2dd2223ba740746f7971428583eca89fb19f9a03eb9b31c6cee112df8716f822

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25e7ea7b1e5b34362b8dcc229aa81710N.exe
Size

80KB
MD5

25e7ea7b1e5b34362b8dcc229aa81710
SHA1

4da347d1537f1bf5aa0f027f4a526dd687b0455b
SHA256

2dd2223ba740746f7971428583eca89fb19f9a03eb9b31c6cee112df8716f822
SHA512

747c57aa4dbee1841fb6de89e91eca14d20ca457af954a905418123b64096d2a17466af2c4e6bc9eed23e9b15a6ac57cf3e5d05305b9c61374edeeaca4ee654d
SSDEEP

1536:tlRKF9fQP6ZxHa2eXaQxVEnHrahb7xS3nZsh/CYuceaD2tiS6FeJuqnhCN:tlKfoma2eXaT2hb1CshyceZ6FeJLCN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	25e7ea7b1e5b34362b8dcc229aa81710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	25e7ea7b1e5b34362b8dcc229aa81710N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe

Executes dropped EXE 51 IoCs

pid	Process
3024	Pgbafl32.exe
2820	Pmojocel.exe
2632	Pqjfoa32.exe
2312	Pcibkm32.exe
988	Pmagdbci.exe
2836	Pckoam32.exe
2004	Pdlkiepd.exe
2984	Pmccjbaf.exe
2456	Pndpajgd.exe
1972	Qflhbhgg.exe
3052	Qkhpkoen.exe
1280	Qngmgjeb.exe
2180	Qbbhgi32.exe
2508	Qiladcdh.exe
2204	Qjnmlk32.exe
1060	Abeemhkh.exe
2296	Aganeoip.exe
1208	Ajpjakhc.exe
912	Amnfnfgg.exe
1784	Aeenochi.exe
2216	Afgkfl32.exe
2340	Annbhi32.exe
2356	Aaloddnn.exe
2372	Ackkppma.exe
2560	Ajecmj32.exe
2208	Aigchgkh.exe
2672	Aaolidlk.exe
2172	Abphal32.exe
2348	Amelne32.exe
1632	Acpdko32.exe
1608	Afnagk32.exe
2464	Bilmcf32.exe
2148	Bbdallnd.exe
1372	Blmfea32.exe
1804	Bbgnak32.exe
2140	Bhdgjb32.exe
1444	Bjbcfn32.exe
2804	Balkchpi.exe
2272	Bdkgocpm.exe
1316	Bhfcpb32.exe
2292	Bjdplm32.exe
2468	Bejdiffp.exe
1612	Bhhpeafc.exe
1660	Bkglameg.exe
932	Bobhal32.exe
2116	Cpceidcn.exe
2400	Chkmkacq.exe
2772	Cfnmfn32.exe
2396	Ckiigmcd.exe
2688	Cmgechbh.exe
2176	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe
3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe
3024	Pgbafl32.exe
3024	Pgbafl32.exe
2820	Pmojocel.exe
2820	Pmojocel.exe
2632	Pqjfoa32.exe
2632	Pqjfoa32.exe
2312	Pcibkm32.exe
2312	Pcibkm32.exe
988	Pmagdbci.exe
988	Pmagdbci.exe
2836	Pckoam32.exe
2836	Pckoam32.exe
2004	Pdlkiepd.exe
2004	Pdlkiepd.exe
2984	Pmccjbaf.exe
2984	Pmccjbaf.exe
2456	Pndpajgd.exe
2456	Pndpajgd.exe
1972	Qflhbhgg.exe
1972	Qflhbhgg.exe
3052	Qkhpkoen.exe
3052	Qkhpkoen.exe
1280	Qngmgjeb.exe
1280	Qngmgjeb.exe
2180	Qbbhgi32.exe
2180	Qbbhgi32.exe
2508	Qiladcdh.exe
2508	Qiladcdh.exe
2204	Qjnmlk32.exe
2204	Qjnmlk32.exe
1060	Abeemhkh.exe
1060	Abeemhkh.exe
2296	Aganeoip.exe
2296	Aganeoip.exe
1208	Ajpjakhc.exe
1208	Ajpjakhc.exe
912	Amnfnfgg.exe
912	Amnfnfgg.exe
1784	Aeenochi.exe
1784	Aeenochi.exe
2216	Afgkfl32.exe
2216	Afgkfl32.exe
2340	Annbhi32.exe
2340	Annbhi32.exe
2356	Aaloddnn.exe
2356	Aaloddnn.exe
2372	Ackkppma.exe
2372	Ackkppma.exe
2560	Ajecmj32.exe
2560	Ajecmj32.exe
2208	Aigchgkh.exe
2208	Aigchgkh.exe
2672	Aaolidlk.exe
2672	Aaolidlk.exe
2172	Abphal32.exe
2172	Abphal32.exe
2348	Amelne32.exe
2348	Amelne32.exe
1632	Acpdko32.exe
1632	Acpdko32.exe
1608	Afnagk32.exe
1608	Afnagk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	25e7ea7b1e5b34362b8dcc229aa81710N.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	25e7ea7b1e5b34362b8dcc229aa81710N.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qiladcdh.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	2176	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25e7ea7b1e5b34362b8dcc229aa81710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	25e7ea7b1e5b34362b8dcc229aa81710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjnmlk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3024	3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe	30
PID 3028 wrote to memory of 3024	3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe	30
PID 3028 wrote to memory of 3024	3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe	30
PID 3028 wrote to memory of 3024	3028	25e7ea7b1e5b34362b8dcc229aa81710N.exe	30
PID 3024 wrote to memory of 2820	3024	Pgbafl32.exe	31
PID 3024 wrote to memory of 2820	3024	Pgbafl32.exe	31
PID 3024 wrote to memory of 2820	3024	Pgbafl32.exe	31
PID 3024 wrote to memory of 2820	3024	Pgbafl32.exe	31
PID 2820 wrote to memory of 2632	2820	Pmojocel.exe	32
PID 2820 wrote to memory of 2632	2820	Pmojocel.exe	32
PID 2820 wrote to memory of 2632	2820	Pmojocel.exe	32
PID 2820 wrote to memory of 2632	2820	Pmojocel.exe	32
PID 2632 wrote to memory of 2312	2632	Pqjfoa32.exe	33
PID 2632 wrote to memory of 2312	2632	Pqjfoa32.exe	33
PID 2632 wrote to memory of 2312	2632	Pqjfoa32.exe	33
PID 2632 wrote to memory of 2312	2632	Pqjfoa32.exe	33
PID 2312 wrote to memory of 988	2312	Pcibkm32.exe	34
PID 2312 wrote to memory of 988	2312	Pcibkm32.exe	34
PID 2312 wrote to memory of 988	2312	Pcibkm32.exe	34
PID 2312 wrote to memory of 988	2312	Pcibkm32.exe	34
PID 988 wrote to memory of 2836	988	Pmagdbci.exe	35
PID 988 wrote to memory of 2836	988	Pmagdbci.exe	35
PID 988 wrote to memory of 2836	988	Pmagdbci.exe	35
PID 988 wrote to memory of 2836	988	Pmagdbci.exe	35
PID 2836 wrote to memory of 2004	2836	Pckoam32.exe	36
PID 2836 wrote to memory of 2004	2836	Pckoam32.exe	36
PID 2836 wrote to memory of 2004	2836	Pckoam32.exe	36
PID 2836 wrote to memory of 2004	2836	Pckoam32.exe	36
PID 2004 wrote to memory of 2984	2004	Pdlkiepd.exe	37
PID 2004 wrote to memory of 2984	2004	Pdlkiepd.exe	37
PID 2004 wrote to memory of 2984	2004	Pdlkiepd.exe	37
PID 2004 wrote to memory of 2984	2004	Pdlkiepd.exe	37
PID 2984 wrote to memory of 2456	2984	Pmccjbaf.exe	38
PID 2984 wrote to memory of 2456	2984	Pmccjbaf.exe	38
PID 2984 wrote to memory of 2456	2984	Pmccjbaf.exe	38
PID 2984 wrote to memory of 2456	2984	Pmccjbaf.exe	38
PID 2456 wrote to memory of 1972	2456	Pndpajgd.exe	39
PID 2456 wrote to memory of 1972	2456	Pndpajgd.exe	39
PID 2456 wrote to memory of 1972	2456	Pndpajgd.exe	39
PID 2456 wrote to memory of 1972	2456	Pndpajgd.exe	39
PID 1972 wrote to memory of 3052	1972	Qflhbhgg.exe	40
PID 1972 wrote to memory of 3052	1972	Qflhbhgg.exe	40
PID 1972 wrote to memory of 3052	1972	Qflhbhgg.exe	40
PID 1972 wrote to memory of 3052	1972	Qflhbhgg.exe	40
PID 3052 wrote to memory of 1280	3052	Qkhpkoen.exe	41
PID 3052 wrote to memory of 1280	3052	Qkhpkoen.exe	41
PID 3052 wrote to memory of 1280	3052	Qkhpkoen.exe	41
PID 3052 wrote to memory of 1280	3052	Qkhpkoen.exe	41
PID 1280 wrote to memory of 2180	1280	Qngmgjeb.exe	42
PID 1280 wrote to memory of 2180	1280	Qngmgjeb.exe	42
PID 1280 wrote to memory of 2180	1280	Qngmgjeb.exe	42
PID 1280 wrote to memory of 2180	1280	Qngmgjeb.exe	42
PID 2180 wrote to memory of 2508	2180	Qbbhgi32.exe	43
PID 2180 wrote to memory of 2508	2180	Qbbhgi32.exe	43
PID 2180 wrote to memory of 2508	2180	Qbbhgi32.exe	43
PID 2180 wrote to memory of 2508	2180	Qbbhgi32.exe	43
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2204 wrote to memory of 1060	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1060	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1060	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1060	2204	Qjnmlk32.exe	45

C:\Users\Admin\AppData\Local\Temp\25e7ea7b1e5b34362b8dcc229aa81710N.exe
"C:\Users\Admin\AppData\Local\Temp\25e7ea7b1e5b34362b8dcc229aa81710N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Pgbafl32.exe
  C:\Windows\system32\Pgbafl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\Pmojocel.exe
    C:\Windows\system32\Pmojocel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Pqjfoa32.exe
      C:\Windows\system32\Pqjfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 140
        53⤵
        Program crash
        
        PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
80KB

MD5
c2b5098d260f6bbc9533d0277edea1ce

SHA1
ae14c14bc3fe410fea3f0a254a6a22c5c0006756

SHA256
f0423becb84b42f3c885e56790478d24bff3d160b1707b1dafff775a472492e8

SHA512
279c7c380d99c74cb0f6fe5d0283f57eb055ff3a2b936ed00b036ceaedb4d52b084339f652d4a389780b2b0961b807ab4aa61cd259d579f31bbcfa4e5a667a08

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
80KB

MD5
9ac63ffc47bb8c2147393fca98745e59

SHA1
d0b1ae864bfa98349a51e7b6f17054c9390f39dc

SHA256
dfa9be89283aa05b0d02f85f727893fe35193476d1ca0fadd96e49165017aff4

SHA512
ccd9b9edd1ffefcbaaafbfaf58729e69ec2205c5898c8fbb0e8267cdea0e598249d7aa064fa6d187a0d9a53fe2b7fe7309cd0280d2a5f07f96e80210378be680

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
80KB

MD5
64172cb2ccbc160d1be8fc22d4bb2c52

SHA1
a46bb9af30278abc0c0231696d7b0d5e7136b470

SHA256
1d8b9db58691dbb6c41fa326f1e96fbfd8dfb488e37caf7ad573d4802e32bda4

SHA512
e8b67a340f787bdb850648df3fee3049f5568ca36820c8d300d75c045632633846d16b9060583dd64889a17822bbe105cc54d4dba1d998f729d4387c1bd323e2

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
80KB

MD5
e7ae18e1a76b310a75da7c2f9aba09e8

SHA1
471640027f4ea2da641a91453e368cdb2c276ca4

SHA256
f6d434a469883e1aa63965fa5eb00de71238afb162593ba291a5865cf133a153

SHA512
3ebf0c86e2d8ad836bbe39b66a0b22d69ddace3550a638d4998ed1c9b78f5177cbb3f464458e87b6d2b550736dc462599dc7410c969dec15df4a207ef614b960

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
80KB

MD5
e38c2951a168395e810286c22d74a8e5

SHA1
f550c2f06feb1bde3298ca954dc5a953769315fc

SHA256
22c894ded892a2c5743339e1f855d731a2b3d0e4985e75df9c076ee4188cbe7a

SHA512
04fd0c0e208e6814b88b3eb7fac8c46a2ceb0e5135a4184c95f028cebc7e52dc5f96a070931e39f9ec36aef90df0e8984ee7fc683ab1895314e5ad979b3dc21c

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
80KB

MD5
480d354a9c1121e76efe0798c1ea938b

SHA1
5d398c40f77de3952c46c6804939beb6a4a9cdf0

SHA256
896bf24b815c22daa1e04630d2ba22933efe42a7219733932de48f2c1d3fea80

SHA512
517eb71a2c7863413017d713b1961b44d1992e0190aeac5483c9fa38d5f93893996bc9e3091787fcccbe4e4d53b70aa4915e17fc6a7333058f22611f5b3ab5c4

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
80KB

MD5
44462321d6d51c25c7f62bb5f611e46a

SHA1
4f2792a4055aac3105587b91cd2153689cd73252

SHA256
1819aef5b3ce165260503ee192d2c1dadcdfbf366d52db9754b8a2be217d6adf

SHA512
bd2c5b10cd406e61e43abfb7773523a9d6fdf9000d2d55af5b979499bfbb797289ceb104074534e6fc096dfae2219f7a164371a2444a4d021cb772e7fa7c1d19

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
80KB

MD5
82571199cf76dbaa9a1a67c37046d2cf

SHA1
2c35881be703250823c3903ccfc4a4aec85cba17

SHA256
fa192e58864c81d7d7b848df0ffdbd3be7ad761eaf90972aa8ec72011f0a88c9

SHA512
cc4c3c974be34b76d5b0e17f3a1ab231d9c80c4ded973b6beb9b18d3cd7a5bb7be1856d4add950c383779070c36181d15fc46f8a68e81f7cab1b30edab3d7d2f

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
80KB

MD5
942476c6ee0ec4af9afaf156f13025f2

SHA1
cb7b17b61550147201f1303bd46db85abf72b4d5

SHA256
2564f2253f002738dcb42750fc531f2f737b4c7af71b4b748c15879b9a9e4eed

SHA512
3bb8da1543ae00afc259f537f7aefef14eddc294e28b1fc31588dc6fb514131aca427430b9180103b65d76454ecba9e47a51f56d308ae1fb6002089f71b4531a

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
80KB

MD5
f7259cb2c9405802386b3d064831407a

SHA1
904ba9afc84687a9af054ba842b38f90c5d8e8eb

SHA256
70980fb11975a5edf403b394d740721b9ef9eb9d4345db8453fab559596dc800

SHA512
d746b8a5868110baa45d742655608769283a823781181c37afd0ae27690466b03bb5764ae399b7e51c2873a247e3d7fb3204b6708ed1ae84fff66100ab15d79e

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
80KB

MD5
980c5b0b551b916893d12e33380bc848

SHA1
3e0426eeb587d8f844d3617751a549aa40bb788c

SHA256
10a2c63eb894ec8045309a32b6b916a653f0f2b8540eeea53d1689814cafa74f

SHA512
d6b8c521ced876c536ddea31f11c903beabc0193b188e757c84bda5d67c849d64ca5b74c5d19d7938cc042528d5993228a09e8f4a2c9b4ee8c70bec32f8590c5

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
80KB

MD5
29d07e49e6d580821fc517659516835e

SHA1
d3a744480a937ebe68f5590850d3b635f7b63682

SHA256
be16c80a182decfeda0f1331db8b98a1fbe434a87851078bdcc907b7dc776072

SHA512
844e44c99accac5299a6683833513d74b5e9dcb1d6661793b3f92b3f39491e13577d45ccf2f8b6bd72acb9ab94529c526cdf233c89450d98e4ee6792861eba44

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
80KB

MD5
2326c57ba6df33cf783002190e05de0b

SHA1
f7ba16696ad0b8abc7b263f7b640efbd45dcf87b

SHA256
b463801f96c6eba33fd4dbf63790fdc453b1056101d9bab91ce5ea74df48298f

SHA512
72644865c388a466a60ed9997620e99989e296c6579a4ae95652697b6380e42bf3b202b56caa9d91f919565299783d3361d4dd91a6bd5a2330e7a1e488fa4d5d

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
80KB

MD5
0aae9efec4b91cc10a79fb03ab819e34

SHA1
aa01372e8bf8fecb49247f6f716316f8db5b74f1

SHA256
e34315d7a13a14d4ac9b1547d96f6dea4e3aeba98dc1d77952bc5f6387c7a209

SHA512
b7060f4a953e466eed956d4d6c605b82806861f3ef758784b6aad747aa84e3b0d31c19a4968ea507e3dc02e4258d556b85ba8a48dcc9e66869d413886d73dfa2

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
80KB

MD5
49155852af4c0c4d3cfb8a01fc9cf67e

SHA1
02523843f777daa00daa818c51ccdb0c91d94faf

SHA256
6f67354dbcccb4e10637e9c6b6b977bbbbf11fc2378f25d0f3272e134cabee22

SHA512
084189eeffe7ce24ac6ea9c4fbfb678184816188f2c6734adf4071b259294b2a75bd36728434bd4cebb74ce9efba2d9c86b49e6446f2298c8b2fdb7a265a7e7f

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
80KB

MD5
bd4d0a6c2b23d9645303b777488d92fb

SHA1
58d304e18d301fc2da8e769d0308ee5d90c5d946

SHA256
463006986c7f3cc44534f29a7f830c91a035241b5aba5ad887fb797a51a8cadd

SHA512
cc54d60a4deac51c76e4d2e8dc383a914298b386b887947854c1fbed682061fec076054bde14109aa8c14065ea43a50664289a39b6e68bfcfbfda7fb58c340b9

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
80KB

MD5
72ccb06885367a24a30ec901a074709c

SHA1
bf52a51213a3b0fd03f0745184678c3bab6af443

SHA256
ccdeae915f9242dfcbf02f3737ee22d9224bb35e766d8d2ad4e16d11ce557651

SHA512
05264a826070a6e15443a2ebf5cae2901034b5b1cc47ac7855018c28699cd304d779c4141a3725beb7d64c78f3471d0cf697256ba2eb9a3538e235c1896f230e

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
80KB

MD5
73b7a4792b729c44d1696cb06435bd3d

SHA1
aa564b3142e0cc059ecbc84bbe56167390bfce3b

SHA256
34f0dbbb9d763d3189d8cf0fa41c200360a1605500741eb9d18a38b57ae0d388

SHA512
f84513cd7c7899fcbc1f22ccf2d09175d31a5982fc021853733dcf21b54d6e7972ac8c3d8bc59c3a479cf62c177329306c5ea662f428680ca08878959cd1e0d8

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
80KB

MD5
42ba0e25e3d8b0a6c2cf89d3da43316b

SHA1
ee35707f464372ab84c17c3600e650c1c09d5f8b

SHA256
370ba8204191a3761ad9feafabd98bf4c8c6143c0937959f6439bd127d7aea0c

SHA512
54f3da8930c4556b54983590f6447119a76e13f11047f884c34ff818fc4ad3bfc2965185674f8c99e53c6c031a2ebd6cd02ba8c46cff046ca0f92e2f3b2027d9

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
80KB

MD5
b534791b042c1fb413c0b2166574b432

SHA1
c5c4eaea5f6ce0be595ff90e1b0f029624fbcc2b

SHA256
30b39e7f29954ef6ca56e64265b601f03d5d59c4a62bfa2bbddc930da95825db

SHA512
e139327ffba89a87acb1f964d32656281ad3835c2d330ca66b8284cda3b200d26411843bdf0832dbd382b4007c364ca99983a880316dc77a4dc5e9a157721479

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
80KB

MD5
862c5419a129a1907e4d93a87494f68b

SHA1
855d670294b97fb43c9ceead4c2b216a137e2477

SHA256
22f4d5fa654fa4e101b2b8fcf73de4415b049d3f41db419bcc196cd04759d658

SHA512
519c151560f88f43db4107b5bac4fc49b4f4209a87300d186d5b1003fc287696052b059d31e5a4fa999a617103803b05b57e892e32b73d939dfc95769d61f168

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
80KB

MD5
26163bb26a65ced7e60b29430baa52f5

SHA1
ea2d3bf5ee1946eec841e98156840eaccf4944ad

SHA256
2e7521541c1315ea9bffca25b7ea920f6a967b9aaa7231390fa33b438f2bae08

SHA512
b6eaf1159bcaaf50352e47f3a7f2bbcefe91ef6055f53e76798116f967b9dde7060a62aa4a25d3ac08b0c8f927827a8036accb246bc0b65715aff25ae370bd46

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
80KB

MD5
aba73f0233a3ad2596e4f6cb663731c9

SHA1
22f6047da0cff5039088f9a560dafccf4f5b5850

SHA256
c3b632959efec4cdbe2f9894e53cbbc3d4a07e20acd3a1e2930fef26dd603ac0

SHA512
56f5ff252d628e18dcd20f846a36d789dbe701294e48c4b0f1d99c385f698b188b5a9f3f9bc01d4660ed5850433d90f4767ba0ef3255081f4385441292ab0a63

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
80KB

MD5
76e561f48a0f34fef02869d4c0d5ed32

SHA1
8b6e4fe31d702b5be0fae4e9a73e8387a8d77731

SHA256
28576d66c0c0d4b0c6795bd46c0b65fee6a6a08526fa40661663de7b392092be

SHA512
16ab4cd3aba73a2406b7d845df5ac3e039edeccdbf077735ca86406ef7cfe9fd10690ba4aed3e4df9cb528fc07eeb948367f044f45b90825fa90a4f12314a167

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
80KB

MD5
ef30543fced5b567049d7a271dc6137f

SHA1
ff00110c64849ce3e3cb3fe08a75974e02339f34

SHA256
495e4c2c7ab66d9f904007004bbb9d62dffa8806b067567e6315ddf83b061f05

SHA512
9f5da91761478dc0836707aec6968c45e2ae60539d529a646dc2b32e66a5c17d624338a3c2f1b107f092896a0f885d0346b27b03090f1380005ea2f9c474f322

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
80KB

MD5
b5a0fe4e9467553c3fb806d2a1de2e77

SHA1
e437e689aea5070a050ec8471119c8e1e21cfafe

SHA256
fa5eb723582983e56f1d1af391be03a7d1aa0f9da016641f1c5045f41ab4ebb1

SHA512
e44c007b31ba7a71b038b2d65e6dd6e76e44ce9adf0437a54c0be11825ad460f6989fdacf817981ae4df327b303ade709adb7da102271b0148636a0ecd379f45

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
80KB

MD5
f50dbec4ba3226d19d6c274f05e30efe

SHA1
5b813fdc196cca3c3c322c8a3b76b04e31d848dc

SHA256
c630ead321a34631c91614b2eca8cd4dff9dbfc9467f5d80eee0c3c692913b60

SHA512
3a8c600c4c2c97875af5ed86df5d368d31a4c869446e07f7e66034bfce1145875aa95cd541c1260743232c801edb316fbebe1b4cd983b3362f8cbb664cf88a76

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
80KB

MD5
e7c8fc47e9ce9783887d65517c915b32

SHA1
6a29b413dc0dead58906808d25d51210fca58bc3

SHA256
23122b42df37f1e5ac9d1ce8a42ce4f531845a76290e52a5550ac0bef88b3420

SHA512
b17f94fb6e598a2f6fef7dcddc5e42ccad4aed5d20de1eed64ed4b1fc054596f50a7710c306175fea48fef2e6a786bc272ec037b6c253d9bebd690f77d966eb9

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
80KB

MD5
f212e6a61134ad5f01222408757a6d80

SHA1
ade9ac6cda2a1fdf1b58cc40f836998028518241

SHA256
84cc7cef3037c27d368ec9ccc1acb8b1a0d4da2ea7135c7fd33f2fe1510aad22

SHA512
d2e06e7def989072bd8ee9439cd91d56cd1228019943a47eafcf58aa7c3f834196b47605d18eb4166d3bcfc64b03c5907e1ff2dc0b12f9682541fba7a2c460a6

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
80KB

MD5
53d4d9c3b1a5ef942364699381c33d0e

SHA1
d08a8473424d796784594ce8a031ace02b17861b

SHA256
140949734b8965c22968dc33af78c813ba8b53c4bbc310e101a200636a4f2deb

SHA512
847e4a395b93d53011514987281fe5b2afa0fcd16a577f00c927476dc6bbb4288d47163c756c1fb6598711496e34e24a2e3a9ccc20f93ec087cd3d2d8b4801ab

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
a66605930ac3dd77dc5519b3f0c1bd3d

SHA1
29aa2aac3aef41ab2ea1448684729703f335b72e

SHA256
9c6d80dbf563caf03fcd26b25d0252ac8401dffe54fb66dbc4a1072f30ef43b7

SHA512
80cfec20b206be4bea6be6695e6c5c08074f688b0c9a2fc57d303f10782190097273f068fd19bc982a77bb7a60de57af0b08a5ef6a1899e78718af1b9dbce41e

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
80KB

MD5
bea5b1a96463c9fbb8eded783b83baec

SHA1
3547a945c2bd9187af0f1535acbffd01810a855f

SHA256
388848380c70e45dce5fe461c6fb9d58a5ca75dc501a35af653db6bdd05c6c14

SHA512
8dbc1025895c4797e25681f6de36addc91f7f4a9e6552b62f1c8a854a7280826b4ddc8749323b1c3c79e7baeabe6f806b1c0812f52cb512dd7f9c72f14902268

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
80KB

MD5
2f7d4ca8718c790d5769c39c91ec1903

SHA1
5e3a7fd11639517b50f7cc68c4072d25f9f2f1a1

SHA256
1fe10458539a9ceb0ebefa443f00bcc9fc73e868e92bf6867ff5f16866a10f81

SHA512
8c9d62d782fb23a8b6c4a7c041540e6d8576369fd828158b0650dce009f8d22c24f3583cc5e360c2ab29ac68377a966d09f155e28084c869d968f91cd62867f8

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
80KB

MD5
3173df7a8d5588116f69a22a9682fa50

SHA1
50849f4071a6ebe2be37c7855ad19e414ec489f8

SHA256
cf6dfac1c4a1684fc61b33d940df77b8b10034df2c349ea5b0eb90c5e7e41e91

SHA512
a666a5b3613ace61b1d92bc06dce5fd7c5b4128d5a1758d7b4cb719fd6cfda93493f61dc294bf0b9a327e1ac7e268f0b503de3e65a62052c7b67600121fa279b

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
80KB

MD5
9bf8fc4a578d2a9781772949e9a33e47

SHA1
90c2b3b1f64ffc4f13f5f32907c754fa67ea0764

SHA256
e6abb8999f68a6f4210d0002690225c47d9e4c31915f5ab666c1c7ae052106a1

SHA512
79935f64c66ce6fde7c1c03f8ef96482a09b9a157009334a7f5f0c8920b28a5bc40422ea8d1deac864d0ece5bc5358e627f479bad2c1ee6c06a46e1f594bbb57

Download Submit
C:\Windows\SysWOW64\Lhnnjk32.dll

Filesize
7KB

MD5
a65916f1d4712bdeaa68356afa437e36

SHA1
063e2b68af6d4a27d2eb52a0b3ed1afed0bd584a

SHA256
9c3d6a7a4d030eeb5057a0118e7ae8c7507e0bae52c69d183290c7c250519721

SHA512
0b24bf46ab2b9356d085fac18224f4f1a98bce77977968457851a66089d371037730b40c7e9e58ea75a86f92a018ea683420b0de1fc81e6ed86b412a9d3aaf43

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
80KB

MD5
42c3a89b0f9ba46c1adfd2831d887085

SHA1
eb8f05e10e2add0fef7785639f11b6daeb7aaf5d

SHA256
3a9b0cb15645ff00a156de40cf6756fb9924a9f2e80b00b9fa0b7635ce195959

SHA512
b0174f9f32825690a2d35bcce0632d08cbf2a9ff24c9d98b3fbb0d707dab0d69ee3d25aacb24fb659ff770cb0f75a0c6a33eb34c0fb4db451a85db35491fc980

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
80KB

MD5
308cef892a3ba8e6bcbb0a88a2736842

SHA1
6668387f1b3bf87362b31f3b6e21342550b8342f

SHA256
6b9909d74a6e24b022c8c236d2d24967789280b40a98295678dd5f98839c0db3

SHA512
8c176424fb81b8aab0c1f7e66943a0eb3619d3ad576d280ad9a9f8bf2498bbb00298430949ec723ffb7776809d4159b48f5f9ea930ed115b0259b774902a7bd7

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
80KB

MD5
00ea3c3f51c71a6d7dc1385f95432307

SHA1
76666c706ce518326403599955a9b3f659dcfb95

SHA256
0b1c714cd6d48a4b226e50f87ac6849b5d5a4bfdc8e06b4b6e5c275922426111

SHA512
20ce0507c5cbf7ce24dc14c2e0b49fb2dd290b786c062cfa0dcd738acaed84ca491df5ab93e76d30052b811d97c70a7d91ade2195a291e9e3da16c60acce5e3d

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
80KB

MD5
f7acb0bf224b82334462cc33125543bc

SHA1
1bd64be9aeedad306faf15a7b49b2589e33c5511

SHA256
296a55c039a0fb1abd78b799f1ffb684d4dc0b0c8a3ae7f31e64183f5f902034

SHA512
d9b057d190c5e943abdeb87fe24567c3e9a4ced9549be89fcdde7a5428bb515b1b0a9de61a7646a0843609c041a531e42e979d4be43d6af90ca18b005069a375

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
80KB

MD5
d1ce5fe903a219bc194924da1a9b16c5

SHA1
32a896e42e6378c1723d519d055906bd12968f89

SHA256
644d1b37f07174392dc8ce5eae98dfd957c1bf288682c01fff478238f9d88799

SHA512
be745b1712c5bd7080ede4749ec62f882874aa68e0ece836a550f79062885244740e3e47f788eb088204c3b3321c62c25302191b9e30aec933ca8afebe896465

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
80KB

MD5
b10c01bad2a25e38c906ae8cbf51e6a7

SHA1
148f9ebd328d0a0f61efc0f5ef8f8290907ffa03

SHA256
723d24e69b71cf200961523fd5bd9da76f92f647d71a69823b4e4c1d8806d8b4

SHA512
ecc55832f9d4d4235eb281d0d824a3952da0403b22b6ea80316e5e6a7f1aec7f5c69e22c4fb9d3b3e8adda716e2d40509b7abda5864aaa60fd2d59e53687ccce

Download Submit
\Windows\SysWOW64\Pckoam32.exe

Filesize
80KB

MD5
438cebf61884d26532d00dd18a3b4f1b

SHA1
09488148c83f703a62459e352182afdfb1d3c63b

SHA256
7b9ef753e2bd2ecd4703062576b9f496b3bcc140b56351d4dd0c8038f3ef3fe2

SHA512
618b4b0535b1ad4c9db1b81456f352a20904fc8f6f77234ffb0fc5a119514c17bcf5393688efeccf0bcc9c00891e1bb7ac8cd9cda7a8f676dc01703cd08194ed

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
80KB

MD5
94615d4ca486fac18c4a7bc53b5619e9

SHA1
82eb7d6b580c9e4621655bbec38cbf0818760169

SHA256
860823313cffc13fe7b68d8ab889fc9e26a83bbd19f8bf46b2548a753aee4300

SHA512
aca3c4c204e33d97510226c6f12d7da43b8f7d4444ce147c14b0746da052761bb5db453660ec9ea96f4a73bc74ab9bfb76367762099936bf8385527071838231

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
80KB

MD5
ef9ddbed4d583134c557b2d03223ea9a

SHA1
b551dbcd6947e4880141e34f32bca4fae2d76df0

SHA256
d6e6180e0165ae8250e44180b130f8f04ebed909ff10d7d7148da505f89fca24

SHA512
cfbfc5965050c6a1097db398174781c94cc323666f9ab01985fa7dfbe637079d8513c5e56d42d287c5fd8ef17c3c76facb38d99f457de492a95a945175236bd8

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
80KB

MD5
48729f9230410656e4afb88be3c03ce0

SHA1
1bf7d898a061ab77a50b2ab123b8ba27cfffddce

SHA256
852875ae8eeb43803683f16ec5479c45b4f13ffd4a035dedc8036d4bd7de7620

SHA512
235713e121037c4e8bb1c9fb6c08f4fd2ceb92355a644d79d6035a79b40a7a434861be02a60f7831dbe35272b92150e7ee23c8ac72b229864b295f4e8663ba09

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
80KB

MD5
22755b281ee396b4b9e4df5c46a2342c

SHA1
7e14d0327a9841bdd19bdb305e43848e346bb689

SHA256
a337f9af89570ebeb245d0e1411553d5a972e98acb4a377736f2721fee8c2b2a

SHA512
1b175446912e6f191958f553cff517d807657c430b81adbae535edce4dcad45a0462e09a034bd605ac0529511f60a5dbc962fcd21f14edcd90b07fbd37d5ce6e

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
80KB

MD5
a4506b25d51f126d8f831cf72184eb23

SHA1
e5e4c625a99ec8b78bc24cf2ca7dc9b1e503bc0a

SHA256
abeea32d88ea6551a610cd243684531a9fd3cd8b3f7d1fb821d6d3c7afcd5a16

SHA512
dbd785467712574d6b4fc70ea464f81af918b6beaf957f865f5ab07c44cae59c32143b61a2f58cda108525562eda9321c5f021beff2d2fb5a460f1e87cdf4ba6

Download Submit
\Windows\SysWOW64\Qbbhgi32.exe

Filesize
80KB

MD5
4eb0f47aa8346b4007d647a100cbd598

SHA1
a06495f9bece7efa5f09bba21d4ba69eb5ab53ac

SHA256
fb34c1446634fae6fdf5b29b03d5a8baba805d9f586becb3340fc152d34268cf

SHA512
a0ee48b8bca3845b93efc05b9a4706bfd2c2035975deeda66517e68df4068ab3fc8d3e6912b24729a264df739a872306e3abafe6224d4da1d60bc7b15fd7146c

Download Submit
\Windows\SysWOW64\Qiladcdh.exe

Filesize
80KB

MD5
b8c448a16aa63a064372cbba3988d6dc

SHA1
801300dcdd108cf706f17502471757f2cd121fc8

SHA256
e787636b5c3c923168269ec28f6a517dc1e6ae6c7c01b114f7bdf60f7921c36a

SHA512
bfc4c4a2962e24d24fa51a01d4089d25650a4742e9715584ce65aceb0aef85e1b874584b1b44fa09425ab5f570682d1aa7eff941d7578746dc83432ac9ae52bf

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
80KB

MD5
3fe55a1218ad67c93e1232e5ad50e3bc

SHA1
75d55ba837161c932767d5ae22cce145bbec8089

SHA256
432cad7216cf6d590a980b30e1a1936c4a42509acc0ee1209a2989c8987ff944

SHA512
975d0da6382b2e2cdf9f954b051371f66a16f94d4bbbfc4226c2a6a5732bc22c78d90512e55c9872461d1c75f58fefd08b0b2fa037a084221e9500ba6a04d5a3

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
80KB

MD5
411e85f0a4eacca9aade329d65576cd4

SHA1
390b17e31c7818aca4eff0d6cdd9ba7a9992b895

SHA256
f63c86ec651f69241179c6bc2142ccb487809c073e4245dd80ab4180108f74ee

SHA512
73e51dfe1e984cc81622225da2fa0938dbac18fee86877ac52fab3edd525f7ac4224aa9c87f52600b22a1158d7a85844bb38cfa4c5989203c12f49b6157ea984

Download Submit
memory/912-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/988-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-221-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1208-240-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1280-168-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1280-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-479-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1316-476-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1372-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-383-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1608-382-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1608-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-370-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1632-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-259-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1784-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-426-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1972-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-141-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1972-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2140-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-405-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2148-404-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2172-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-347-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2172-346-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2180-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-209-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2208-325-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2208-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-324-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2272-466-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/2272-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-467-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/2292-490-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2292-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-231-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2296-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-62-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2312-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-281-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2340-277-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2340-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-288-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2356-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-292-0x0000000000780000-0x00000000007B5000-memory.dmp

Filesize
212KB

Download
memory/2372-302-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2372-304-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2372-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-393-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2464-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-498-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2508-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-195-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2560-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-317-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2560-318-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2632-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-49-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2632-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-336-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2672-335-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2804-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-40-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2820-388-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2836-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-88-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2984-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-115-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/3024-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-369-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/3024-25-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/3024-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-359-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/3028-12-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/3052-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads