62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
Size

96KB
MD5

c0ebfc441bad2f7da8644752fa043993
SHA1

22fa00dd714e43493a0ee9dfd64750dd0d7d92c2
SHA256

62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024
SHA512

65a00e35ec8e646a25584abb5b720da5bab164ebb2a5e688b8ef06f0f3e2c1cb4fd645de71b535be95d4112171430366be330839a5317f0052ff260c65f0398a
SSDEEP

1536:sohfj2/be4woUUh9Qw46S971hduV9jojTIvjrH:sojkfwiwwS9Bhd69jc0vf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe

Executes dropped EXE 57 IoCs

pid	Process
888	Pojecajj.exe
2316	Pplaki32.exe
2684	Phcilf32.exe
2692	Pkaehb32.exe
2656	Pghfnc32.exe
2584	Pleofj32.exe
2616	Qcogbdkg.exe
3052	Qkfocaki.exe
3032	Qlgkki32.exe
2872	Qcachc32.exe
1752	Alihaioe.exe
2524	Accqnc32.exe
1944	Ahpifj32.exe
2120	Apgagg32.exe
1632	Aojabdlf.exe
1152	Ajpepm32.exe
1384	Alnalh32.exe
1192	Aakjdo32.exe
2296	Ahebaiac.exe
980	Aoojnc32.exe
1816	Aficjnpm.exe
3008	Ahgofi32.exe
848	Andgop32.exe
1340	Aqbdkk32.exe
2952	Bkhhhd32.exe
1616	Bqeqqk32.exe
2808	Bccmmf32.exe
2160	Bjmeiq32.exe
2844	Bdcifi32.exe
2596	Bceibfgj.exe
2052	Bfdenafn.exe
1968	Boljgg32.exe
2908	Bgcbhd32.exe
3060	Bjbndpmd.exe
1672	Bieopm32.exe
1984	Bbmcibjp.exe
2060	Bjdkjpkb.exe
2084	Bkegah32.exe
1264	Ccmpce32.exe
2504	Cenljmgq.exe
1868	Cmedlk32.exe
112	Cbblda32.exe
1352	Cepipm32.exe
1160	Cgoelh32.exe
2988	Ckjamgmk.exe
784	Cnimiblo.exe
2796	Cebeem32.exe
1708	Ckmnbg32.exe
2828	Cnkjnb32.exe
2676	Cchbgi32.exe
2776	Cgcnghpl.exe
1536	Cnmfdb32.exe
2608	Calcpm32.exe
2904	Ccjoli32.exe
1820	Cfhkhd32.exe
1072	Dmbcen32.exe
1748	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
888	Pojecajj.exe
888	Pojecajj.exe
2316	Pplaki32.exe
2316	Pplaki32.exe
2684	Phcilf32.exe
2684	Phcilf32.exe
2692	Pkaehb32.exe
2692	Pkaehb32.exe
2656	Pghfnc32.exe
2656	Pghfnc32.exe
2584	Pleofj32.exe
2584	Pleofj32.exe
2616	Qcogbdkg.exe
2616	Qcogbdkg.exe
3052	Qkfocaki.exe
3052	Qkfocaki.exe
3032	Qlgkki32.exe
3032	Qlgkki32.exe
2872	Qcachc32.exe
2872	Qcachc32.exe
1752	Alihaioe.exe
1752	Alihaioe.exe
2524	Accqnc32.exe
2524	Accqnc32.exe
1944	Ahpifj32.exe
1944	Ahpifj32.exe
2120	Apgagg32.exe
2120	Apgagg32.exe
1632	Aojabdlf.exe
1632	Aojabdlf.exe
1152	Ajpepm32.exe
1152	Ajpepm32.exe
1384	Alnalh32.exe
1384	Alnalh32.exe
1192	Aakjdo32.exe
1192	Aakjdo32.exe
2296	Ahebaiac.exe
2296	Ahebaiac.exe
980	Aoojnc32.exe
980	Aoojnc32.exe
1816	Aficjnpm.exe
1816	Aficjnpm.exe
3008	Ahgofi32.exe
3008	Ahgofi32.exe
848	Andgop32.exe
848	Andgop32.exe
1340	Aqbdkk32.exe
1340	Aqbdkk32.exe
2952	Bkhhhd32.exe
2952	Bkhhhd32.exe
1616	Bqeqqk32.exe
1616	Bqeqqk32.exe
2808	Bccmmf32.exe
2808	Bccmmf32.exe
2160	Bjmeiq32.exe
2160	Bjmeiq32.exe
2844	Bdcifi32.exe
2844	Bdcifi32.exe
2596	Bceibfgj.exe
2596	Bceibfgj.exe
2052	Bfdenafn.exe
2052	Bfdenafn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Phcilf32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pplaki32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Alihaioe.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Alihaioe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1588	1748	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pghfnc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 888	2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe	31
PID 2512 wrote to memory of 888	2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe	31
PID 2512 wrote to memory of 888	2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe	31
PID 2512 wrote to memory of 888	2512	62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe	31
PID 888 wrote to memory of 2316	888	Pojecajj.exe	32
PID 888 wrote to memory of 2316	888	Pojecajj.exe	32
PID 888 wrote to memory of 2316	888	Pojecajj.exe	32
PID 888 wrote to memory of 2316	888	Pojecajj.exe	32
PID 2316 wrote to memory of 2684	2316	Pplaki32.exe	33
PID 2316 wrote to memory of 2684	2316	Pplaki32.exe	33
PID 2316 wrote to memory of 2684	2316	Pplaki32.exe	33
PID 2316 wrote to memory of 2684	2316	Pplaki32.exe	33
PID 2684 wrote to memory of 2692	2684	Phcilf32.exe	34
PID 2684 wrote to memory of 2692	2684	Phcilf32.exe	34
PID 2684 wrote to memory of 2692	2684	Phcilf32.exe	34
PID 2684 wrote to memory of 2692	2684	Phcilf32.exe	34
PID 2692 wrote to memory of 2656	2692	Pkaehb32.exe	35
PID 2692 wrote to memory of 2656	2692	Pkaehb32.exe	35
PID 2692 wrote to memory of 2656	2692	Pkaehb32.exe	35
PID 2692 wrote to memory of 2656	2692	Pkaehb32.exe	35
PID 2656 wrote to memory of 2584	2656	Pghfnc32.exe	36
PID 2656 wrote to memory of 2584	2656	Pghfnc32.exe	36
PID 2656 wrote to memory of 2584	2656	Pghfnc32.exe	36
PID 2656 wrote to memory of 2584	2656	Pghfnc32.exe	36
PID 2584 wrote to memory of 2616	2584	Pleofj32.exe	37
PID 2584 wrote to memory of 2616	2584	Pleofj32.exe	37
PID 2584 wrote to memory of 2616	2584	Pleofj32.exe	37
PID 2584 wrote to memory of 2616	2584	Pleofj32.exe	37
PID 2616 wrote to memory of 3052	2616	Qcogbdkg.exe	38
PID 2616 wrote to memory of 3052	2616	Qcogbdkg.exe	38
PID 2616 wrote to memory of 3052	2616	Qcogbdkg.exe	38
PID 2616 wrote to memory of 3052	2616	Qcogbdkg.exe	38
PID 3052 wrote to memory of 3032	3052	Qkfocaki.exe	39
PID 3052 wrote to memory of 3032	3052	Qkfocaki.exe	39
PID 3052 wrote to memory of 3032	3052	Qkfocaki.exe	39
PID 3052 wrote to memory of 3032	3052	Qkfocaki.exe	39
PID 3032 wrote to memory of 2872	3032	Qlgkki32.exe	40
PID 3032 wrote to memory of 2872	3032	Qlgkki32.exe	40
PID 3032 wrote to memory of 2872	3032	Qlgkki32.exe	40
PID 3032 wrote to memory of 2872	3032	Qlgkki32.exe	40
PID 2872 wrote to memory of 1752	2872	Qcachc32.exe	41
PID 2872 wrote to memory of 1752	2872	Qcachc32.exe	41
PID 2872 wrote to memory of 1752	2872	Qcachc32.exe	41
PID 2872 wrote to memory of 1752	2872	Qcachc32.exe	41
PID 1752 wrote to memory of 2524	1752	Alihaioe.exe	42
PID 1752 wrote to memory of 2524	1752	Alihaioe.exe	42
PID 1752 wrote to memory of 2524	1752	Alihaioe.exe	42
PID 1752 wrote to memory of 2524	1752	Alihaioe.exe	42
PID 2524 wrote to memory of 1944	2524	Accqnc32.exe	43
PID 2524 wrote to memory of 1944	2524	Accqnc32.exe	43
PID 2524 wrote to memory of 1944	2524	Accqnc32.exe	43
PID 2524 wrote to memory of 1944	2524	Accqnc32.exe	43
PID 1944 wrote to memory of 2120	1944	Ahpifj32.exe	44
PID 1944 wrote to memory of 2120	1944	Ahpifj32.exe	44
PID 1944 wrote to memory of 2120	1944	Ahpifj32.exe	44
PID 1944 wrote to memory of 2120	1944	Ahpifj32.exe	44
PID 2120 wrote to memory of 1632	2120	Apgagg32.exe	45
PID 2120 wrote to memory of 1632	2120	Apgagg32.exe	45
PID 2120 wrote to memory of 1632	2120	Apgagg32.exe	45
PID 2120 wrote to memory of 1632	2120	Apgagg32.exe	45
PID 1632 wrote to memory of 1152	1632	Aojabdlf.exe	46
PID 1632 wrote to memory of 1152	1632	Aojabdlf.exe	46
PID 1632 wrote to memory of 1152	1632	Aojabdlf.exe	46
PID 1632 wrote to memory of 1152	1632	Aojabdlf.exe	46

C:\Users\Admin\AppData\Local\Temp\62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe
"C:\Users\Admin\AppData\Local\Temp\62e61e028db7e9266145ca394cb469869d81b1e6ae24ee524be44eb3d1c7c024.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\Pojecajj.exe
  C:\Windows\system32\Pojecajj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\Pplaki32.exe
    C:\Windows\system32\Pplaki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Phcilf32.exe
      C:\Windows\system32\Phcilf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 144
        59⤵
        Program crash
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
96KB

MD5
d5d02c9f86a20e270aceda672b821000

SHA1
6fe67a11c118e20bc5dd0f8afe4ff8013349aaeb

SHA256
dd5adc3070962555c95d8c07eed4b3c2e6adcc8d93fc3e8270e53d4cc540f14c

SHA512
7caf32090635f3e5c66ac4dc9dc1759fd4433bef3b9d3cd8316c42f30636dace3c7f37efc771d5f407399d0ef2f7f67946715173b452b3ac209c8635f2a37bcf

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
ac5785f700b4eb3325d57d5a19b6e1b3

SHA1
052d5d34e1911f9d6f7eb40dd5a695934fb0d200

SHA256
59335e22ee711e37611b0016a117d3658e1e228bee81c282edbde0afd86ab16f

SHA512
07643bac0f821315555d5468ab9e76378ce460223101041efcc6aba4a6c5eeadd4996bcc132704364163874defdf26a5ecb3dcaf81e00789dd92434721c68682

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
96KB

MD5
f09de3d58cad3144b06056902e4fa172

SHA1
67a9f7881e7a6029568b8105a0257b5777957707

SHA256
f762f32afea2f54c6017eaa4f9c57b0e50f48bc005b1981caa514573246f294e

SHA512
b80cfe272f0bf643783680f3aa175017cc6ba8a015c765a7372e66d3fdede7d7ffc9ad37ec32da0ce3eb06958f3796910062589b59342ca18244c4bd69fde919

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
6d879e0cecbf670e6f2705067919715d

SHA1
a242e45d0e5f625a73feeecef056853260854577

SHA256
f8a82571a138720115678605040d6c3f9d172de082b6594b1ac39d4f6f507ecf

SHA512
80af36a4aec10157cd03048c25bbb803f70a9a50f8a2e019400d4c7e70c7fa653b207300cbdfb5f789de6f1bcfb4384cb836bacd45d0c1b333c10be1d6065e52

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
96KB

MD5
c3a693f5b952eba2d68235d920be1d42

SHA1
c641ceaa34a841ba4844bf2be121c2f1a369b323

SHA256
5ac20ac26e26e133a7d17f247ac6ef4502c9487cb3eb49a585f978744571d3e8

SHA512
0b27321312c45cb9fb454506a11fc89556a1a4205e9f07e79be03cae92c7f8b7fb1806afd0b15e0bdd734ecaf35a29f4db177b43d9aebfe3da1f288c46b11a5a

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
96KB

MD5
3819bee297f24623b25e2106c3e9da17

SHA1
e7b61291804b9aa0a7672f179b6d5c246350ef60

SHA256
7dedd8a53cc383fbc42bcbb32a036e46f5be1228819acf9bc81e45904301f687

SHA512
5bfd17450f2c5ee68aaf8065d9141fa01248d14cacbc850972be2012cc15e8c9c23ad6de18df753dd76a6e92172d1eecae39b2ba39f734e6b5361f537d5f41cc

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
fcd20b324fcb8b2e188d423092c0af06

SHA1
8c10e34d1ebc1cdc13fc5a7c076b814448eb43e8

SHA256
d3e35d444c2bd798e8d69c21ac9b13ea37f4a9026cdac6b7a27ce63d9063ae28

SHA512
5b38a77c5cdd71240f29624b3e5d3ba8df2159243bd330f1cda6ce1579a8297f06dedda54a9af32688a510c721c4744c32d95fd9d375a72b0c96cfb33a1e12d7

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
96KB

MD5
90edb2e075abd5ae5a61dfa8777c05ed

SHA1
e35a821c332e9ec7aecc8601d1c0bb37652c8d5d

SHA256
580d032ff295d04ea079afa84e554b48f372f2a51f076784010ddbe1657d3e49

SHA512
72caa81257c2730451b87b844abfae33eab2336eeb3c1756ceee33b7bd3c92e7529e01f4d00f0be6e54abe9064db44ab9f092248c208d9457d57ad9fe140d027

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
96KB

MD5
77bea1548297f2e2819075e5466d9de5

SHA1
69ee059b7fead00755edc271ba100bdaa0d0e342

SHA256
884c78b265f94451b0b11072156c71dc09161f3bf467f7ee3fec769c6a5405d1

SHA512
4826464320885d838d6a378f29e51ffeb087316762eecad3ea661b405f95faa9988546e2677248a98f4dac1410634924a2f10efbc6c0bf06033860ce08827493

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
f778554c94e02c5671fd982aaca79501

SHA1
ed6a629cab09262d8b3646afa779c91ab3d50bbb

SHA256
c5bfb3206c93192c11c9ec10f046317875151f3461a793af1c1430c122c1b6f0

SHA512
d5283e1f4adaca4922dd568439ad4899336b00ac6bf754daaa5c88d7ea9e55fc5eb66713f23a066dc596254f451bf960d62e33890cf28ac4c97c94c9bbe02ae3

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
f408dc5085ba0bdea6829e2f6f7a7a0e

SHA1
cf58e1641b39f49334c5ab37344e8b923401eda2

SHA256
6a0c8adc607d2638c83c0c9a9a99e8c2caa7c2ec5387bc2bc9d99b75872f65f6

SHA512
9a5828e7ee04fdfbe7b3ed721690572e6766ebe538406d8e104dd69903f72e15743136ad0df3fbdc2efc6978b8be751e61a415410d178c3c07f9c2a9d1ce464d

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
96KB

MD5
d19a467b226364bb0b2978e1c53aa91c

SHA1
9389fdcce05bb5749fb30e7f8eeddf80a4484803

SHA256
0f3f503b9fa806f989fd3d30a1b33c6df97bb5facab2d43553e3fd915d6a3fcd

SHA512
abdab0fdae21f07e79c056923dce09b5445c1307348d95ddc3b407b1539cb3c3236278067936164cf8cdd7bce0d00697a09ebb938f9859c78173692526b79618

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
96KB

MD5
6dc351c64a4efc484a5e71b09d4c3b50

SHA1
3fbc3785fa79fe3381cea8499f360911cbbab464

SHA256
caead60677247d25b365250833374fe322753aaf12acd979c5e3347a951fd398

SHA512
a2602691d18c34ef37592f2a9c12801d37e437c393128abcb3f386d5ecbd6e2727f5799fd6a671c2f22f33ec6b7adf7058d159a06e0cafc4c60440321284b8a4

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
136f4666283e96465ebaae1fc509bab6

SHA1
5e715d2cdb9385f13f6bbf0c92cefe1d776f9c95

SHA256
9c33697a92e10239b1f6c7ce783d84650186eb4b77e190b82afc8f9dee31e3e2

SHA512
744bfbacfc463d3542bc053c97449ca6dc5b4cf5a70a2c1f7687127d002a7142c3c97902531786d52cc81e3da71127f91f0f29f3ecd7c1850d7d25b6704dcd4d

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
c85f043f7e123ffafaed7452fa2bc48e

SHA1
305e50ccdec38d41ca01b57c5ca621730aff4bae

SHA256
34c774fb56d7aceb08963107a143fc1962af9b83c095ea04f495c403b6b2a3d3

SHA512
010ca633755ca0fc199076d271b3e79d1f58d3760aa51539845a7268ae4d60277712817a81abe942854cfda9f6c18fde43b54bb3ca32a5c2bde5d5411cb70c81

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
96KB

MD5
6cbd8a820f8beebbf031ac07d64be7a9

SHA1
b79b4cba0020215127aafa68774fcf284dfcbc47

SHA256
434271ce922e5150254f54fd171abeb8fa57770300d777f2d67a0d10669512fc

SHA512
1fb7ba244ab6457d5718fc1a38bb2f55ea58685ec4da7477bf3b7b2ca3c42905d2f83063ce97b005956ce4ed5e3132e38acfab57ee21da212fcd6858509ab48c

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
6b19530285c0a2b19d38ee81e990eb0c

SHA1
b78e8554ca7ad8259977db91ae137bfb868496fe

SHA256
63413fe0f8eeac9230bb28a4038b38cbf1c3f1a908e42d5766686041135d4826

SHA512
45e90c5186268327607e9e261f5ef797ea11c04853aaff490b1554ec9c3f351ef2b47b6be09d02f6e11b65fe82019227b23672a2cbea8097997e29a5d131d4a7

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
96KB

MD5
560f23876beae45602eeda44c3155510

SHA1
f50d94c829eeafb1445873b0e3de6e72ea82d765

SHA256
161061c98eebe63766e8c57173f8db52ef571e273361661fe45e9c946b0f4474

SHA512
b553f260bbd9c51abc0e8b5d814ed2339d92c522085ce3164840d409d92506b0e59a44719a416b1a9fc49c333e7204181c27468997108105e8d3107f66197176

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
96KB

MD5
f444300bd8e5edcc2866280ad4a8358e

SHA1
80edc8ddc1b27b1f4de4956d97f00e2558f028c0

SHA256
08bf6e3a9ee93d2f604d9795eb832b4e5c03903547dc67b2ff3c9ebc99b09d87

SHA512
734015b5ab61c5d0cff2ea1e7eff57e79a657032086642c67da52b3ec6456d548f9d6083d79ca12b96fa605f941d75c8066a0c0ee04093e97ce9e7338a0c47a8

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
0616b81ae5b4ea78c6ba4bb633e4bf43

SHA1
fbd99c7d38977aebf7d06619996ee4064d068dfd

SHA256
5c5de4629156fd9c52828f2e365f6ccd9e4364a9b226e27a633af8834a90a1d9

SHA512
c6dd0b612225f4067cb42af667c4ba228f9e29d314ff08f0c7e24dd0c267fc9dc2616134d202466c3b55fde60082c08052d7e6ac2e0a312f28677bebbdce9f8a

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
44eff3ec6f64e336d0f40707ed129edd

SHA1
6f0185b590e1b1804cc9cb9281230cbc2aa9339e

SHA256
d9044f12e151158258db6f53c709c2100c62f2ef58459a303da3ee1bd417668b

SHA512
c51476f6cef9999a145b950f39fe309ebda9b1c73353ee9c24c4ea5632caf914358dbfcb4cdbaa137816264fad0606903ea657cad55dff9e9efc0d63e4cb0cad

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
5dafafd165654fddd5ca3f3444089d61

SHA1
c88a96ca5e6d4436a0919e8f6f970c97d017efcd

SHA256
595082d547b5af22c38ecce89a1b0885c8638c22ff249d8e08058958ce99fc82

SHA512
0b335924f909e03ad8101bb141c79d1a133b9083f39d26251a5eaeb16375074236f83834562835190f1e3446ceae889abd2e05b4b1ff88ea3e46ee458da3a45f

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
85d19e4aedc71697de24be8cb7b6ff65

SHA1
53cac67da84f58974d154b2c298e2b9804b25525

SHA256
8d11f27904035f7dc749216bda1150647495d74718f1e2449f3686f23e981a87

SHA512
cd0a748c94359158e4b1c6392f81c7e446d8934211a55e5fa36554351d6e6e677bc1eccfc50541c00b2bbfa6833a050654fee891ff64220e60f8be8872d95266

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
cd2408e02e7d013b53897acf6115afb1

SHA1
e97de6405b05cb6c10660b3e28068f7d2ae12120

SHA256
9675caf912a9fbc4953a7694611c3791c5c62c495bc62b2fe0071bd9060ae860

SHA512
929ba50aa1db5422e93e3cd647003c093ddc778f03cb2aa1ff088eca93eca2eda8b553d37ecd60c0a8fd2f01dbce94bbbc09dec962f4c95dc074670017a5fa9e

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
96KB

MD5
d5447cb147cd94cfcc7bffee5b52d055

SHA1
2de6ab5516edaee1b3a55927f1e9d4fd9eeac3fa

SHA256
06a1968edb4798cb1d67bd634e81ab073a8b1fa3c391ab0289eb686d7e71041b

SHA512
b0fc0eaaf95d272ef30037b4c7400719ed84fa9f7bc7d456db5bbf1d0e3597dbaa0420dc4354af64d0f07b042e00b6265c6a0fdfde089d7c34e9c674a24c17d3

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
852b9244b5f2ef7755e3a9c3b17e2659

SHA1
ef6dde219bce860303b0e9225ec99fffb270d3f2

SHA256
bb45eb2ee237615087764de3c60dbf582d0d53a6d0b018f0da79dd29aaadd310

SHA512
5d756dec79624ea25e444cd78819fe9835faa6e2fccd9943c592364712fca0c1be7b08cf1e4a1206d48c8dc51196caca8a32f220446a2947cbd5080f3a2f0f74

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
a96e85a132e4c9627279c9b59386cd06

SHA1
253b19e8d72a03f92674135872219be14dc1a2ae

SHA256
fa3e3b5c5228ba7d7ed2fd81a7b16312db0cf3eacb0ff30d2f7108bcaaa6cd03

SHA512
191a7dbcd06bb6bc2d45b18363f495bbdb0705723213470f92ee6a222bc6ef6c8f7a84aa9bee056a8c6f12614d8a36cf256ad3d4c42337aeef2d9d41cd4e76c5

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
5c57cb9f49855664b540435650722a7b

SHA1
880575b57b59cd5830e37593a0bae938c38b28df

SHA256
3c10bebcbb21c6456128143c3c816e1714d01d72006b3adc159d71838df8ace2

SHA512
c1d6cfdecdb4c5877cfdb4a454cc6297ef02a2cfa209acf64957d92be846aa9dd3ac5f16f99638dafb579597f5cb25bb67d54b2af6c30befe3a03513d1ac8d6c

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
58ce02ec0b2cf6d0454cea71cd083c0d

SHA1
cf880e86fbab55ebeab2736a9e0e9c9f44c18996

SHA256
ac29585e3ff311c5077af26a0c99da8f8368700b2c702e117fa33b7636dfd634

SHA512
ea5c3d77928d16f6b15963d527c7d8e1ab78c55765f57f560ccc2919b3e2efec8ec85a3382f3bc0fc140f4478d3e2891650c8de819cb8f1329dc75a8bce2068d

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
69bcb9270dfbeef174730afa999b0a69

SHA1
4744b6a0f5e54f95d76bde2eb8eb67d0c91cb546

SHA256
a8565bc06ceeeac6f39c76340551932498ecceee816a2c3840a47835772a2b2a

SHA512
72e24e9a29b7fd40aad7267fda946fe49306afbf6ecbcbe286d413b0f1985fe9b3485b07d3d5812dff6e2ecdc60447f592e2f5ae4d97283dcf71f11c74fb5b95

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
07c7405de26790b000c12f68fd4e1531

SHA1
0dc3902270d812d4de14931a9c37087a24c96590

SHA256
cd5c071e653c760a0cac00fb4d85b03ca01ca0c5126c8e2b80c15ee7b5f2d990

SHA512
d206f3c0f4ece76061a3ffccba71238cd6b909a2a7bb7c83c5af5317689f3d1dc3a055144531ad10bd86bbf3229ab06a711ea4309357aa11abe8bdbe6df59071

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
2747b690d5d89eec5b578e7f5dc0a156

SHA1
a5948a3d37347082de9dca8557cade592d2c2faa

SHA256
6de3a20c8e5a989b95456fd16a10e22ff8caffca775ec09fd2133d012ede8efe

SHA512
e0763f3d386187ccb2c9a420c623f1af8ed8bdc65d9e00b32ac6e4f37de9b500a9b81ef2e26989e0629d75fac00b9b5cad956b092b3afe819ad1462f11c2ec47

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
01aa91858435eb8c0da0ec302e8e54f6

SHA1
8cb5af16b57bd79da89fe22e379e4fbaf2f335ee

SHA256
27656e4a7fe68c8719f29b6c24ada0f4aa6331f02f531c229649d191f705ba19

SHA512
1ae38c06b260913fd2ed3c52ed8ea31a5cbd194ec45e2c0393bd5fe5a72f40ff3c3b03c46f9c3ac9272c981ea9daca00f02462ebf4412c7ee997ed28396019c1

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
1a7034e30a0b1003b2b1232325514aa5

SHA1
4d5d11bc140b59778be6ba20fe7e74955b48119f

SHA256
36c47aa25b81bea10323a4d638993962d163e644b590a30067c9b37928b2310d

SHA512
135845abfb4ee61c35087d21ba53df4c47d1f9f580c49156879dc7c19cd4e425b77c35cdcca66b7fb2388f539b806955c209be108f94541760f73372f6a0c38d

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
9ec44d00f3c518b0beaa5db893e8767a

SHA1
cebf00d14abc7bd719dd12da121d852ff6da07f2

SHA256
f3684c46d11473979882f824db05296ab5e4e6cf632db05e7bff1e0d6b55e9c8

SHA512
a72e30ffe7051479007ea4ea405501ef2c2239796ff1697d6816f68fd71ba57bda0e8eef646a88da2c973f1a8508340bb0152fd196b461aadcddc266e3a0edd6

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
8710d757c9fd3381a10d104f271264d0

SHA1
30480975db4e8dda32660bc3d1bb6de7f04262b8

SHA256
2be687085e825f8191a7bfe4ae59d7024a6f4d73d4f31b0044cd08a1fd1b1353

SHA512
bbea56bcd43867cd4a0dc60862bcdfc299d17a47dc95574b56ee34bf86c6096a6bfe51579613438d58cddda1ce54db40823c8854a90e6cbea369e012cb0c57d9

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
e46faceb59c7eae4181e10a1aac3a002

SHA1
e121845a9bbf5c56614c00a1cdd719f8f42da99e

SHA256
77767f379235369f81f027d57242b0bfec2528a69a73baa57b3b04580eba2f25

SHA512
db01fd5403449c69068e65e9b76d8b914faa665326796679a553fe765320f82e2198ae36a2b9000e5f8c036059589ce60bcbad84a536c54ef7bffd2757ec57c7

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
e75e4f55f9f4418a8acaefb1ff6d80a1

SHA1
7907d1ad6f30796dbd9665b7e5716d74106ebb5e

SHA256
e958facce86d3358c38a9057a7b81846459814a017a6fbd76c297b013e6d0569

SHA512
090e3e76bfed0c812549b6a0b03c7f0777f27e5bcf46b303c455bf6372819aff6554905482e3be5be96aa7a5357c11d9958b59f1fec6dae8ff97e9ee45472c10

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
9d6514b62feddb0b9d5c3f77524409be

SHA1
b84d7e3cb2c542c7d03b7fbbae366a3b00941ccf

SHA256
b75b3689984c5e9474bc13223a3135b5acc44d02574f3940e9a94f1b923945ea

SHA512
33cc3539bee7f3dd10ec85431a4d7e9a1799e744d8e888a8e256518d886895b422c566d2adf36511eff892ad8ee73ca577f19a78a85eb14d867a8b1324f8f1bc

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
8ee6cb821095cc22cbb84daa2e317555

SHA1
610904ef0696906418762fade0fb3ce00ecdebc1

SHA256
7d258a95a09443f2c72b8896dde34cc90aa275838ee0c9ccd305b770d3ba3f1b

SHA512
340411824658400861568bd6d8c482c062d0b802892eb770eea2fe533cb5e1d840872428ecf22d098017b303ac205987c4d02b24b48b066b6d8fc803eace83db

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
459e5e42cab1af1efa7b00750088c92e

SHA1
bab7b5d95806c1d1a713b5eeecc7979aa0c38454

SHA256
683462b2cb2cb4732cf236a17a7b1ac57d2e6b5f64268c1b36bdc61e5d800117

SHA512
19b01002a71eb7c7a4292a57aef3d3aed85eb50452f69e0de517cd7eb0c54f99aa49888f62132740443d8ae075c1cc0ff609efe657efaeb7aceb09e21f41ee47

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
07e872d49ca01f71dab12fc699fa3dd4

SHA1
6bb7ed448debd7fe757926d8b087e2844cf2366a

SHA256
2626c01a9c877c047bd0f247f0de4b3711f61dbba9a9fc1d5e868c747149f61e

SHA512
babbf7c4b6dd35c032f3f6bd9cc45e52061e0ee6d0b4a4d246f14376ea8113a64972f2fb199042c5ed893f8d3cdc05fca3e826bfdd25a78736cb13c40a722bc4

Download Submit
C:\Windows\SysWOW64\Leblqb32.dll

Filesize
7KB

MD5
573d2536a7b921310df2aff3803f6f0a

SHA1
73748347a635da9832886c3773037aa6d68e5c99

SHA256
9d3b2d61dda92da6f482eefd444a16f69aa99b4b62249e641fc30490d262074f

SHA512
2ad9bca079f954612f493fd2e9147e47edef1b60ae5a13da2281f2bd60918ba78a8425a4ed8399a86ca6eb724d8f0df8d2d5545cf5316ccf31ac8ef3c9255ab0

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
96KB

MD5
c90549dcba1f26f1e549d5f2684646be

SHA1
e3125079b4e3d8cbf77f61971a7a7a60305b1548

SHA256
81022c231a8ff734fb4399fb63281772f9c6cc9fe13c09c07884d55a2ca9ff3e

SHA512
5ebfe8349fc0f2c0f46ba90c8eea779bedd8a8928932d0fc1b986c37acd6e9fa4c39d8331a03173807fbe8e01509e9fc516ce142bc7a2f6e1903d04137e25559

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
96KB

MD5
71f4b2cfdad759e85269bb44265b28b0

SHA1
6e1a9bfa70c24d2d7a92510f0d6a3181f76c0450

SHA256
cda75deab9e8d5304178882361627b44c815746f654dcd61dca0f191be4acec4

SHA512
f1832f0b2c1d3f7aff21af8113a7568a182384d1b0b34150194de9a259db1e1c0783fe8c200f2083ad9214dd7ca9143b22174c8f7cceee0142ff5b808b411abd

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
96KB

MD5
a8f05770bb426bbb84d4b01fdd59d6e0

SHA1
c7373385eaed52370ea241da7edddd5060013b21

SHA256
b4a9afebfc05ab299918569cd30141ba7fcfe4899e606d105675103aee2c44fe

SHA512
c8b2091911ff7b4e8bfa848d8fd91d7dd9cbb21db7a516538fbc3eb1980a6062ea8eda0cb5cd8517efa428986f63818786d85b356afa2c272b621ad287112af0

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
96KB

MD5
b6970273866751fffcc74d3468ee84e4

SHA1
ab56ada0e000f99c13ca4a1e47fc5efac4595c40

SHA256
d778c58871b09504e486b0f8aafe2f3820cb34ac58ea22630a4fcfed47ffeb51

SHA512
a6bb53232812ba2cc755c40580f915dc5be795485d94f031a58ab05e37eff32dda62b692e57689f8f05857ef0e983cbaec9c042cfb951f0e7b27521f7ca16fda

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
96KB

MD5
ca2832040191b549303a8dc473e13421

SHA1
5aa1e05bdc6fbf8b0cbe580a988fca6939260b1a

SHA256
de569f923d819ecb86dfb3e40d89ba646bc3b1fe12e84a13c1d9a9cb329c0633

SHA512
b72cd1c0597c2f6c5fd7cbea963ff30fcb933e4bf075b2f6fe7308047011b8c8d14d6a91c7acd4758d26a0cd059e6148945219386789ba309d37f9cf69fb9e92

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
96KB

MD5
4c366b301c30a9dc9cf2ce85c0cce7ca

SHA1
0e31fa11033ea656be29ff56a451ed9ae7478ffc

SHA256
8aa22fb112df21302595a9da731f1e134add19eca14615fcf4707dd1ab5547bc

SHA512
8cba66f1eac617ae7f704add8d7d4a1c8bbdf545497b630426946c6ad29e2ff7b7e124d3d003ddfbda8946b899b4030faec2fca2c88215353e3e7938e7137675

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
96KB

MD5
2484789d1cd9810ce3ce9f2a973879ee

SHA1
d3e3abe8a6901d20ce0502f7bd53e92270db7419

SHA256
ed4f6e85cb7a7a539b6e8c810d962734743be172434f2b9912a0bee5aee80305

SHA512
51a63f55e246273bab3fddd4d55e7559ae3a265374216358e65de3006a9285658e0929a063ff75beb5e478f3ec5ce2093f31c28a26bfd5e494d3b6aec70901f6

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
96KB

MD5
a557f2de5ad82b9904931cc2eac8cab5

SHA1
33c1f59735bd5ed1f65d8901a2f6014947a69d14

SHA256
7dbd36ec524dfc6f49d04187dda4297a95602949cf556b0bfcadb1060380d1f9

SHA512
0c3c2a839769071bb9179efd4d62ea84b3046e4900c9c97cc64d3011126f3ad754a28dd34245e73f76cf8a316bcb6e65bd7f8e701ac435ef6e1b6cd192faf913

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
96KB

MD5
839d26e832dfe1de12eee82531153183

SHA1
3eae0525de60414d959ae6c13d00713fbe978d2c

SHA256
41a0ddfc7e529127c3e2b3ac97b5c3e34ab84ee485a57108d9e1f1211a6af6f1

SHA512
75d19645b607aa770dd6ee975df14b3f48452ed89321dbbfe40254826cc6b02314ccb9d1c3611d25dcf094ae4edd04735ab8a3c440a466dd07e05767195783d1

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
96d764b82cfe88b2018c26fca631a8a8

SHA1
90130144653664ae878a45dc57d442c04127952a

SHA256
26fe8a92a99ec81ddfd6f095313fafc24598eba9644972966e317ba56f066534

SHA512
0aaccd44273f8d8307d20e776df3a8330c40b31dd647775857ccf2e55e81f99f09b6be0c3afe14a30c714e19021f42d8c8bec6ba625030e66875cfcb47ee6b4f

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
96KB

MD5
1139efcd6293851831e29c35bc9852f4

SHA1
656b1d4e5d7d7c9feb26d7f67148a815c3e0d862

SHA256
5f4bd03247708922f15ebc7216fb033f10bd1e1177a8a95e1b2c9a9281e3085a

SHA512
eeec4ba5a5f55a9306546bc09ca346e751269bb79c7e469ffd219f9e5f23702c540ab0c44d5b63323fbb97e8e1676f813487344e62367393e571fbf63de89584

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
96KB

MD5
9ddeb22f609d85be9d11e1054fa891bb

SHA1
208861d3622870370d08b0db3ba6353e3689c69f

SHA256
1d0543df14f19840a96f33351ba996fbeddf0c6ff6f564ebefef925a83582a6d

SHA512
11fc36539592fc1da4601accf2339a0149b9c8c8dd06eb52649bba53c8c0c13fb061c6bf66d17799be94cb67431709d1de1444db86049ad1c6203306e659e6aa

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
96KB

MD5
f4ea26342fdf4a585a3b12ba1bda78e4

SHA1
b9b9c1207770c3172255d689a108b3fbe93db0e1

SHA256
ddaebf56f19cb7a4a16142fd310a6ca08ff9be4fc839da85a85f6a1373515227

SHA512
66b0202a144666960f5e8fa9f3674d63ceaf987dd10e30322b464d7243f4dd6e000e184bafde57b9286d341918d334e7c5ec4b2c0f6fb915adde6c01a2fefd8f

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
96KB

MD5
6af5e78475cc87a2efd0bf34fbf30eeb

SHA1
9ce61200eff1d420487ad70c38e438ad2cb1ec28

SHA256
6177c18306cb53d772ac860bcfd13d5cd0510abe62b1ddfcf4327c2bdfd5bba3

SHA512
4901966e1e7fa9e0d61a0c14f0ebd633ef160ec51ef179b4765d41beec6d45b7c545b721896efbe37f0cd332125eb631a4a610919ff49801760e56485f3f1e1e

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
96KB

MD5
befa44a3dbf32734f873cd52dae9002c

SHA1
e69d1b2b6face232ad257664c85bc8ae51b985d2

SHA256
552334a2e948c146ce28165c3d0525202366248d4b24c21969c9470edee549f4

SHA512
48d511807f9f5cc07ef2db990008c118af3ba4dc2a6776a5b3375f887c9c790f3d9c002cd930b825d06f44c72a9a5c225e829e0fae6c1892ddc35113fd3462f3

Download Submit
memory/848-301-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/848-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/848-300-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/888-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-269-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/980-258-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-267-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1152-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-222-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1192-245-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1192-246-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1264-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-312-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1340-311-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1384-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-236-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1384-235-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1616-334-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1616-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-333-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1632-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-434-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1752-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-278-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1816-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-279-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1944-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-404-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1968-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-390-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2052-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-465-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2084-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-200-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2160-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-356-0x0000000000390000-0x00000000003D2000-memory.dmp

Filesize
264KB

Download
memory/2160-355-0x0000000000390000-0x00000000003D2000-memory.dmp

Filesize
264KB

Download
memory/2296-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-257-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2296-256-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2316-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-487-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/2504-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-13-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2512-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-6-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2524-173-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2524-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-454-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2584-93-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2584-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-377-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2596-379-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2596-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-51-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2692-60-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2692-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-344-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2808-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-345-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2844-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-366-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2844-367-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2872-142-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2872-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-412-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2908-411-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2952-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-323-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2952-322-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3008-290-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/3008-289-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/3008-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-476-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3052-115-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3052-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-423-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/3060-422-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads