21a342dac48b40eeabcdc7a24c208b5cfdfa1d6528bb0e99c417812a1c973e5ef70eac185dc2ea3ccac

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
90KB

MD5
4a992407325c3811fea6039207d85b02

SHA1
9f539ae548b09021eb8d65ab00ded3624f650933

SHA256
4d3bd61721a73612c99db690a6cc5e0d60c4e3addd22373fbc414d43e8e5c953

SHA512
d6ca335dd16c4881ab58d3dfcb01d1cbcbbe25808b599324ffe4a63d6feeb3fa2f33f060f579b5af108bf515e88c5b032114cfee88ad12900c2739a93f7b9c27

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
90KB

MD5
832bb8d4266bf85a9bbe148a63b83266

SHA1
eb0841561df17de0f35500cb230d34243e05dfbf

SHA256
f2153f38955c703bac0163c0ed37e6bcb51fea5c9da2caa75ec99c109e536d04

SHA512
ba3a1d831d29c0e88302ba731f269f9965ed89f4ff073addab1c51817e0ae272837e6568bd0130155ec5d968bd121ec8e10777448c511f8c845a66e63b0f0e17

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
90KB

MD5
8c1f0399620aafe2f0a8795aff43fa77

SHA1
108618bb6bd87061c087a6936fd26a81913546a4

SHA256
5a5d940429db6e4debd36cdc925dcc238a00dcc4adc89940ea58662f4da82683

SHA512
29eeb766f10f24d6d694e91f153abab54175652eb5e84610c743b50d089a5013c6438b91aea007f86713a69643e1d4c12a03a584a535df54f247d0989e31916e

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
90KB

MD5
8fb519620f625953d289b4847374ad75

SHA1
413fe0b4c0698025ecc0a81e0ff3e410164eaf05

SHA256
867cc1f601b10cbe8cf65f3bbf97dad9564d683073480a13df5e62f6d2adb9c2

SHA512
dfd64da9e15f75a685572d28daca95c1322454fe07b178dbe7baea8a9138ed3f01d487cc37bab308d01bb4b485544ad144d55896c88ac1bc9eb4f43542261084

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
90KB

MD5
3a4b2233f3cd0569f8455bb506937d08

SHA1
5b044d7223fa4ffe588619c128e52fff4d473533

SHA256
1794c4341e6f0dc3a92a8899a08b622ba08bd147ea75fc4b95f7a12b73586d73

SHA512
78983045791e564b25132b808148c65a93dc71308309f1e7c1666aeb549c2a8b14b74d6edf3278a72fbe74d29dd3608504e5cb75a83f19065ba5bbf0fba7e9c0

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
90KB

MD5
709301ebfd7e96e4e65b1cf25896980a

SHA1
cffe7d496027138cc0d15131cb80ed69a7c48958

SHA256
c160394805ccad1d47f74c12321415279cd27d651f47f69f49744fc267a12f3c

SHA512
eaf1fa2917d0057f3af2c9d98c96be483f44673b3c6299d349e361119ead1f97dbe4b2f6e8a1ab13d80272c2a10b2535712e072c479ea1a26d75658783e72393

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
90KB

MD5
cc4df6eeba22654c7cd04b55090ee015

SHA1
f6cfaec0594350cd72bee98b838371ac3438496a

SHA256
0f1219001f0768240d43edffdc29921a62ce16eb552f9fdd40ff9a8505c2da32

SHA512
ca54fcd95675fa0e01b1c767d2450a7e30e6e69cc2ac047479393cb51cd8c60e3d975d31fa33712e7c950dd23573867203c60a55b5ef96edae6d623afbf7d3ab

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
90KB

MD5
1ca53f6c1e1ef1aa45504ea310d63da5

SHA1
05b26de0c1065db76e2a9a6cd486b77167f46fc4

SHA256
44598e42bafa5dcbca657a424524418b40d6ad7f523ee83f67b936e21970b0ec

SHA512
9db6799abc11ce82bc331d7229160ef801415e9004dee28d34d7d351aaa5f9b5b3bd13a2e5e98b57be3bb33bbb4d2c10eb3881ca657e94d64e632deb5cc89dcc

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
90KB

MD5
bc89f4e14bfa822e334d8ce5199a6032

SHA1
9edd076ec0347be5432be714836c52c1b0f12d65

SHA256
a3920bc983a4de58a04ca396ea66883dfecf37afcef020149487a3104a614c79

SHA512
b50fad33e7698f60a1baaa06954c7c1ae7973366675398ce8939a493e91d91b772e14b6601a4f5956f9edaf497aa163654a49cfb0617ea3dc8fd347975cc1357

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
90KB

MD5
f6c9ba978454b8dc4e75eacd6854806f

SHA1
7307b2736cb715d72596bf3cf71257ca19e19906

SHA256
403c39e47f2306bb866ebc5f5b138cfad8e02a55d0b2851c7353510fbc872955

SHA512
cab81d1ffe8cdec534c62a9ff065447870cc2cdbf9db141f4d8d1d8f7f46b314d957c022a7cc1566209ff01fe2a019bb789d90a3bf0c2a9450c64b15fdcaebe9

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
90KB

MD5
4efca01a30375ab340584def72bddbce

SHA1
3d03371cdb5d34e43ada7315220848f0c6f69fa0

SHA256
7b5513eb887d2f164545230c38b27de9f20ed2487e76b755ad7acdddb296141e

SHA512
9443a467d1b749267de65547276b3c9bb82bb518718e9c936b4ad0cb3fe4b54f617fb3c0730a2ef6198de801edf256e4056b86fc63ee512b17da0b869c6f4d6b

Download Submit
C:\Windows\SysWOW64\Ecinnn32.dll

Filesize
7KB

MD5
dcc227c557b4a0356af3104bc885f59d

SHA1
de99ff94c5dca9d425e8b599e927d7943af37701

SHA256
21f50b7884b05590778a1464a1d363de056aab0eced6c9a74261906026266e28

SHA512
7544abbd0d25fb035fa01de8871603b7bb4fe2932e7d792a918b06d0108211aefff61b5f7890bc710e4c49428df10f293b1dcee089ef3dc31a6170e6df186a8f

Download Submit
C:\Windows\SysWOW64\Oekjjl32.exe

Filesize
90KB

MD5
705ffd53efb0187e00cded769e678f83

SHA1
67597e07fecd6afff47cde657d09c9b89520ed23

SHA256
f05308402030163c587d7a2503a0eac28f397cb41f1df508c5144e03e24d4238

SHA512
00fc39e40fcc40fdf2aff1701a01c32396a295bdf1a42c3fbeb9a10fdbd85cacd3e34d39c99a739d989054337025d2d639b90c52fc50c244055329e96bab230c

Download Submit
C:\Windows\SysWOW64\Ohiffh32.exe

Filesize
90KB

MD5
b1179181bf410f4e07ce17fb886f32e9

SHA1
e1d90aa9da10d8ced2c4f3be9eb545df0d7806f0

SHA256
951ce8315ce923642ec0acab081466081e00543472b3bcbff46d3520e315c785

SHA512
95caeddec01e67568d7456c6a8f77334e6c6c363be77c7b30ea9cc2d6208a610dc93bb049c0a8ffc23de459030ec651c49681e3cb9e74c7699a21127f86defb1

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
90KB

MD5
6b48c0c3be5c0d99bfb2789265667300

SHA1
faa3d5ca44a5e2c6ee61dd12d55b3d12a0f82005

SHA256
e5441d2bfcfec2f1bd9b75fe6cde26b6eb4b27dbeae8decbdf96cac963d7d4fc

SHA512
1f83388f97bf623ba8a061fe7bd109b5a452aaaaaa489bb99741978a61d846fdbf057c15b865968364342b9b073097e056499fed510993763d01e3f2a0c9a5a3

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
90KB

MD5
fcc0bcdeab656fb8e07a7d1676e058a3

SHA1
7f06e4e72caa34ec3a35f0435ac1ba39e37ebb34

SHA256
6fcfa74cecd82fa67a181a0d510ffc9e38af9b706ec42904f86ffdd16f7944f9

SHA512
d7e9c8278d668387a9de7cd44c5efd0e8d2f49aa1fa487589ea9ff869eede205511edd95c91e48879efb6b936aeb50a53b7746a499439e9bf8efe8c20623860a

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
90KB

MD5
52ef2432d74e6b2d11bc940a15773d89

SHA1
b5b547aacdf111053c913aef84dc2aec5fb36dcd

SHA256
44199da03e9511ac1e70e513515d66741b0306df9c9167c43157805af80b96cc

SHA512
e8f88b283a6a0760332a2856b3f591ef0c7e2569961be855e455483070f75243391f6114e204e38f13c1daca40126f7838990c3b8c86ee5ef3502d24546255af

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
90KB

MD5
65275ae392d30719bf599d587f4b196e

SHA1
a45369c9e967457980baab7473a18fa1c2e027a9

SHA256
44b26f8eaf0f9aba6c47d202d01b4043be6b9dcbc1ed890321088d98a35ef894

SHA512
e75044b4b1f3df060eef6aae4b5c91b97b778719884929710c01171fb0c5ed6c6eff0952d153bf3ac4b903ec867029d3f36ef4a426e4b8cada9577ed9c0ef2c3

Download Submit
\Windows\SysWOW64\Ooabmbbe.exe

Filesize
90KB

MD5
d0a0fb68fe80f7532496747c1a71e616

SHA1
f6d91c93453bdf0885194f8345ce9c47e39e1720

SHA256
de26f9e5b081ddfd29b4f0e511eaba2981ffd5cc243e5342d3b93081606839d7

SHA512
39ef3bca3562237466780279f92182fe89c068dd215749355b062f0473b95ca14bffc46d0814ee9fe68cba73f723353bc561a962bbeb4aa7db0557f2e629cf11

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
90KB

MD5
9a2eca8c1e5854b8c8c32de74e01f4d2

SHA1
d3d42d1dc60893bfa159fbf76ef528439e19b415

SHA256
7cbb670abe7be8741ac866eb96caea4c16579d4b46f965573daf05e698c59d4e

SHA512
712b22a00ddaa365a06af0a79611cbdd831e8f021fb004caa4f1839205a4eb5f6551d2435c718c55eeeb647113c732f15ffa6f2e6194d0adbb838c6b6c2766c6

Download Submit
\Windows\SysWOW64\Paiaplin.exe

Filesize
90KB

MD5
4d9226d9665a6753d6b8b71a6c647d23

SHA1
55ac5e96b9b25e30842233a783836e2cc2267d77

SHA256
6330fdf34e60880aa88c0cdc452ab37830e129168772ce8206b476d629147af4

SHA512
90cf0ee12da25fc64d71785404b25437d348975f804ee889165a72af5d2c70d7ae3882c2446790c52f12a385ad62fb97b95022e5ab16e7a42b0ff0861dc75a9a

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
90KB

MD5
3660bbe386141efbaab67c447f1092d8

SHA1
5bb4eebc244fbd942b3d481c064cb87174ebdd4d

SHA256
bc18357be8f17e9caa6135ce32340e259eaa87bcfc94a62fd1363ea7dd32591f

SHA512
37ea88efc830147136eca7827626d4e770861b1b0fb4fef3c6206eaea86505e4d12fffbb0ea184d6cf10712f067d6090465b0ca3f8a1171eb15ee42fa90b450f

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
90KB

MD5
f6be69d2bd7909a8f86ff61686688443

SHA1
ed0df1c61736e760ca478fbe36861f7d8842fde5

SHA256
e320f3a1d5c6c791a89f779dd43e5f23d8bdea459fb40ce26064510a8d8ffee8

SHA512
55025860bea8b3c530558c79caea8868968cc7ec4b3d69bc53b49dd319b0ee0488dcffe8e4e5860ee0ffe212c3999b4e351301cd8c4687fe4ed40dd60c16ec58

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
90KB

MD5
aec39aa919c0344ba0138fc286385a9a

SHA1
601275b5468ff0f7838c4472abda627520f60537

SHA256
9d4498f5482a83e4318f830ab131ec9db84c06c00e1bee45a998eb60cba0e741

SHA512
c0c0525cc80189135063df60681005d4e0fa9aae6a14accf0dd94997ce420d2fab595f5570d8e1c33e9dd2bd96652c79f674991ef896f0ace5c68fd60251a317

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
90KB

MD5
d487412852d6cdd7734c5860ba902eda

SHA1
c00a7ee4b89d8b060b32c54f2b27ddc1e0adef8a

SHA256
cb03535e0bee263450b8e317e5c8e6476ef966d57cf896b991dbb17239bdef78

SHA512
eb4fb51075bebf45446b338605c07792ae01c7ede40c036cc5d574a98bb28b77ab53d09fd7c67e4d095103e7bd2c69e60103888be214ad9948862716377ef5de

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
90KB

MD5
101e7dad555b8236d703937e70934464

SHA1
b9fa684ca2f6336d7c186f35f8761b386e302b43

SHA256
825f68b5337e61e8cdc856006b9ff60c5eb60282bc79ec32d7f58161eb826610

SHA512
286e328ce50ea67bb19d336eadc63f90039ae9386bc088aa94a52e31b656b3cca0c86975c1d2aeef68fb4f3fa52442789d754037cd4a68f6c7cbfffffd93a15b

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
90KB

MD5
ba43b15084e11d56e852862d75b6558e

SHA1
c40152b2db3fb44f01d946607e6bc3557dfdfca6

SHA256
967421816b5f169061ca06884d894fd9c8c4e2f1e0363dee1790761497725d28

SHA512
f0eca91ea5de1019f2563a92b5c7df69f59ce6004d33cefcaba13c8255d47680ac507c8b97408eb0845cb0f1f9da9d2af9cba36270705503119a726c22418ff4

Download Submit
\Windows\SysWOW64\Pkoicb32.exe

Filesize
90KB

MD5
f06c545dd77f1bd7a4b0e333d10911cc

SHA1
51d75ac327b56e8f7f6593a9a5b1baa75dfc1367

SHA256
6bba02105de131892870aab665dafde36fe3c6d07ba6ff108b77ab53d619b127

SHA512
38dfce03d3ec742570a3560aa3e4392ba706ca77a62d3323e1811e297cf2bdea58d298a2f7ec093ec94655162fc2cb4618529bd799d153661f59d1b58a0988b8

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
90KB

MD5
418b5deddc9c7c298dfba37d8d6f7a84

SHA1
8deb31ea900117cfcb9262d1bd68bb95bb25bfd6

SHA256
b27d5695f16a62155252d658e8897a9bb5c04833c3be82259241d475f78d83e5

SHA512
d90d3525d8ae95e90e9fdc9877ad9ca4e19880de9feaf545819f49781dafe762463454218bdf77f5a71fadb65490b7bf9957d34c024fb9303f79e9a59cd4c4cd

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
90KB

MD5
10c53cdfba5b9818a54fd8f4586dabe1

SHA1
2dbd967350fe8f61e019a52b85d52d4cb889cdda

SHA256
c2f14618d9bfdcc291291602bdfb3d771fa5296f292dd201dee575f179d0cd90

SHA512
ab03430d48d208f81fc51a282f64c5f4410afff881977fa9cccbbfb54b9113264edf716acba6b3ac1e0e8c3b6ed91d71bdae2d6aefc09d503cc08c8d938adab2

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
90KB

MD5
f3efb8cc56f2b32e3b7a5d5ee0ba47c0

SHA1
d4ae55ef6cf30c113593e5692d2992aa110c13fd

SHA256
7d3ac0c37ba28b30a44f213a86475302c2091c03bafa91be3f215b43eccf8f4d

SHA512
1a5bdcada5e3939883460cb9aeafeb86133728553ed54448884f80682f368733d1a167f4a3f19566c6fe76c8aa26ec32a48887d62b9d20e551ba0214f62a3fc5

Download Submit
memory/112-500-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/264-438-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/332-404-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/332-405-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/332-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/540-476-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/540-118-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/916-230-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/932-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1120-192-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1120-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-318-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/1424-319-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/1540-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1540-336-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1540-337-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1548-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-292-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1548-293-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1652-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1652-249-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1652-248-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1692-182-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1732-270-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1732-271-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1732-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-477-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1916-218-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/1916-210-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1924-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1928-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1940-260-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/1940-259-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/1940-250-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1992-490-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2036-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2036-415-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2036-417-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2040-428-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-356-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2092-457-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2092-105-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2092-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-467-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-469-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2196-468-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2260-510-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2316-513-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2316-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2316-165-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2328-139-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2328-489-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-131-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-427-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2364-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2392-303-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2392-304-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2392-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-355-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-361-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2416-12-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2496-281-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2496-272-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-282-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2560-451-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-87-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2564-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2600-372-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2600-382-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2692-360-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2692-349-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-416-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-34-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2724-378-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-383-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2732-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-347-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2732-348-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2740-64-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/2740-403-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2924-384-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2948-326-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2948-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2948-322-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2984-389-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2984-47-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2992-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-371-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads