ae563926ea5d2732bc862c00d42d73c497455fd99ea7e50e2a17ede11a52b0b9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf70c4665e77d23bc85e421548a1900N.exe
Size

182KB
MD5

fcf70c4665e77d23bc85e421548a1900
SHA1

0e798bc340aa25ff8315692dc26e17bb6581ae0f
SHA256

ae563926ea5d2732bc862c00d42d73c497455fd99ea7e50e2a17ede11a52b0b9
SHA512

fefcb56c3b69ca0b131b7d8f1f70a799afe5aa1aa83f007be7eb02dba02df08105b005e812d73b56c77ee4bdeb49a3364c443c5d6b0013ae9121d08fb2a86888
SSDEEP

3072:FZblIqRew5AxTPJRmuu1r7nguPnVgA53+GpOc:PS9xT/bu1rEiV6GpOc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fcf70c4665e77d23bc85e421548a1900N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fcf70c4665e77d23bc85e421548a1900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe

Executes dropped EXE 54 IoCs

pid	Process
2320	Phqmgg32.exe
2840	Pojecajj.exe
2780	Pgfjhcge.exe
2680	Paknelgk.exe
2776	Pcljmdmj.exe
1012	Pkcbnanl.exe
2588	Qgjccb32.exe
1256	Qlgkki32.exe
2864	Qeppdo32.exe
380	Qnghel32.exe
2440	Ahpifj32.exe
1448	Acfmcc32.exe
2084	Alnalh32.exe
2340	Adifpk32.exe
2504	Akcomepg.exe
1636	Abmgjo32.exe
1356	Andgop32.exe
2936	Aqbdkk32.exe
2976	Bjkhdacm.exe
1516	Bqeqqk32.exe
1732	Bgoime32.exe
628	Bkjdndjo.exe
2472	Bqgmfkhg.exe
2696	Bfdenafn.exe
2692	Bmnnkl32.exe
2264	Bffbdadk.exe
320	Bmpkqklh.exe
1788	Boogmgkl.exe
2856	Bjdkjpkb.exe
1968	Bkegah32.exe
2736	Cbppnbhm.exe
3016	Cfkloq32.exe
3012	Cmedlk32.exe
1948	Ckhdggom.exe
1036	Cnfqccna.exe
1936	Cfmhdpnc.exe
1248	Cileqlmg.exe
2032	Ckjamgmk.exe
1100	Cnimiblo.exe
328	Cagienkb.exe
1160	Cebeem32.exe
2132	Cgaaah32.exe
2344	Cjonncab.exe
904	Cbffoabe.exe
2456	Caifjn32.exe
1608	Ceebklai.exe
1060	Clojhf32.exe
2952	Cnmfdb32.exe
2824	Cmpgpond.exe
2676	Ccjoli32.exe
1536	Cfhkhd32.exe
1688	Dnpciaef.exe
1144	Dmbcen32.exe
2904	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
780	fcf70c4665e77d23bc85e421548a1900N.exe
780	fcf70c4665e77d23bc85e421548a1900N.exe
2320	Phqmgg32.exe
2320	Phqmgg32.exe
2840	Pojecajj.exe
2840	Pojecajj.exe
2780	Pgfjhcge.exe
2780	Pgfjhcge.exe
2680	Paknelgk.exe
2680	Paknelgk.exe
2776	Pcljmdmj.exe
2776	Pcljmdmj.exe
1012	Pkcbnanl.exe
1012	Pkcbnanl.exe
2588	Qgjccb32.exe
2588	Qgjccb32.exe
1256	Qlgkki32.exe
1256	Qlgkki32.exe
2864	Qeppdo32.exe
2864	Qeppdo32.exe
380	Qnghel32.exe
380	Qnghel32.exe
2440	Ahpifj32.exe
2440	Ahpifj32.exe
1448	Acfmcc32.exe
1448	Acfmcc32.exe
2084	Alnalh32.exe
2084	Alnalh32.exe
2340	Adifpk32.exe
2340	Adifpk32.exe
2504	Akcomepg.exe
2504	Akcomepg.exe
1636	Abmgjo32.exe
1636	Abmgjo32.exe
1356	Andgop32.exe
1356	Andgop32.exe
2936	Aqbdkk32.exe
2936	Aqbdkk32.exe
2976	Bjkhdacm.exe
2976	Bjkhdacm.exe
1516	Bqeqqk32.exe
1516	Bqeqqk32.exe
1732	Bgoime32.exe
1732	Bgoime32.exe
628	Bkjdndjo.exe
628	Bkjdndjo.exe
2472	Bqgmfkhg.exe
2472	Bqgmfkhg.exe
2696	Bfdenafn.exe
2696	Bfdenafn.exe
2692	Bmnnkl32.exe
2692	Bmnnkl32.exe
2264	Bffbdadk.exe
2264	Bffbdadk.exe
320	Bmpkqklh.exe
320	Bmpkqklh.exe
1788	Boogmgkl.exe
1788	Boogmgkl.exe
2856	Bjdkjpkb.exe
2856	Bjdkjpkb.exe
1968	Bkegah32.exe
1968	Bkegah32.exe
2736	Cbppnbhm.exe
2736	Cbppnbhm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Pgfjhcge.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Gncakm32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Aacinhhc.dll	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	fcf70c4665e77d23bc85e421548a1900N.exe
File created	C:\Windows\SysWOW64\Acfmcc32.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Olbkdn32.dll	Qeppdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	2904	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf70c4665e77d23bc85e421548a1900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fcf70c4665e77d23bc85e421548a1900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	fcf70c4665e77d23bc85e421548a1900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fcf70c4665e77d23bc85e421548a1900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2320	780	fcf70c4665e77d23bc85e421548a1900N.exe	31
PID 780 wrote to memory of 2320	780	fcf70c4665e77d23bc85e421548a1900N.exe	31
PID 780 wrote to memory of 2320	780	fcf70c4665e77d23bc85e421548a1900N.exe	31
PID 780 wrote to memory of 2320	780	fcf70c4665e77d23bc85e421548a1900N.exe	31
PID 2320 wrote to memory of 2840	2320	Phqmgg32.exe	32
PID 2320 wrote to memory of 2840	2320	Phqmgg32.exe	32
PID 2320 wrote to memory of 2840	2320	Phqmgg32.exe	32
PID 2320 wrote to memory of 2840	2320	Phqmgg32.exe	32
PID 2840 wrote to memory of 2780	2840	Pojecajj.exe	33
PID 2840 wrote to memory of 2780	2840	Pojecajj.exe	33
PID 2840 wrote to memory of 2780	2840	Pojecajj.exe	33
PID 2840 wrote to memory of 2780	2840	Pojecajj.exe	33
PID 2780 wrote to memory of 2680	2780	Pgfjhcge.exe	34
PID 2780 wrote to memory of 2680	2780	Pgfjhcge.exe	34
PID 2780 wrote to memory of 2680	2780	Pgfjhcge.exe	34
PID 2780 wrote to memory of 2680	2780	Pgfjhcge.exe	34
PID 2680 wrote to memory of 2776	2680	Paknelgk.exe	35
PID 2680 wrote to memory of 2776	2680	Paknelgk.exe	35
PID 2680 wrote to memory of 2776	2680	Paknelgk.exe	35
PID 2680 wrote to memory of 2776	2680	Paknelgk.exe	35
PID 2776 wrote to memory of 1012	2776	Pcljmdmj.exe	36
PID 2776 wrote to memory of 1012	2776	Pcljmdmj.exe	36
PID 2776 wrote to memory of 1012	2776	Pcljmdmj.exe	36
PID 2776 wrote to memory of 1012	2776	Pcljmdmj.exe	36
PID 1012 wrote to memory of 2588	1012	Pkcbnanl.exe	37
PID 1012 wrote to memory of 2588	1012	Pkcbnanl.exe	37
PID 1012 wrote to memory of 2588	1012	Pkcbnanl.exe	37
PID 1012 wrote to memory of 2588	1012	Pkcbnanl.exe	37
PID 2588 wrote to memory of 1256	2588	Qgjccb32.exe	38
PID 2588 wrote to memory of 1256	2588	Qgjccb32.exe	38
PID 2588 wrote to memory of 1256	2588	Qgjccb32.exe	38
PID 2588 wrote to memory of 1256	2588	Qgjccb32.exe	38
PID 1256 wrote to memory of 2864	1256	Qlgkki32.exe	39
PID 1256 wrote to memory of 2864	1256	Qlgkki32.exe	39
PID 1256 wrote to memory of 2864	1256	Qlgkki32.exe	39
PID 1256 wrote to memory of 2864	1256	Qlgkki32.exe	39
PID 2864 wrote to memory of 380	2864	Qeppdo32.exe	40
PID 2864 wrote to memory of 380	2864	Qeppdo32.exe	40
PID 2864 wrote to memory of 380	2864	Qeppdo32.exe	40
PID 2864 wrote to memory of 380	2864	Qeppdo32.exe	40
PID 380 wrote to memory of 2440	380	Qnghel32.exe	41
PID 380 wrote to memory of 2440	380	Qnghel32.exe	41
PID 380 wrote to memory of 2440	380	Qnghel32.exe	41
PID 380 wrote to memory of 2440	380	Qnghel32.exe	41
PID 2440 wrote to memory of 1448	2440	Ahpifj32.exe	42
PID 2440 wrote to memory of 1448	2440	Ahpifj32.exe	42
PID 2440 wrote to memory of 1448	2440	Ahpifj32.exe	42
PID 2440 wrote to memory of 1448	2440	Ahpifj32.exe	42
PID 1448 wrote to memory of 2084	1448	Acfmcc32.exe	43
PID 1448 wrote to memory of 2084	1448	Acfmcc32.exe	43
PID 1448 wrote to memory of 2084	1448	Acfmcc32.exe	43
PID 1448 wrote to memory of 2084	1448	Acfmcc32.exe	43
PID 2084 wrote to memory of 2340	2084	Alnalh32.exe	44
PID 2084 wrote to memory of 2340	2084	Alnalh32.exe	44
PID 2084 wrote to memory of 2340	2084	Alnalh32.exe	44
PID 2084 wrote to memory of 2340	2084	Alnalh32.exe	44
PID 2340 wrote to memory of 2504	2340	Adifpk32.exe	45
PID 2340 wrote to memory of 2504	2340	Adifpk32.exe	45
PID 2340 wrote to memory of 2504	2340	Adifpk32.exe	45
PID 2340 wrote to memory of 2504	2340	Adifpk32.exe	45
PID 2504 wrote to memory of 1636	2504	Akcomepg.exe	46
PID 2504 wrote to memory of 1636	2504	Akcomepg.exe	46
PID 2504 wrote to memory of 1636	2504	Akcomepg.exe	46
PID 2504 wrote to memory of 1636	2504	Akcomepg.exe	46

C:\Users\Admin\AppData\Local\Temp\fcf70c4665e77d23bc85e421548a1900N.exe
"C:\Users\Admin\AppData\Local\Temp\fcf70c4665e77d23bc85e421548a1900N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\Phqmgg32.exe
  C:\Windows\system32\Phqmgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Pojecajj.exe
    C:\Windows\system32\Pojecajj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Pgfjhcge.exe
      C:\Windows\system32\Pgfjhcge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 144
        56⤵
        Program crash
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
182KB

MD5
2017a916fc35f0acc446bde41ffa0418

SHA1
108119c564992de7389802a127ecb1c7ddf011e8

SHA256
6531a0a59f995813df4b9064eb25d3823d8c6ac49bb0d38ef15900cac3689549

SHA512
716af83fdd2fb6b0097fd69d8c849206f256df01bd4d75e781946c48d7d8e572067389e46ac998f74f620b149b3b7e82c98a9cc3a517299faf65f477b49f2ab6

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
182KB

MD5
203cf4e851d3b998413c9618c02d5290

SHA1
b2d413fe0df6aed2ba3f364380203f01762ade59

SHA256
69cf9eaf80a7aec10f3675f2ffcd9cd4fc878fb5d6529ab26e5b66eda8e6d689

SHA512
e28560b7acaed9005289b6f869ec030d073c01d0d161489ebb9fea56bb91151ea1d3169067c56e9b7cabde7b1d07508a623bae410af9d9918f5665bfff2bb075

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
182KB

MD5
1dbf535554afb0eebce9061d2dcecd36

SHA1
3ffde11f1ae5d22f1c24cb58899b30a54eb28726

SHA256
265a12e5e9afa89093ea7a8a266483e1f8e8d793bfa38b49888bc4354d8dcc44

SHA512
a8d5cc0d22b43de9625dd838a94e4b77b1b0990a06492331039b620101f948935b75d75f87fcd7858d02dabceeb17b6cbc1e0ee4ff9eaa3d596eb436bb6ff92d

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
182KB

MD5
73ae529d00523da51deba3b10a59c97e

SHA1
5750ca260faf6a9c710a2513ebc23d24b21c751f

SHA256
b363ad79788dc8b0f246887f302191e3e5cce17a72dacc9d43bcdddd5e387c96

SHA512
86b4abce7039e6f19764d56dfa35b11f39231038bf0b536af22f9c283667e13b21ec39705f43f5dee813008d121b9c176fddfe5fadf5f0fc2dc4d967889b0b45

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
182KB

MD5
2e3a2abd7af8c312ea5ba39f7641c1b5

SHA1
2166555584feef87ec5729530351da42785bd2da

SHA256
83e4ab30932bf86f4bcb606976a82200eb3be605c5a25709cefc85d8239d0a3c

SHA512
078e39039955b3f52d07038fa848927a1e1354d082be9ad1cf653b00f87f498b31f193030b15da9b049f551713b978f5c4a8e437f96b5f5bb25518ea88c0bcae

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
182KB

MD5
594085f5b22dbe08c1d4f106d0d025c7

SHA1
6fef48a962b97ff14eb74337f1224e5a1df0afc1

SHA256
41258cb2d02658301b1c424155a1a3595394c6e842ca5752e94c7ce54746f9e7

SHA512
a2cffd98691da05c0176342cce62c8aecb078937a61568e3605b818dc158e1b34b3cf1668dca5fd0aa15ef03034cc85a288d40dbb13dda210976a2a39a95d608

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
182KB

MD5
ef09f836b89d360858338ec57b46ecb3

SHA1
c652424361eade5c38d075dfc018577a72cba0ea

SHA256
b291500df93d813cc6314b0187bfadeef165e6c8cf3e9091c49a3f27edbc400a

SHA512
4ebbaaca1a94ad2bb41241e83a38f95a489a4bce7dafc84c7c375e3b66a140a3cab766c151abeebd6bfa70a3e23c18f335c74a1043b5f1e8bd30c2443cc0cdce

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
182KB

MD5
6a272c0298376ee9eb5d4fc53b5adb2f

SHA1
9e00dc0abbc77f2670934c4040a1ae0394f5e364

SHA256
4dde2911afc8b20acb47ff5856badb91950544187ef45aae48eaf3cd4abe5945

SHA512
fc6d449b67a4b56e8d01f4209e8472c2121e2de77830b3acf209e0014b875ade52f98f99ac31f818dd4c76324491dcbc5917bdaefcb03251d19c632ba94ce00c

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
182KB

MD5
5c30062f06ca43eb7864f422d44b3bfc

SHA1
dfe8a44a3b2835f21b5763fbbd2d5e7e1144ef02

SHA256
a0c74030ce47bea6c93ec4eaea83701e627832c8990b2a2a613f38648ae90619

SHA512
96f0095f24e5c94c92e53b320d590e2e0a48b27b636bf6828cf8ed9c1595eaedce5e4225adf0b3b9ee6008ac8d11d1711f60050ee323fdf3ad65824856212c12

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
182KB

MD5
ff3fb6b5544772d7e84474224cb0924a

SHA1
8c86b6bd178a0fcffd8e66f29971f82a5475689a

SHA256
407e83133a073835e655fd564c5f150f9467a39740b6045893e0d926f0c240d3

SHA512
93752a4e89aced27b2d8d06bd9fa47d36deeca70d9cc5d48de9cbc6eab56c8693043bd5826277f3ab1acc8a9d3e220edcea360ed069f93e2d70a0343d2a8ad90

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
182KB

MD5
4d8f21d71e65aa61c63491e18c7eced6

SHA1
cfea9ca9a36cb7be65ed57b125d0e0b42abbaf7e

SHA256
b222f6ab8692613b24afbf7635d22de4a89c6ebb715a79a697cda27a7ea5eb32

SHA512
07bd3cad11b7fc624d1ce1010a024da1c193c7d04d795863f64c26d504d78cc09f9d95b7013b3ecb249105f6b47b8a5ee184f3d7712c362e72b6dca8a63e6153

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
182KB

MD5
9e2176d98f1c5b8401b42ae20d9081af

SHA1
2097ee2b0b0f716cc43f84be89b9c08377c85e94

SHA256
c144c4354941bd8a9f8f99f344a277efb4e2acb297ff886b20086dfe6baf9531

SHA512
5d2c154ea946fe3ce5455c62e1c7e3f49d36c2875011bed1a0fc6c15127399282668b17c7f3e0925c10436f4f67e4566f0b98106fc5c66ba3b328fa4d5f7debe

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
182KB

MD5
4b2c8761d9b754b6dc3a17f3b8745496

SHA1
bf48a4420e745e0f6b13e61e7223ca757b7129e0

SHA256
f8943cef27b7e7822f0a6d96a3da9d980aea3ec9636bb6020862cb9deaeaab3c

SHA512
8f32dc394e98e31c6b8b45dc823dc3af825a46228de83590c6d6183a60fcf4ce95c767cb40bbe809f3baeb07a0ffa77adcbcb01bb94f7b2e434d460f36e2e10b

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
182KB

MD5
c81a59d9446f157b9669d2293626280d

SHA1
17e0e24f257a161bb270ff140a6dacb4d2844cf4

SHA256
e1320fb66c25a26c1b0e3a4806a911606b79f3e6e074303bb77c338b0ad40fc9

SHA512
76627af94a282182662725761986813ee9c8d9f897f53afbf63e1e4c326055e20c3521217e9329de9c7f5b72ff9111afaee12887f004a486412218972464162c

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
182KB

MD5
6e565ba60d045517ec5bb1ac4f24c208

SHA1
194c6296e77bfa3404f5cda6b3c010338996ecc0

SHA256
845018bc1eba0d628ce585464a1f881fa92437610c9ca1c195ca72f670e9b49a

SHA512
0afe4726ced35090645525f3c70791b5530a65fcee6da1e792cacc40273d2dbcb22861af8d85cca068428f41a3f9120d63d8319734b75179c8ef77097cd97b76

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
182KB

MD5
33ad06944961a0029b5210af05cf9b39

SHA1
f9b61e067ab19aaca5a9f373e66e75dbceeeb054

SHA256
97825ef0a198cff4dcaf848b77b8e7b18317fc32ec02f4c6be2732fe23986826

SHA512
765b00e8e0a05979354640ea0b882ba7a6f1e22afeb1a7b506e0ce2d19ba2675ba4a0508ff67881952faf7276003d6360d53501f3238c8c5be04a368231b60f5

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
182KB

MD5
155cac511914cf1deb6c5edb457d0488

SHA1
f05819a42028a02bbadc5830deabedbf7026ff15

SHA256
3945c7cf702818f448dc8cbfadc633df3f76013bec1f6a94a87eb08234a35494

SHA512
0049b2613e0a31c9e79b9986112d844bde61c41c52eb02e67fec7550f7c37c21c8e6566ccf0a39ee7b6950e9860be691d20f804320b336a33275909567d4bc4d

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
182KB

MD5
4128f6fabc27534e5cd6a18e264491a0

SHA1
8c56f25fd1f9d588ff1bca03d427f9519686caf4

SHA256
0972a312b7b8c79058da6daf36e206902ca6b427b57d7c5a2ed4930345157ace

SHA512
807b2323ca28deec252afea50d6620ae5d041a3ccb0425a7d2209cef58fa4d127f16606dcd37516ae8332e74766609b781c52c9f527b221c3f6885a0091f8299

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
182KB

MD5
3092abdf720494eca4dc37e85424eaec

SHA1
17f3f856fdfc6481a6d0c110ac133801119fd2df

SHA256
15cba8e4b587cc45cb22ccc9740cb39b8a7818436188fe4ad2185bda994c670f

SHA512
baceff639473e4a3979fd9c7c391c7955d2571a2c3a8f2df518b4a49fe98568148379d16315eb2039d6b97adc958c5fbbb9c9e68786fcb1f628edf1e64343edd

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
182KB

MD5
11da681135e0a0f61842c87ed80e3947

SHA1
cccb2737fde6b6d554bdd29f7c6bfbf56f8e7cab

SHA256
e8a74a4c7095c9c50562237e3d6fefcf2513aa8c0c6a53ffcfdf84cbdedb319a

SHA512
52e98f6ae38b8a53a83943d88ad72ed7828533ccaf1c96be537844fa25380e3abd53a2d37ca67c9b9b87cdc20b44a123b49f40574155171ef1ebb6edf453c921

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
182KB

MD5
d6c6d373795314ef35cec1d58f44b09a

SHA1
e965a2f1c266848399864fb43c86e04218b45da2

SHA256
c19a20fcb0aeafabef5f9efc20645611516314c321c7b53bde5601312abcec81

SHA512
49a91fcfb8314ddeefafb8c6e54133108bc7e93bff304cd6ddcf9d5bb92b296b0adda2d603b8f1ef65db92f5b60a31677da21c458f8a9b5ce578afffbd828341

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
182KB

MD5
ec0f453207e121d750f145a9bbf50ff2

SHA1
836bac48a68c6fc1afcfc6342801639ef8781fbb

SHA256
c5a51c5e9fcdda9d73d544a159f9c641ebad93b4c28698bc7aab56d3f75eeac1

SHA512
a3660a6fdab61960401866306d3ddb53fd49c11265d0f8bfaa92b88010b0bf529da0a50d3b8b0c6e642f9f2c2d17cb8503895b6087f93edd194af97ad428ff17

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
182KB

MD5
841b5f3254c1b743f459c9a2e7355853

SHA1
ce434e39b55b982d60cc3e225b82b131bd96d8eb

SHA256
edaf50005c20cea90016be2daac18a005bb1f3d923e857aaefd09274835a855c

SHA512
b407a2dd2975367ae6d87e7bcc33c174b1891086185696ac09ac95d4190f221b2399109dce8d24d432449288a5e11b8217ec7bdb515395c35e3ffa758c76c74e

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
182KB

MD5
c24da4f4e2ec13adcab1dc26619e2a6c

SHA1
f88fd12c964430df100a6c467a71f3559d1feda5

SHA256
6216ed99223f6ece5127549531fac225d68de761cc25028c8c3955274d13d8c5

SHA512
8717f75dd3a67c9dd355b92dfd6bf3008a687e4a8ed686ea0fa1789e6172cd03bd33fae870cab0e9a39deb3898426aca70225c81da5c39db4ac4d0bacc2fde52

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
182KB

MD5
e434103b884592b0880aa69e2c05b2f9

SHA1
9081c6da6d726245a37b92e112972a18c963da12

SHA256
b5091b151a92eca6dfb16e8d2746a5386fb34dac64833a09b8fcddac317e18e2

SHA512
db9d28cebd3d60b185480c7efa00b59ac6d7e2c51c6e61270ba20cd2586c99a12c8ebfd9c6f245f819786914e8e5bdb9713c15b36cce695550b65364d4817239

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
182KB

MD5
83437136a2a19805d52cd702561409d8

SHA1
6a277b1a950045583c561d36bbd87b539db0e055

SHA256
7c66b623313e39cf9c6438fdf1a5ffbf068ef850ca70e422713e558af2dbe38d

SHA512
71ae02bc7ec3b685a6eda3f3fd38b40d55448d3e5796775b848763603ee1fd70a210a029e93095c56c09ae1f5f94a16d77a2c0d5a70e39b95268172527e931ff

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
182KB

MD5
fd93950d9a2be1df2c055bad06cabfc0

SHA1
801740ee53ff930e2e69586f53c4150856733d3c

SHA256
21f694b864ec1ce351d489b68362f3dbdd22e81959e3febcfae2765be5754ce4

SHA512
0675d14f5dff37c79d8f4a95221060284176416f8e163f37820c6134a2555a883307c0704e1e2a198b64de793df97a85a5b13f2110a4546e270e9826faddb82e

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
182KB

MD5
acb93045b3f9f2ead7e5a7d464dc15bb

SHA1
abe5ca8c24dc70fc2b31536c4a18618404822440

SHA256
ef33c70f0d1825e478739c4a0bcde7a0fbc5b393a71c9d3e3c8c9c169eb524ec

SHA512
bfca6dad5a1148e51e9382cafa8ffc39028a8bf267dceecc18b916dac34c0f059b7a8fc74af4470d16c8b8781b69f2cd874940e7c13b41dec8abb88493a78bc8

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
182KB

MD5
1869cb255117ad649b5e44f4472e816c

SHA1
5f77785825e2f61d8e67da6a2a14090eef1794b4

SHA256
90a2d1b990e5bacf331e5874b360e5c814e307c25881ac707b8803691427b508

SHA512
c07ba916a935d5f5ed91b0dc682740fb357584bb84c92ad532d8bfa9a0aeb5e6d1e585489522ee873a917acc13684bf2b2cd2d79a7c1944c571d8a1532867821

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
182KB

MD5
fb35acadd71576c73d9754526ed4611a

SHA1
d0a47a8ab5e668711369377d262346e59c39261f

SHA256
0d90519117456ad73b8417d675abd97f8d169e3ce1e1fd208404b20dc10b9665

SHA512
89738c1b3e0a55eee31b2fa456df9504fc9dad0ced5279c89a97c2b6113e013ec4bc0cbcbea0fc1c1d779bf71fb0e4c89b0a77a93ea9d5cdd1e6d7e1b24b20e5

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
182KB

MD5
f35024876bc96601648a32bf2ac8b79d

SHA1
25d2b2bff878c603620dbf47e043081b02ae8efd

SHA256
572e0633d397ee2efb2431dd618d9b28cab293f402f00007b4c5759f08bbcba3

SHA512
2c3ce4e27a761e228903b9eb6651274e4b4b7ecb6309f905cd7df9120dc55627e42d35ea0aeef0daae6ef551ae9a551fd2f9de46627d5d0eebe670f55f50f32f

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
182KB

MD5
5289ff3d6e4f5dc697e28513c5ec3ac3

SHA1
eaa66d32501dacfaee39dadd8aed63e20190ecf2

SHA256
1626b551ec7a7f02e68103400ed78834a0362d97a789bb2976dd8687da8d62ec

SHA512
25f04f7f6c9ab7c59c0443501e8c087196f8e1e0f99a1863fd9391d4a11b8ee30a2f97d7db6d7656f9e69c5e3368ad464c9337b094b4cee0fc64ced6c4f84ff5

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
182KB

MD5
1d02235f760d9dccd9c1900d109d7350

SHA1
f6483b42b95c32c5797e24333f0074fb22b15f27

SHA256
64c91858dfe4b3c3a27c9b8268ff56c08a672eff9954cf5f21424e9250785b15

SHA512
631f559ac51b8d1450fa9e87c7238a261275929bae5d8726ebcbc388d7cc5f947b638686d8b230f39fafe30eb75b0d8ee6f42bf31ad9fe85988ac618b2d4acba

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
182KB

MD5
d0ba438d2918c3b57e977e2680c93189

SHA1
0bec40e9c16000533976682ec48527bbd852177b

SHA256
c4ac8c436b17d9fe9fe4bdc7b23f935be06d8b8c34297337017d3a4b3ed44b0d

SHA512
5f53cf33f5594384ac7fb8b2d5f6e0f3acc5794db713cc2ae1da9676e3eff1d516f4abc18390b2cafec3faabf2434ac115c1b29ec7cf59498cbe615fb81d5776

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
182KB

MD5
47a681aac31c24bd05d00a516a256cc1

SHA1
cfc51589cc681e88c060d29850777dfbebd4f5fb

SHA256
7ab78715a15966c30aea34a5e98d627bce1933ed12ef7d73da7128efa6eab72e

SHA512
8a1fb10438f3d6300bb4014f070b4a14fadcc389d464b2c14ed43aef17419c569dcde3ec57a79a1276ba147491d7aa965875d59b83b445f5af87406e10763e79

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
182KB

MD5
1ebfe287d236eee040eed96ac89433e1

SHA1
04704ff0ea525d3bcec0b3cc5684e7dcb714a5a8

SHA256
9e93376d4ea4e7dc5ff6c1134226005f312443905a3ab2e42e952eb13c120020

SHA512
61181c9020613fdf0e7e6716dfe6923a1fe73444307fd7c39c0508f169033fe1ceec5f7129c51208fdbac252076e38d910676f5624c3e71fff6db52c9e1e1166

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
182KB

MD5
2120477cc2014b009310a66e34d18a0d

SHA1
4d94af178f2a302f3b65d83fc441468f530ebd3c

SHA256
42ea6a4aec6b16683e0df3db642b884956119592ce99469f8e2d5e0c73f7b870

SHA512
0a9d2042f67a9e89ac007f0366208ab236b1438de80820786aa058b381a9d94025b4ac58df976f937c3e2a32a575158c931547042518add90b6e2f86d05b4194

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
182KB

MD5
a797d5c9184673a9399a2d4963db56f0

SHA1
60013057e45a197187fbd90c12ab3c6838d8b85d

SHA256
ac4d6a1b5ed9679b11b93c9a0521c6b40e7eee94d137f89ca8c90262fb7de999

SHA512
e65e46f93beb481e6ebe6f5a240d91944523da99180639c2fe0723c6936f3ee484dcae08b7ffb7ea7a534b501a0141082005305cb71db6504aa21be89a263122

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
182KB

MD5
3fa4007877aa7e45ddf200f076bab981

SHA1
5b7d9f4660872322d32072826cb363af105bb6e4

SHA256
355d9f628f4f9f56dcb274cb6eda69e45c8d252cbd4595188cc5f91473c2ae4d

SHA512
99b35b98e057089f30c8a8ecb6a2212fbfb355c74b865c7fd94fd7d5d55febddd3af5c5bbe09e6da0c8396685539f42d63278c80d544a6236bc41675b3766455

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
182KB

MD5
fc4e99396968377fd57452ba7a40e7e2

SHA1
cfdb215137a881058b648f44ee0343803f705902

SHA256
8051da1a4f48841a08af42b39c066aa17c5e3773f795476828ec9e91931d3681

SHA512
cd341b73a2d549e95adc56f9ac429e2a21fc172134016f871bd6d1c171f7a6eb021274a12844cd04cf165b87981c90b0e0ebbf94025b5df5c8f7416b31fb9678

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
182KB

MD5
b48bbc5a1acec50f952f23a054069024

SHA1
2d3b0887358f30703e5e835bbc61a194602ed2b0

SHA256
071cd97cb0469740f378d3da8d3c397091c327949a2373ba6cf20c8862519491

SHA512
f6bc2dc70f81683b48f01d6e453e9674bc7c0bca64a77be58c15121c68019db9b7294f4637085f10ea3af5a373ddeedf254540e5908fb07a5f2076afa2760379

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
182KB

MD5
a4c255c2fa02e2c3c45905b1f97a3677

SHA1
a3a606e8e632cbce556d97e4f397775434bcb76b

SHA256
3171176fa2ee50e54c1a849a171655dacf952bd52ba8ec7c8dd9da923a8c0771

SHA512
46e34a6a5a0cb15a9f3b48a03227f0e9f998485ec00603d23c7f9a00e554ed039094d8698b3379775ec59a8212cc8085192cad2030da86eaaead5f5b8d122bd1

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
182KB

MD5
3832180afa79bb2898312dfaaba1b379

SHA1
8675e53cbe24e12e01adebf35a754325c2409443

SHA256
f77787e9752f5db3ba0a050f2f89c47c448778cd1d930282f60d7deef9051018

SHA512
38668ef6ab1ffd504ac22535fe6c541f5e638d259847cdb0c958f9dca17b5f0c4e13f55f1520ae39ad4100735523ca5809902772cdbe25c8aa09901d9e367174

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
182KB

MD5
ba24a2ada9bf9f5fd90f08c6744986b5

SHA1
852a28b9efa12278f03193e693be47d98afb25a2

SHA256
1c7e8f40d15ddb73da0b00d281bfd191b1d0f779dca6fb64fc1102f3a6b626dc

SHA512
71dbb4953af0696aec4776607384f1550f7a0e76e25eeb3918cb26ba4ceabf6d207ebaf1408201111363c6d25da3bfea4fd0bb803406c0da9308d01d385e2414

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
182KB

MD5
32e8060eb384e6a51fd2d1c8b48924b9

SHA1
4c5b8a6636341035e8eccf49b17302ed5d0f5bcf

SHA256
e0e70400a5e040fbac87ef16a29ecd5c786760560d5afbeb372ebdcddf6b3496

SHA512
2c26cd0fcc84984fe30db3817989cd91ee845dd3795fef8554d2e0f8eab4b4337ee29c16f38ef14225f5e108fe8a94901f12b78cde3c80c483a69c2e15fdc0ac

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
182KB

MD5
c2c9616a6945f9049780c84d8f2155eb

SHA1
6c3bf6758f93edb19b623d3ddce4b2cca8021e86

SHA256
e4c8452d6ecba423200bd7e5ac4737c1de07321ac1dfdbdc4a0f6ab380e8573a

SHA512
4d5b6af7f9ffd6fd3f5b8b334651a8c57f96a47a0fc059816419174f24fb2ef5282c16a2c9237802bca928b90541980637ca47271be4990a6e760c72d671f28d

Download Submit
\Windows\SysWOW64\Akcomepg.exe

Filesize
182KB

MD5
cdad4b10d75bd653d5cf13f7e001f924

SHA1
58323811de410c7f7e08a7648bd24de30ace6c77

SHA256
25144f5ec569ad5c64eca5b0d8f2a9205b7ba6cafd8bbbb3cb9150a1f3208214

SHA512
27b9126c8c815cf9ee52e2458f950e2167f1665f165c4bd16454fc285a0d44081e2f3fb60cc69bf15c4f941b4767fea6111f23a7cb5e070e461b9b6be13b41ee

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
182KB

MD5
f883233dfa9cf848180fa981d0041f7d

SHA1
e3873e7249c306c74dbdb32ae110db7bb08a9d53

SHA256
4f0defb4a2166ffa15d708f7810b0b23aa8f4337a323f396801fb00adf25ed8e

SHA512
c5725f1b2c18727b1fd0c283a0b9fa99b569b2a369f0c26c2b55908e1eff64efe6eec396afc2858de04da8096b5d23caf44394ee4f3c289bd447423523602111

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
182KB

MD5
4623d41c5576a029cea832308bfea732

SHA1
beb6cf7feb24fcc37f1130709a43abb6144546ff

SHA256
04bd453a9bbac1e7e63aff46810c1b0a5a99ba828a63b581e910a0b811e2ae21

SHA512
65093bc8c2ebd7591fe3fdbf1c076b7d722528a19350442f7ae24423e2956478cdd9ac15de24660e068af662b8c9026ef4cce2317a2eeb0fbea1f19763157a32

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
182KB

MD5
2afabe9229cfb5b90f81821c0c286dc2

SHA1
7956e44a89d874cc248ef720fd9e1b57459154be

SHA256
86e4e609dd30c18b95274b04f3c8929ccdaf9226b902385a6d187fc4453fa7b1

SHA512
2190678fac56fc65796a4df2d5be904ea4802978f9af5e407be71efbff04ba4cf9f3f1607ced2c6ceb0f6e38a9336347696c8fa62688d5d75990f37d9c1578f8

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
182KB

MD5
0b853afa97f429e8e7d21d92ef3839d6

SHA1
285ae5ab49842cb56c1b4655cf17fc4c7393fb42

SHA256
4c8855054ed3d59426b5c48519dcd608c6d2dba8817ce68d00a13e3a8e2658a7

SHA512
2be01237b74548cff598200845c2bf9c74e54840421d860c8f68f04c10611612b3efe86fdbe7ec6e655ffe4f564de5e88eafc61f49ba71c708b8329f641127c6

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
182KB

MD5
c7b3849dd5641dbc5ab180113a5136bd

SHA1
de6e7339368e3258c24bd8480a67983652bc063a

SHA256
da6f6ada1b2962c50a81befb7f168bbadb2a8fa3bcb322b16bdded4f947b9b1f

SHA512
8962af0179e4d74651ec7812c5734b40fd7d5b888a7aef06bc0621235dfd4ec40ca97738678154049af6ef96fcc1ac68bc2a9f0258abe968d8f12f1993c1965d

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
182KB

MD5
f5d5a48299857261ef794d7f5380378c

SHA1
df29063cb3a34743f42ac5bcd032d4d1fe538927

SHA256
5faa987a32157c225402d99839b9954141ced7bed7eb6979b8450948d11a2530

SHA512
6d4faaaaf7e989106cc8c74e868af98959f2beeb26b269b956c4926febff3d14abd0498e26752b25faf8dba9917ea196952fd7388cabd5b7c5f98eed742a2558

Download Submit
\Windows\SysWOW64\Qgjccb32.exe

Filesize
182KB

MD5
d52eac9facfc9a4707f19d433ea121d0

SHA1
92b0b9ae8361d54e2ee6c6d5a3422697744c8510

SHA256
5b0ce87a02ed40f6198ceb3d96b5bb07ed615eeb4dbd7a44a626dfa5d2fbfa7f

SHA512
cc06b66278a5d76bf5960d821485d044531615f9a9a0c36feafea773f8243e059b2d4a17d56d4dd96fff5a6c6cca1b5c9efe514c61b5d4708a61a1af426fca7e

Download Submit
memory/320-378-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/320-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-158-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/380-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-318-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/628-356-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/628-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/780-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-7-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/780-68-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1012-95-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1012-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-179-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1256-132-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1256-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-131-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1256-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-259-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1356-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-194-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1448-188-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1448-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1516-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-296-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1516-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1636-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-344-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1732-309-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1788-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-386-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2084-204-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2084-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-363-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2264-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-85-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2320-25-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2320-26-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2340-224-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2340-218-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2340-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-264-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2440-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-178-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2472-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-332-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2472-367-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2504-276-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2504-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-274-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-115-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2588-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2696-340-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2696-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-345-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2776-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-133-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-35-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2840-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-105-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2856-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-148-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2864-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2864-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2936-271-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2936-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-322-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2976-287-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2976-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-288-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads