bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
Size

72KB
MD5

3fcdadd4317895f5c8e1a3da0a15fa6c
SHA1

39356149b7e4a50a2a5a037de1b2bde4d24c38a4
SHA256

bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf
SHA512

908c9059e7e5a74fda3b35211ba514e85721c36537f3653894a8424c5d1640f00bc64840717808de321fff709f7063a6692b536a30c19c3e537083ca03ad36e0
SSDEEP

1536:Rsemu7/c21P+OToTQj6gSzm6tpPgUN3QivEtA:RY0/c0OTQjYbzPgU5QJA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe

Executes dropped EXE 53 IoCs

pid	Process
2172	Phqmgg32.exe
2348	Pmmeon32.exe
2664	Pkaehb32.exe
2940	Paknelgk.exe
2672	Pghfnc32.exe
2720	Pifbjn32.exe
2676	Qkfocaki.exe
1896	Qpbglhjq.exe
2528	Qeppdo32.exe
872	Qnghel32.exe
1036	Agolnbok.exe
1884	Allefimb.exe
1280	Aaimopli.exe
2392	Aomnhd32.exe
1132	Afffenbp.exe
964	Alqnah32.exe
1700	Aficjnpm.exe
628	Ahgofi32.exe
632	Abpcooea.exe
1664	Bgllgedi.exe
1808	Bdqlajbb.exe
2252	Bccmmf32.exe
2044	Bdcifi32.exe
2648	Bfdenafn.exe
2660	Bchfhfeh.exe
2748	Bffbdadk.exe
2592	Bqlfaj32.exe
2668	Bcjcme32.exe
3008	Bigkel32.exe
2296	Bkegah32.exe
352	Ccmpce32.exe
816	Cmedlk32.exe
2356	Cnfqccna.exe
2332	Cileqlmg.exe
2764	Ckjamgmk.exe
2240	Cbdiia32.exe
2432	Cebeem32.exe
696	Cinafkkd.exe
844	Cgaaah32.exe
892	Cjonncab.exe
1744	Cbffoabe.exe
684	Ceebklai.exe
2412	Cchbgi32.exe
2092	Clojhf32.exe
2104	Cjakccop.exe
2916	Cnmfdb32.exe
2836	Cegoqlof.exe
2816	Ccjoli32.exe
2788	Cgfkmgnj.exe
2112	Djdgic32.exe
2600	Dmbcen32.exe
1888	Danpemej.exe
1660	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
2172	Phqmgg32.exe
2172	Phqmgg32.exe
2348	Pmmeon32.exe
2348	Pmmeon32.exe
2664	Pkaehb32.exe
2664	Pkaehb32.exe
2940	Paknelgk.exe
2940	Paknelgk.exe
2672	Pghfnc32.exe
2672	Pghfnc32.exe
2720	Pifbjn32.exe
2720	Pifbjn32.exe
2676	Qkfocaki.exe
2676	Qkfocaki.exe
1896	Qpbglhjq.exe
1896	Qpbglhjq.exe
2528	Qeppdo32.exe
2528	Qeppdo32.exe
872	Qnghel32.exe
872	Qnghel32.exe
1036	Agolnbok.exe
1036	Agolnbok.exe
1884	Allefimb.exe
1884	Allefimb.exe
1280	Aaimopli.exe
1280	Aaimopli.exe
2392	Aomnhd32.exe
2392	Aomnhd32.exe
1132	Afffenbp.exe
1132	Afffenbp.exe
964	Alqnah32.exe
964	Alqnah32.exe
1700	Aficjnpm.exe
1700	Aficjnpm.exe
628	Ahgofi32.exe
628	Ahgofi32.exe
632	Abpcooea.exe
632	Abpcooea.exe
1664	Bgllgedi.exe
1664	Bgllgedi.exe
1808	Bdqlajbb.exe
1808	Bdqlajbb.exe
2252	Bccmmf32.exe
2252	Bccmmf32.exe
2044	Bdcifi32.exe
2044	Bdcifi32.exe
2648	Bfdenafn.exe
2648	Bfdenafn.exe
2660	Bchfhfeh.exe
2660	Bchfhfeh.exe
2748	Bffbdadk.exe
2748	Bffbdadk.exe
2592	Bqlfaj32.exe
2592	Bqlfaj32.exe
2668	Bcjcme32.exe
2668	Bcjcme32.exe
3008	Bigkel32.exe
3008	Bigkel32.exe
2296	Bkegah32.exe
2296	Bkegah32.exe
352	Ccmpce32.exe
352	Ccmpce32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Agolnbok.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Pmmeon32.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
File opened for modification	C:\Windows\SysWOW64\Pkaehb32.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Pifbjn32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	1660	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agolnbok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2172	2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe	31
PID 2452 wrote to memory of 2172	2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe	31
PID 2452 wrote to memory of 2172	2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe	31
PID 2452 wrote to memory of 2172	2452	bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe	31
PID 2172 wrote to memory of 2348	2172	Phqmgg32.exe	32
PID 2172 wrote to memory of 2348	2172	Phqmgg32.exe	32
PID 2172 wrote to memory of 2348	2172	Phqmgg32.exe	32
PID 2172 wrote to memory of 2348	2172	Phqmgg32.exe	32
PID 2348 wrote to memory of 2664	2348	Pmmeon32.exe	33
PID 2348 wrote to memory of 2664	2348	Pmmeon32.exe	33
PID 2348 wrote to memory of 2664	2348	Pmmeon32.exe	33
PID 2348 wrote to memory of 2664	2348	Pmmeon32.exe	33
PID 2664 wrote to memory of 2940	2664	Pkaehb32.exe	34
PID 2664 wrote to memory of 2940	2664	Pkaehb32.exe	34
PID 2664 wrote to memory of 2940	2664	Pkaehb32.exe	34
PID 2664 wrote to memory of 2940	2664	Pkaehb32.exe	34
PID 2940 wrote to memory of 2672	2940	Paknelgk.exe	35
PID 2940 wrote to memory of 2672	2940	Paknelgk.exe	35
PID 2940 wrote to memory of 2672	2940	Paknelgk.exe	35
PID 2940 wrote to memory of 2672	2940	Paknelgk.exe	35
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2720 wrote to memory of 2676	2720	Pifbjn32.exe	37
PID 2720 wrote to memory of 2676	2720	Pifbjn32.exe	37
PID 2720 wrote to memory of 2676	2720	Pifbjn32.exe	37
PID 2720 wrote to memory of 2676	2720	Pifbjn32.exe	37
PID 2676 wrote to memory of 1896	2676	Qkfocaki.exe	38
PID 2676 wrote to memory of 1896	2676	Qkfocaki.exe	38
PID 2676 wrote to memory of 1896	2676	Qkfocaki.exe	38
PID 2676 wrote to memory of 1896	2676	Qkfocaki.exe	38
PID 1896 wrote to memory of 2528	1896	Qpbglhjq.exe	39
PID 1896 wrote to memory of 2528	1896	Qpbglhjq.exe	39
PID 1896 wrote to memory of 2528	1896	Qpbglhjq.exe	39
PID 1896 wrote to memory of 2528	1896	Qpbglhjq.exe	39
PID 2528 wrote to memory of 872	2528	Qeppdo32.exe	40
PID 2528 wrote to memory of 872	2528	Qeppdo32.exe	40
PID 2528 wrote to memory of 872	2528	Qeppdo32.exe	40
PID 2528 wrote to memory of 872	2528	Qeppdo32.exe	40
PID 872 wrote to memory of 1036	872	Qnghel32.exe	41
PID 872 wrote to memory of 1036	872	Qnghel32.exe	41
PID 872 wrote to memory of 1036	872	Qnghel32.exe	41
PID 872 wrote to memory of 1036	872	Qnghel32.exe	41
PID 1036 wrote to memory of 1884	1036	Agolnbok.exe	42
PID 1036 wrote to memory of 1884	1036	Agolnbok.exe	42
PID 1036 wrote to memory of 1884	1036	Agolnbok.exe	42
PID 1036 wrote to memory of 1884	1036	Agolnbok.exe	42
PID 1884 wrote to memory of 1280	1884	Allefimb.exe	43
PID 1884 wrote to memory of 1280	1884	Allefimb.exe	43
PID 1884 wrote to memory of 1280	1884	Allefimb.exe	43
PID 1884 wrote to memory of 1280	1884	Allefimb.exe	43
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 2392 wrote to memory of 1132	2392	Aomnhd32.exe	45
PID 2392 wrote to memory of 1132	2392	Aomnhd32.exe	45
PID 2392 wrote to memory of 1132	2392	Aomnhd32.exe	45
PID 2392 wrote to memory of 1132	2392	Aomnhd32.exe	45
PID 1132 wrote to memory of 964	1132	Afffenbp.exe	46
PID 1132 wrote to memory of 964	1132	Afffenbp.exe	46
PID 1132 wrote to memory of 964	1132	Afffenbp.exe	46
PID 1132 wrote to memory of 964	1132	Afffenbp.exe	46

C:\Users\Admin\AppData\Local\Temp\bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe
"C:\Users\Admin\AppData\Local\Temp\bfba3a09828e1801a487f50506263ddf1e718f8238e0511528877ac7d455dcbf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\Phqmgg32.exe
  C:\Windows\system32\Phqmgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Pmmeon32.exe
    C:\Windows\system32\Pmmeon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\Pkaehb32.exe
      C:\Windows\system32\Pkaehb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 144
        55⤵
        Program crash
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
72KB

MD5
87adf82c646a710b6bbd1abb6f50aeea

SHA1
64ce0c5ba947c2fdbfae8ae846d2c645473f0aff

SHA256
8f3509c66be28d0aff9ccd81727873597b05d2e76ce76bc13e00c2734579eaf9

SHA512
a25e14d395ba1295c2a30531c8adb120ca2b64dff60a24569e075a9d6663aad428f1bec7211da6b2814de70a43bd4d7e8d390549bee8d1ba24cc38223f608c09

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
72KB

MD5
a01699b114ff721f523554b0145e8364

SHA1
8a4109147c9c685590be5deee15000a6b81a10e6

SHA256
75675689f88e7a5503d2c9b1a427c6419313e867802d80c3cdeecae955b91a1c

SHA512
5d9d4c223889aac0b7d7f2e68d3ced3a143670e101a8138f2dc37ac3917ea69fe09ad53df8de279c29dbe135e6dcb11bbaaab6460aa444810e135796ea6352fe

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
72KB

MD5
2fd62390548ccce9cb9a3767fea1a71a

SHA1
8d6926868dc4bb33dbf33320f36175e0cd611841

SHA256
e8e3a83590ad24e09f27daba55ef15a29031c1240f2795e596c0e5209b0c5a77

SHA512
c344ec0cc9a22ef8bed94e2c25bdd6b8c0d1e53f941dbe3b30499648bfadb29747e77aaa53c253a26bed367969d234500fae6c0b0c8176a3f705098b76a26404

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
72KB

MD5
84e6002ab10568c435f9553b6f589bfa

SHA1
ad91556b6bdb10e8f74843738129cfccce68b334

SHA256
746a958a2f8c6534bdcaf6fe455e65041345c5f8e46b0009c16e8293b7f2f105

SHA512
45abed322d68999bde69eddffe32c62052f5ddea1b49bc253b9d2556db90bcfbb83f18241bd703efa64395cdb3cc27237810760c698f37a474e7599fae91d8d2

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
72KB

MD5
ffb904e2928b1b3b633fe9746741c2d3

SHA1
4e61f2cf9d0cf426fc130ddbc5ea23dbb3c90855

SHA256
667fd77048b357479a6fc504b82241c25ed69bb8085d4ee48dd873f53e5cb12c

SHA512
2416724710a995260b51da571afd16648a1cb1a3a3a467f13c15a0a001df4eb947d0f6d53b2780f4f1dc59918072469101d2d1f399367350d947cb126d23283c

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
72KB

MD5
338ce32bdc70003d5de1c8aa97849bfc

SHA1
60a3ef60c80f9492308fc999de91c837d37c4317

SHA256
84529e0398ee72ddfbd93e2d9a1e7e71a8ac62083b3b1167602164f6db76e63f

SHA512
1bbc5a66e99cecde62a725d6e700b4436cb7f4a3795ca149a12ab1d828f3e326c662f553a34c937aaf63cf637bf584454bc1331f8adf9957b0e1982ce6fdb8dd

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
72KB

MD5
e3246ff6d6d629d0023ea96f8ac83dd6

SHA1
f9f5bded9c2956529cb23690dce0c06ae51d31ec

SHA256
aa3d7d15de8072eee812a16590cdce41b2654b44dbcaaed077166322c07c0078

SHA512
497990d90e1696223561e8cc26aa7fe0505376bf000502df9a423f6e48f41ba8241d2e6069db33abd84c298fb389644b77d97eaf366fbb1c9807ea3f4be4e6f6

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
72KB

MD5
efbbb7097a9252d4f30b875dada80f9d

SHA1
ae6c9004fba6b916d218252e1995d830d7639f5c

SHA256
ed28824360b727e4df20be0f3bc8577ae6f79450b275ed0bab92b975ef6f118f

SHA512
62aa9d62cd233bce4b286c3f582dfc10f98e154e1fc395f7ca3996c69f819317e0f0dd27673511b83a2ddd1e99f453815ece7add1d9711457a4eafe3714e3980

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
72KB

MD5
50fbca3511c1d09a316f3f84b7e47268

SHA1
b72376477bb3b1ad256e53b033eaf3890b7b91ea

SHA256
05a65bb0e8913342a6f779ddbeab85807cef9304eca21aec36465e2bcdac0982

SHA512
370b0bdb1ccfb9c13112724f789bd86c4ffa720f19d884f8e08c162f8cfd11de1b26964e3724bbecce62fdaae23b18af586ac72a3b1da9c5150fbb5f97bb0af6

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
72KB

MD5
e52bb6a64285a98d55760b1af9793a64

SHA1
86b486f4d5409a85cc1ad0fc729cc64bc14296f1

SHA256
a4c53e82e11ca4cb356828cd04b1101f9acabdceb85479778bdb67d7f5748322

SHA512
fe04ffccb5a19b6e8a49ded330aededcddb4c7973d510b9bff1bbe601b8981fd7836ad5aed68f3bd926a155dfb1bc90c639c4f267c1a1327936998afb91659e2

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
72KB

MD5
98b54c6f28bb36e9f2f68e86b96a1be0

SHA1
0c8f358b257c4bf7cc3cd30ec38d31691ebc1472

SHA256
67da72bc3cbd6f916db65714c99cd91d756fa77f7a8d62afff6b020efe7a9101

SHA512
60290de2ec1e390f024f50c438b12dce6cc2dcdd0c0c417178f5dd31c76c438a022e8b47dd258c746c1bd4922bfe4619b190a0cafa235c1046af74c57931ff34

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
72KB

MD5
47c158d69894159155a24a256989d505

SHA1
bdbdf20b5747db2b74d1ebd4e067fa2c608db63c

SHA256
0552f9d4076e0c1f6661bf283e36ad6f2af5934fecf42450d136b3cdd68f1dca

SHA512
313afa8014d0d10928771337d4d8e0151e13094336052c1c4fb7fb08f4a9a269fdba4c4515dec4da3c4b1ffa5c6b654ef8822569c4a4c97a67d97cb402926d64

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
72KB

MD5
e6949bd17a68020ca21b04b56ff5580b

SHA1
610695b65f71c5bf9fb1e13ff334f290584421cd

SHA256
2495ca66fb6be54941b4f9a0c447abca07a34d4e0b9fa40aa8210f9dc1409e3e

SHA512
495626b149632ac56ac4cbe529925ffc83404f4d125202458aa2e8e3c4d3f6c4100268c210e825f354362497c991b2a139cc7df763b55df74b5d84871543835f

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
72KB

MD5
e1beab43bfc80e139909e7c671514119

SHA1
998ca364801bfb09433481034e40a88febed8e31

SHA256
9157132be9804d8c6dcc0305389de22f7f73e1cfa589ebae85740efcbe56f1b6

SHA512
c3b455291bf56d8c457a9b89874d6f411a3f4c9c4bcd335b959bec6ca41b5863cb799b8b73b20377b1c2170da154ce80ac78341320ef9e1682e5654e4ddee0ea

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
72KB

MD5
a660a0986339dd75efd4d06838c93c98

SHA1
59dee7e2aa9ae48b68a9c9b6bbec5e4a790deb48

SHA256
46e70423295ba08b49cce5f76e72ae5b2c7556ebdbdbd877158ab199da7007f6

SHA512
5b549e47c594e0cf02296d03beec1339b10ec8d37ce3c0ca3ab63ca871145a790854982c2f91868d8602b27fab9fd0f9c77d14617499f3a66cd266fc65a57906

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
72KB

MD5
bb4255797323bb7b644d5a99cb156d43

SHA1
13fef3bd25e6069e6c0c81deddc790a0f6778b0b

SHA256
d4cf0c15df7d9e1e4c174dc1fcfc7fa4d47e529f495f9b5703dd874e9c31ee2b

SHA512
ce5582b203c293192687b77ff9fdca66a80514d2304b2514dbe4ad135cafcb18a866840437d5376ba988c904097e708026bee05c20f2ab96b507d8840de76c3e

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
72KB

MD5
94763bd59c5ef68eaeb8069f20731e64

SHA1
7671b3d2e43d89b6d25e4ddd1e837f5ba20556da

SHA256
a6767b429ecf815c2e675a2dd5431c4d2687cd165ce40caa1e1edfad33e470eb

SHA512
f8e0134c3ea400c8268e96581faa67e6ef692f21bc8dcf8ba0d7acf9b42302230d82fee1094ce93f05c11c0b486f1f6cf2af7885cb25d8028d4b515ecca7c783

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
72KB

MD5
1035b750beda27af20483739e52bd997

SHA1
923ad932c305ded63a808dfea9648c0ff85e23fd

SHA256
9145995af48bbd793f8e26f0a176d66e7ac7b8dd7649c67dfc2d20dd2d47a322

SHA512
faab5b1333e1afe96ef4cec9b12ec03e47e87db5d844f0edc41cae4feb282a28ce2400c69122e29b532369351235bb50ebfb21b84d30d695e38fdb472859c352

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
72KB

MD5
f77f7d404207c488915ced3f10e153f4

SHA1
0e67ce91f271b2a9e3f3b5a97187673a5379b035

SHA256
7c7cac55451e46b1ec1982bcf138918b52d5a0e793d508e630a0e44d15975eea

SHA512
0e2236993025ce94257df6f3fcb0e09093e55c680c19a62141dacba84e820a9af54b0fead164742a95f1daf81222dc137c65f8c11669cf93753ed4a3491a7ab8

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
72KB

MD5
46bdb5d53a8c2b071dbe77b91a8b1254

SHA1
85e7cab0b9913b8c7f374c9b245337065f02f604

SHA256
6c11411512067e33bf5baaab7291392a91571390542b3b4236db14df42d5a729

SHA512
a4a2597d265c4e01c1928e3cdceb540ed5389f13fd90ecec9b2559338527fd0f7b4708e02dd1f265091bbe8c8ff6dbd992fa9288229fd319e6358e801c694de0

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
72KB

MD5
62e57f5d241ba1b670e30ef895554e4f

SHA1
0555e5f01f75d7a71163dc86eb3bb23726d31f2c

SHA256
4ee19008d7288e65f8a2a19cb0ab1b78f09c40ba3e6b140b7a5eb68664432330

SHA512
96803ef527337ca468ca7ee8339e340838d4de5c3234bb6275af2de529a035949ea28446f1181bd8f83a04f2ae445d7ae3acd7421fca0e7c64778a5cbaf940d5

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
72KB

MD5
7b97dd04af8c6764ff4fc2d2cd3c8941

SHA1
f0b3db18957284c2a9c5ba63a1473ec8d19f4e53

SHA256
17895c3c8799a8c057ab463f96c9b106fb5bf29f9ced9ecdc39d69d5008edca5

SHA512
816918a100cca2ff3336d343ac3a30eb709bf26263b9345a36a3c0dcef83b620f58488ebc7bf58efb21ec95be8a73100404d30915026bdd4d75fe86904ba0efa

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
72KB

MD5
97472c9d0cef80cab71b84841c122d68

SHA1
4640b3a074d0a2e824825be6fb4de8988bf7b0b9

SHA256
76c7dc928dc615aa174022c529eed81530dce8a7313539659d7fb1149fe2df81

SHA512
6dd61613bfdddf184da0cdba55ddef71f1ac5019cd572124415cebc9ab383737163c76415010e883fd2e3dc5e8e8bbbb0aa98ab1aa42d152282b4cb962dc5154

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
72KB

MD5
e1a78b1cbe7f4bbec355deed4d4f14a1

SHA1
502be5e8337274001328c65aae525035d2a43c22

SHA256
27caed3309864d9715df2cf2be710f5621e2154564bef95888e32a1f62276092

SHA512
fc551ae6a798db6efe8916bb928845e590351bc5e174f5b664d3cb9788ad5a689d0fc4e49ec3e361c9724db1c56ef68dd03e4f44907acb8d3a47f44a120e7164

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
72KB

MD5
2bef9ccdcd1e5531e0575ab2855964e5

SHA1
3940022f3a8dd99d385b4f0a30f341182aa12c76

SHA256
66fc869f703e43b963af1470ee01318570b77213a1868acfcd381a3a64266912

SHA512
11ae14fcbedea03a55ece27e8035c15f8581d78990429fbc66b9131d33d208b255d060fc4269bdbc6f79e5115509860398ec91ef7f53ccb6a31afc33b3823ba3

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
72KB

MD5
86a54381ce7053f7e5fcf39260a693b1

SHA1
7ac4ff16ceb617f9a9e14c71737c85e193453439

SHA256
67818996b72630194018e8bdea4fe26ba37d673121f9592527b5d5039320e120

SHA512
faaeec1bb49bc3b049b7f2fd83d1264ef9357d42911812252e60e7ca34aed0441538010dff1f9010db51ddde20bd59e74ef9cf41fe16fa7ab90209b122cefdff

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
72KB

MD5
250f022502c5136d9d44d68de6bc6ba5

SHA1
378ae732b20505f51285b3d94d78b499c685e2bd

SHA256
47b225704bab2696b8c74a4df8b9796e8b4b69a15ca2749f521b802b8d7ed229

SHA512
1d0bf25388e18e009b634ff1243e9efb68bbac2995fe63c539e0eeaa5448120b4e6aff7becb177a6669216bd49d611481d772045a1b859b5730a7b2c193d9c7f

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
72KB

MD5
1156ca0231e6f04b8c58580807556a64

SHA1
30a9ee94d9cded277b72c6c3b1db6386c39cd570

SHA256
83062eee7d41b115a640e395238ed99dab2b51930b2b3b83d692c08f066e2174

SHA512
78a73208a5965b600f37060547848e302e01197be7ffd79020674db78e51892a309460a2dced653a8609db7fe2cd08f95a7babc8275a4be56c0fb596812c4743

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
72KB

MD5
13b7f250f1bab65307d03ddb08af9bab

SHA1
312c55acdfd1aa24c977309394b0c56a4bbd6e27

SHA256
cabbb597e99c13643560c2369685f1de99684ee425510e8ad70afaf86584e9d9

SHA512
4176cdf642610933d6da776c99163403c3716fdd7d84d5e4fed1860b9483eee4202f16eeafb713a7bc8405cd71c747f26e75f18d3ebc4f0f56b8587c2b8468e5

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
72KB

MD5
6861e97f122a4d86e55f069484b8e4f2

SHA1
1ff78e75ec3103fee28e1b5e22c60dd344ae2d98

SHA256
357a58cacc30898a8f52a9779ef18266e5632ccc0f8fcc51971a85bb8dc1881f

SHA512
35a00464fac3406fdb58132050f08422d8b19061e84041ef71b8d1c4371cdeadb90cda3ba03afeb3a17fe8a5aee0fcf7aa0807a8d5daa7e846839d7a0b1bb746

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
72KB

MD5
92565fcf9a86f67b4bcc6bd2dfd16fe3

SHA1
5d9cc1d4d315b9b5a02983cd1322ed940a25db96

SHA256
e469b496cfab4ea3165ab6d926529ce08789d12245f6dc15052cd8eef2a8ae2e

SHA512
e754f5ce85c34c64506a353620f405e4abdee7a6e3ba232eecdcb27cbcc569172f735d676b97449983ad3790f991c940562001326d90fc36c7e3c9174027442b

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
72KB

MD5
eb1ab0b4e737b70eae969d14d1a9f890

SHA1
05ad5026eb9d7ba1e3f5acae7f134807c7a8b95c

SHA256
3c0ff99d3893aed3cedab40186f57d90e4a58a28dca514466e2034719d85b83b

SHA512
dab11278f47c5c699dec06faee66ac8b95d2d58a6e934cde9d04920d676e2fab48797054a58335b88d42b18229b956f42e5ac0c5788b75355596c88c8b5b02c5

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
72KB

MD5
d3e16c35de68e493140d84bb2d6688ba

SHA1
4dc5305d36efa3f122866c69d8df69dec52f4a01

SHA256
508535207c086273f2081dc612536d90ee25785935e77b36fea53657d7bac749

SHA512
9015c2920b6ef69efadca5e4791f8aeee63dcc76fb76dcae69eb897c07ba4f64a913f2f73f3630b03c8edbb457d0e2805592ab49c92ab11f12e220373a73a3b6

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
72KB

MD5
0b37466d258d2b209f40252e798a6770

SHA1
9e98775d3c25b48e41aee6ec230a96728b2efc5a

SHA256
6c6c353af5a71e4caea66ca50c343be7c54a604d779fb0620a4bb53120ae6aa2

SHA512
d2569a5514101d90fdfdcac1d0a3f320464a1b9783cef04afe51cce187e8672f5b44f5383340c0373497864849cdb2ebd2a9d4fea9417bbc1cea8a7dcf904b00

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
72KB

MD5
8ce13d3ad11f8b15bfb31f03c42bc621

SHA1
8f4c27df7c9785ac1a2df3cc82a3073428da48bd

SHA256
d8f2fbe2ff5a45c639263d1799e0678e64ec6d4c71a79d754f964080be26eeaa

SHA512
0d799b90bfa126db512efd3e6ae4dbc6f0b0be6ab84ed8b273c76d44e8487d936c3bb02b741b098319b4f56c51391dba97e496f70fa92af61308cd6bee46b101

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
72KB

MD5
e3f4bf62d98655f9f3722b09ff12ccb2

SHA1
b90facc8f9df27078a717f506251d337c57e4dd6

SHA256
7e9f481ad01c2f9259082b51e50d8f775bb610f907f4becfc46af843908f31b6

SHA512
8a4a31711edd4090126b336fc597aa25b0669a5ad79dae0addb4b16daed2b03cf77ec8171d1f6a5b46c2aed70cfcc0f187eee335d47524d4d3a0fb64e3adc0c4

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
72KB

MD5
c0d0fc07b337011972a883a328839ed2

SHA1
9fd8703caf4c34cc664cfb0561442676722dbf61

SHA256
dec24df17a6139c5439cdbdb1be9175a9e5df6627df404c9882d056657155bb7

SHA512
51647c10343232375a803601fa2ecfdb67fa25c99db7e5d58152308b884de8cbcf28df17b99ed3d5a0743babd6948effe4d39f710b8ae86cee0b45fd01cc3ab4

Download Submit
C:\Windows\SysWOW64\Pifbjn32.exe

Filesize
72KB

MD5
277ac6ae87188d09d40804bf93a4689d

SHA1
dfb8dd2527779c623d6a2b27d7427ca1e1bd822b

SHA256
7baaca7a0a22a17cac160f0e68db0003979fae29ced38e6d5142df348778f693

SHA512
63eec2aad61251e2d744bef3348a1fd9617a384fe499a7937bc865fce8ff4e4de59671ae7bd37a9ae386e03e04dcaebe9bffcc5856daa6275b3eba848ef8a20f

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
72KB

MD5
d586343b883791ba990441a46e3b54fa

SHA1
32c2fbe15c8c8268f1f573b033e34ec546a2dc92

SHA256
e45c2436f9f9b7bcc1177c219c35b6812ddeb32097baf2745348561774d68606

SHA512
c94bef5c96156a87d2996bbed48a2a64df5c0bbe7cabf93a902c73de9082a8251d9fe6a126e9f5d3a6d9ee15191cd0f984b47977e34bde2f2a7b2ab7d5ef29b4

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
72KB

MD5
91a62be578689a4eab6a9b46ec6adc77

SHA1
e68683a214b7551a61296a3f7134a71ceeed4de0

SHA256
d45fb253c88702439760782c493d9b7607295e7f37526bd32f43ed0e8a882850

SHA512
9884426f0f4886a5cc04a9bf9a8522ebbb8247db91d861a545d9e03069bfea6b06665770d48c4c44b370bf270ccea797349252f83e7dc7f362ef9fd0d5397946

Download Submit
\Windows\SysWOW64\Afffenbp.exe

Filesize
72KB

MD5
c06fcd9340815333014b2f5fbfd2f01b

SHA1
3ee8cdd29ab73a40fea44e32dc1a0c719ec8e4f4

SHA256
6834afe2919ad8a274052ba3ef6e516ab9f99bfdf4be8dbcf807c0855638dc62

SHA512
0f6cfa48864f6db65d92a404a2e28e9ff028a342c386f33299f2392dd96f1f0a2cd9bfee52e1267c97e950525c2825532f0c773de16270e2bb92d20f3f287e21

Download Submit
\Windows\SysWOW64\Agolnbok.exe

Filesize
72KB

MD5
8ab8ab3921a8c15af470256e28fca4b7

SHA1
add43f36b6ca99ed8acf8fd6c5a68b79a2eb1952

SHA256
717a8a83419cf1fa872226730dc937310778208df84f76206d0a346b4fcede00

SHA512
4cef4e28457e7c79a26bdaa39f979de5547729aa4b1890572cd3b417d54310ed5d77f2350d04661b81a345dc8360f5a50be390a26c602b5a37b2aad82891c838

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
72KB

MD5
a86375487af5e7dc26716d9041a0207c

SHA1
2a39d758630ad1121a079f332fa2802873d81f84

SHA256
b8fcd369358bc75a75236d188463bad0c959d4bde89a3028aef8076306c198d4

SHA512
af5e06d3945f856c5cf77e5123f7514842428e1ff4e0de76394c26648b320caaaac3fc98f99b5618d2bf1cab037f8c342d33734566a2e659b9c669c5bf570a26

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
72KB

MD5
5be0ea22211f2a0c4ccf19998e2548a7

SHA1
6c5d13e17aa89518da4547a269c57075e1237a0c

SHA256
c20a9bdb853a671254d1713638a7b204c24edc6c6429059dfb9e8ff73018ae0c

SHA512
2002e9ef3c321323581ca65577792ea2d6ea61cb7ca57c9a41c04cb0fab2a879dafa46bb7168e4275b1720b5b9be9e0581b8ff0fe99dcd4898fe88e5715aad02

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
72KB

MD5
1e5fe8127194916ede2ccd9b64bee743

SHA1
172cd72766c94551c89b232b0665de9481e5589f

SHA256
a0f289b40feaf1872a5f7cd4f839cc1c43d3a1365f792e2f4597e1cf67316d5a

SHA512
54a03239cadb6d20f22b4cb743616ae75ea91294f8f2d5c7b3a8603e758e79c70d90fabc569f0d7634cc724f8628b5c1221625e60ac064660c4719dbf97b542a

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
72KB

MD5
8ec81c5ab48a0c63d843186b916c7de7

SHA1
e6b8b38e973aeb64fbedf270da18f45f3c585296

SHA256
8155d9aa78ac94867fe816375855ab0c10bfd4fc64520aa18325a6497a171cf8

SHA512
6a0875979fdcc26077cc0db14c475e8f23a61a81a57ed152ba2f5c45be6edceeed623da5c32f388e63d8d9d8486dd0b61e751935c4a391162fe372220aabafdb

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
72KB

MD5
58e3539d5b4b3113e2f6a829e9f78d8b

SHA1
0addbb5d3ddd24a5d1626138d99765fceeb4282e

SHA256
f1cdf7b787832b2ceee6cb9fa04d950d5dba3b8511db7bfa68e219a7ddaa2d3e

SHA512
ee4d6f2aec81c1f24595e81431022951e360b24be4d134f5a96067cf9b8ed03e7503f6178cfefb0e7a21d165611b54df5417cb57fe77bbc688cbfd0cefb4d6fb

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
72KB

MD5
1df080c76b8dbaf89e82e0e501b3c3e8

SHA1
d848950276abe177837b7db3c7ce3a609d4f492a

SHA256
71c890ee2c52c0d3364ebf7f41804c5fe095a844a5a1568542330f6c0a3c9dc7

SHA512
adc0204798d6fb3e89bb9b7458dfdd7b2c5dacf227c766aede3b0a7160205dd2f23e331b8cdd374c4a97cf0360e851893f97d8724cc83d83ca7dd6311eb52d8b

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
72KB

MD5
59c5bfcec6d043bb54cfa7a1039059e3

SHA1
1ed257a164caf41097a3fca57dc164ccd3f4a3e9

SHA256
38b28145ec38d4a1cdcc7eb9fe1bb937787a57ce6abc532135569677fcc6931f

SHA512
7994f99bb3a00e9d988c9cc58a51d43b3e08cdd7be7bcbfa718e453427b179cf6e0f3c1c7bbed18b293c105cc2e38b8bf5463789fddd9f49a40cdf7ff005f4f7

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
72KB

MD5
4ac8989ce273871cb004e5124fa7f521

SHA1
3932c778dfe07416be64cc20042837d8be7405c4

SHA256
e22f5afe7509271a17eeeb90cc57d61b8b8507b37efe25e5a30c0084e40eb3e2

SHA512
17ce386704fdd33c49c8962b019c691a54f749eb516f913986a098fc1b867037854ece6b894808380f47dd8798bf289eb1a7d85dc260e2c09fffbb0c1ff68d02

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
72KB

MD5
bfed39d1455c6d584b8cc8a6fa59c484

SHA1
91b7752db3f5f784b91c542b8df469b7abf23c6d

SHA256
ac93c0e954d0c351fe31d13f80e5e7c97921731d694b9cb55583ad33cb3395a7

SHA512
7df595d0d6acfa8fc97656734fb9dff8dcfd70364cb2d528bb30c84749e40832699c2272d833f226ebe4d764386d8de097b3bf1638f0fe72fdaa6bd7f48766b6

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
72KB

MD5
427dde3ad69d74e223cbe8d31a61d8b0

SHA1
dd0b2cc70c7763005f236c94f6e2ff4c8064b1f6

SHA256
a30d1c935deb0f97d9252b25b7681256b41614168507aac37463efa2262e955b

SHA512
3cc2fb01e5d9e1515aecbbd71a800d6184e0d6a89d2f48cdb1734283d718e26b7bc163b24b53be843360ae8e09d81a8cb3571a5a381b7a5d21ceca48e9f421bb

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
72KB

MD5
79a82514c79108e0303f3b14f1cbc9ef

SHA1
8fffbba796afab1c283e785f5cc29f029a947873

SHA256
1efd5ecbca15d929d7b00f25d185e510da185f58c6e1941f08eb8b56287d3ab4

SHA512
c75204508a8c87e9192a2b1192aeffff68c65570da7eea516b8aba6077f450b12a86c3ea3b4e29d815c3c388f57f238c0cc1cf77e433daf209d0f1656d81dd3f

Download Submit
memory/352-410-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/628-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/628-298-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/628-259-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/628-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-310-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/632-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-276-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/632-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-315-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/816-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-418-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/872-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-152-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/872-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-240-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/964-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-168-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1036-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-265-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1132-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1280-244-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1280-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-287-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1664-323-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1664-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-333-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1884-231-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/1884-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-182-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/1896-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-122-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2044-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-318-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2044-353-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2172-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2172-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2172-74-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2252-306-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2252-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-395-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2348-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-35-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2348-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-212-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2392-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-13-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2452-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-12-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2528-188-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2528-140-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2528-187-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2528-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-141-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2592-400-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2592-364-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2592-399-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2592-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-329-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2660-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-376-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2660-340-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2664-48-0x0000000001F70000-0x0000000001FAC000-memory.dmp

Filesize
240KB

Download
memory/2664-92-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-372-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2672-83-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2672-128-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2672-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-113-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2676-165-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2676-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-94-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2720-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-349-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2940-63-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2940-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-422-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/3008-387-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/3008-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads