7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6

Analysis

max time kernel
87s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
Size

90KB
MD5

6857e4111f34ddad67537cb41b941470
SHA1

9443c2fa5926a19975e3e2f03aa835959c3276a8
SHA256

7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6
SHA512

120ccc1bab9825066e8d0d83d7b5ed3f5313668a757d6848731d1c3f342a407fec22f8252ae15cb0f94a9e975b84576372bd6a58e174afe1e11b5081882675e6
SSDEEP

1536:uDUK5ym65436O0Fdz7l0Upe3Ef+fMTHYJcAEmFByVDMAETIWSNDH1ro:uDUc6OeB4Ef+fMTAcAEmbecKNDVM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe

Executes dropped EXE 56 IoCs

pid	Process
1052	Pljlbf32.exe
2712	Phqmgg32.exe
2680	Pojecajj.exe
2656	Pdgmlhha.exe
2876	Pidfdofi.exe
2704	Paknelgk.exe
2996	Pghfnc32.exe
1764	Qdlggg32.exe
1964	Qiioon32.exe
2360	Qgmpibam.exe
708	Apedah32.exe
1908	Aohdmdoh.exe
2200	Allefimb.exe
2052	Acfmcc32.exe
1112	Ahbekjcf.exe
1604	Aakjdo32.exe
1488	Afffenbp.exe
1736	Aficjnpm.exe
2500	Ahgofi32.exe
1756	Aqbdkk32.exe
1960	Bkhhhd32.exe
1956	Bdqlajbb.exe
2640	Bjmeiq32.exe
2740	Bniajoic.exe
2924	Bceibfgj.exe
2644	Bmnnkl32.exe
2560	Boljgg32.exe
2572	Bmpkqklh.exe
1512	Boogmgkl.exe
1800	Bigkel32.exe
1056	Bmbgfkje.exe
484	Coacbfii.exe
1400	Cbppnbhm.exe
2888	Cfkloq32.exe
2852	Cenljmgq.exe
816	Cmedlk32.exe
1516	Cocphf32.exe
1356	Cbblda32.exe
1812	Cepipm32.exe
992	Cgoelh32.exe
1788	Cpfmmf32.exe
2164	Cagienkb.exe
1592	Cebeem32.exe
1988	Cgaaah32.exe
2756	Cjonncab.exe
3064	Caifjn32.exe
2800	Ceebklai.exe
2524	Cchbgi32.exe
2212	Clojhf32.exe
2812	Cjakccop.exe
1972	Cmpgpond.exe
2516	Cegoqlof.exe
2880	Cgfkmgnj.exe
2788	Dmbcen32.exe
2972	Danpemej.exe
2364	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
1052	Pljlbf32.exe
1052	Pljlbf32.exe
2712	Phqmgg32.exe
2712	Phqmgg32.exe
2680	Pojecajj.exe
2680	Pojecajj.exe
2656	Pdgmlhha.exe
2656	Pdgmlhha.exe
2876	Pidfdofi.exe
2876	Pidfdofi.exe
2704	Paknelgk.exe
2704	Paknelgk.exe
2996	Pghfnc32.exe
2996	Pghfnc32.exe
1764	Qdlggg32.exe
1764	Qdlggg32.exe
1964	Qiioon32.exe
1964	Qiioon32.exe
2360	Qgmpibam.exe
2360	Qgmpibam.exe
708	Apedah32.exe
708	Apedah32.exe
1908	Aohdmdoh.exe
1908	Aohdmdoh.exe
2200	Allefimb.exe
2200	Allefimb.exe
2052	Acfmcc32.exe
2052	Acfmcc32.exe
1112	Ahbekjcf.exe
1112	Ahbekjcf.exe
1604	Aakjdo32.exe
1604	Aakjdo32.exe
1488	Afffenbp.exe
1488	Afffenbp.exe
1736	Aficjnpm.exe
1736	Aficjnpm.exe
2500	Ahgofi32.exe
2500	Ahgofi32.exe
1756	Aqbdkk32.exe
1756	Aqbdkk32.exe
1960	Bkhhhd32.exe
1960	Bkhhhd32.exe
1956	Bdqlajbb.exe
1956	Bdqlajbb.exe
2640	Bjmeiq32.exe
2640	Bjmeiq32.exe
2740	Bniajoic.exe
2740	Bniajoic.exe
2924	Bceibfgj.exe
2924	Bceibfgj.exe
2644	Bmnnkl32.exe
2644	Bmnnkl32.exe
2560	Boljgg32.exe
2560	Boljgg32.exe
2572	Bmpkqklh.exe
2572	Bmpkqklh.exe
1512	Boogmgkl.exe
1512	Boogmgkl.exe
1800	Bigkel32.exe
1800	Bigkel32.exe
1056	Bmbgfkje.exe
1056	Bmbgfkje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Mdhpmg32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	Pljlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pljlbf32.exe	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bdqlajbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2364	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Acfmcc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1052	2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe	31
PID 2616 wrote to memory of 1052	2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe	31
PID 2616 wrote to memory of 1052	2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe	31
PID 2616 wrote to memory of 1052	2616	7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe	31
PID 1052 wrote to memory of 2712	1052	Pljlbf32.exe	32
PID 1052 wrote to memory of 2712	1052	Pljlbf32.exe	32
PID 1052 wrote to memory of 2712	1052	Pljlbf32.exe	32
PID 1052 wrote to memory of 2712	1052	Pljlbf32.exe	32
PID 2712 wrote to memory of 2680	2712	Phqmgg32.exe	33
PID 2712 wrote to memory of 2680	2712	Phqmgg32.exe	33
PID 2712 wrote to memory of 2680	2712	Phqmgg32.exe	33
PID 2712 wrote to memory of 2680	2712	Phqmgg32.exe	33
PID 2680 wrote to memory of 2656	2680	Pojecajj.exe	34
PID 2680 wrote to memory of 2656	2680	Pojecajj.exe	34
PID 2680 wrote to memory of 2656	2680	Pojecajj.exe	34
PID 2680 wrote to memory of 2656	2680	Pojecajj.exe	34
PID 2656 wrote to memory of 2876	2656	Pdgmlhha.exe	35
PID 2656 wrote to memory of 2876	2656	Pdgmlhha.exe	35
PID 2656 wrote to memory of 2876	2656	Pdgmlhha.exe	35
PID 2656 wrote to memory of 2876	2656	Pdgmlhha.exe	35
PID 2876 wrote to memory of 2704	2876	Pidfdofi.exe	36
PID 2876 wrote to memory of 2704	2876	Pidfdofi.exe	36
PID 2876 wrote to memory of 2704	2876	Pidfdofi.exe	36
PID 2876 wrote to memory of 2704	2876	Pidfdofi.exe	36
PID 2704 wrote to memory of 2996	2704	Paknelgk.exe	37
PID 2704 wrote to memory of 2996	2704	Paknelgk.exe	37
PID 2704 wrote to memory of 2996	2704	Paknelgk.exe	37
PID 2704 wrote to memory of 2996	2704	Paknelgk.exe	37
PID 2996 wrote to memory of 1764	2996	Pghfnc32.exe	38
PID 2996 wrote to memory of 1764	2996	Pghfnc32.exe	38
PID 2996 wrote to memory of 1764	2996	Pghfnc32.exe	38
PID 2996 wrote to memory of 1764	2996	Pghfnc32.exe	38
PID 1764 wrote to memory of 1964	1764	Qdlggg32.exe	39
PID 1764 wrote to memory of 1964	1764	Qdlggg32.exe	39
PID 1764 wrote to memory of 1964	1764	Qdlggg32.exe	39
PID 1764 wrote to memory of 1964	1764	Qdlggg32.exe	39
PID 1964 wrote to memory of 2360	1964	Qiioon32.exe	40
PID 1964 wrote to memory of 2360	1964	Qiioon32.exe	40
PID 1964 wrote to memory of 2360	1964	Qiioon32.exe	40
PID 1964 wrote to memory of 2360	1964	Qiioon32.exe	40
PID 2360 wrote to memory of 708	2360	Qgmpibam.exe	41
PID 2360 wrote to memory of 708	2360	Qgmpibam.exe	41
PID 2360 wrote to memory of 708	2360	Qgmpibam.exe	41
PID 2360 wrote to memory of 708	2360	Qgmpibam.exe	41
PID 708 wrote to memory of 1908	708	Apedah32.exe	42
PID 708 wrote to memory of 1908	708	Apedah32.exe	42
PID 708 wrote to memory of 1908	708	Apedah32.exe	42
PID 708 wrote to memory of 1908	708	Apedah32.exe	42
PID 1908 wrote to memory of 2200	1908	Aohdmdoh.exe	43
PID 1908 wrote to memory of 2200	1908	Aohdmdoh.exe	43
PID 1908 wrote to memory of 2200	1908	Aohdmdoh.exe	43
PID 1908 wrote to memory of 2200	1908	Aohdmdoh.exe	43
PID 2200 wrote to memory of 2052	2200	Allefimb.exe	44
PID 2200 wrote to memory of 2052	2200	Allefimb.exe	44
PID 2200 wrote to memory of 2052	2200	Allefimb.exe	44
PID 2200 wrote to memory of 2052	2200	Allefimb.exe	44
PID 2052 wrote to memory of 1112	2052	Acfmcc32.exe	45
PID 2052 wrote to memory of 1112	2052	Acfmcc32.exe	45
PID 2052 wrote to memory of 1112	2052	Acfmcc32.exe	45
PID 2052 wrote to memory of 1112	2052	Acfmcc32.exe	45
PID 1112 wrote to memory of 1604	1112	Ahbekjcf.exe	46
PID 1112 wrote to memory of 1604	1112	Ahbekjcf.exe	46
PID 1112 wrote to memory of 1604	1112	Ahbekjcf.exe	46
PID 1112 wrote to memory of 1604	1112	Ahbekjcf.exe	46

C:\Users\Admin\AppData\Local\Temp\7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe
"C:\Users\Admin\AppData\Local\Temp\7ef648261abf6855ec5f9ad4043541a2496b35f298759442fe27ba6a10797da6N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Pljlbf32.exe
  C:\Windows\system32\Pljlbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Phqmgg32.exe
    C:\Windows\system32\Phqmgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Pojecajj.exe
      C:\Windows\system32\Pojecajj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 144
        58⤵
        Program crash
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afffenbp.exe

Filesize
90KB

MD5
13cf35ce759584e28da94107bcad7396

SHA1
05323c7c7145405ffabebb09f7200006b9853b1b

SHA256
ea6383c627cef63032e268bc512990665b8242dc14519db014385ae261e1f3df

SHA512
56a85bb5fbdd11eeacc406c84e80cbbe28c79db29d0c05b1bd2ecfad3fb1cd096f85110f15f2181abf646e277778c3945d991804b87dca92fe3c42c87f5bfcbf

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
90KB

MD5
4fc98e7cce74c679e5d48eae44fb705a

SHA1
a7d18a4c4ec63d32100d7d69f58a148d1f8fee6e

SHA256
3017f8ecf689d936fd4076f9eb5f3975daa76bf610f9d041b1161bf67b79c822

SHA512
2bc739ba3fede8923e7c1321b7705e8b1661428965fe1351bff6aa513a716c74e6c392af805bb0b8c8016c7842c4070274c85fa1bfd527c2edea1061157fabb1

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
90KB

MD5
6ca022a6442f9f27f38e7992f2ef1889

SHA1
d238627a89296adcb5fb27a9179ce7476d02037d

SHA256
d4b2a6a5c468b3148a36d276e5ef7e843caa3dc2ea426559e9368b6a5ac792fb

SHA512
7600c7da08977f93f61e5316a136f937a7d51334356d33ba98988471b8a0c1048e6daa444265d70b1302a077f9ba0995aa45ddc0112689f80e21a685775740d8

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
90KB

MD5
48c6b0c673007977aecd625ef2c8aabf

SHA1
81fdf3d06b78fd0b943ad4c4df46ed662f668c46

SHA256
47294c512e2233cac89720b2be251a661fde6b521af8f907235a11e5a46ec01b

SHA512
af602cf3d20effca70e1db6f82f54965cc1638a6a2d97fec5cb72ebfe25d7a4717ca13db5c965661ec6b8954c638b6c96f5f648c313880a4b275f90075771e58

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
90KB

MD5
107d3d56f826b257a0d1386c69928754

SHA1
f6d2f7492ae61d31519d81156cadd0327de435f7

SHA256
97cad16d064b83c363a63b782ee57c16bd14638fb5ca02105eb4d59949a5b2b2

SHA512
0443fb2f4967cb92acd00213f3f2cc91813201568cb01056f636e9c5ed73411d4c00700aea7ca9441f335764c77e13f6e5672391a2ccd92cad207bcdf73a656d

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
90KB

MD5
3c92e2724007e411408efbdb3c1e9984

SHA1
90420c36c35c04f31696e6a4e5fc5dc0e5e11017

SHA256
823987956abf97c9989318f003a1643c52d7be3f905d3f4219f41836bd7d0877

SHA512
9036d149ac819f481327a6e8721d2250d1ae5f8bcb51d1e4090b438ab55cee20b49014c002ef7e30312e7b90f21449e60e6ea48a1fd735560559da7714974ba4

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
90KB

MD5
3f7130dd8a9c6e1eff74bd973ddc08db

SHA1
67d7e0de72676d50ce19511b902ec8ed231c1e10

SHA256
4abcc8fa12aa7793531e7b4c6e6620cfe00a37e559b65287595371e1b7220109

SHA512
5589995b0861195a02c640f0aa730e7d6c03c0a45988c5d3867b876398e5679e9d6d801c79961e5e5543160dcd3f42860126ca9c2a4336499eba25d5565f6491

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
90KB

MD5
a4ea92ec8ff19925fdc59daaa4adff64

SHA1
904898379f04a3b1f5b444858c9710b46c482e3b

SHA256
e581d49a930db1a8bb2f9a300d6d8b3bad7d4529809dfd135c99a3940a230ea4

SHA512
ab4634da5eac619e4c2ff9b7d8be262210c620ab32035f525575254ed9e51a6dfb3a2e6606655e050f3b9001d01affb504294a185b12b080f58aca753d06906c

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
90KB

MD5
13f79c31207f446a8389308450d490bd

SHA1
1ded232fd4163c6472ec756d4cdf3b97c6d0c4ce

SHA256
558411468f0403852f28e1aa5657fb801cbf4f1d3006fd59ebd5ee2d53b21a9a

SHA512
a9af2378b7399852ebb794a20a63ea74b5be520ba9ff76eff7eb7fa571953d4e60d00ee07520d1fc9e2d0ae71545989d9c600633634af73bc9175358cabcedfd

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
90KB

MD5
35b128891332831ec3cccaf4f0987e76

SHA1
a3903c8fc475d927a11a226f03d65ff91ce568ab

SHA256
339c83ec5a561c737bb098010632f800d77a291f918046af1e0ff4f1ffe1bc6b

SHA512
b482f23a932bd309e45dfed99b24472285ed3d0b67136cb16cc1aaecd37dd71a756d2586fb30ed81aee21ed20476c4e6038bab72a0ac746e474c412314bd2be1

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
90KB

MD5
e637f228553e6fc7e03f9f2ba5ae2e63

SHA1
6c50d4624f802476da1934064430a98e9dd5e7bd

SHA256
6a4467dc63fba813f648798802b15f19c5cee12edf317851f7de6774af641dd9

SHA512
8a437c80daa858ca64df30da34ed2d2994077df49e693ccd3058ef5f664cfce5572fea4e9b07cf70c8c8f34b931451a80227a6b6c7ff950b1e418d6e1c6d65ad

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
90KB

MD5
d1f8c83fc5803e0d0942844497144083

SHA1
39b632825367fb2438c8241a54676dcb58ed6e0f

SHA256
5122ce1a333927601fee0c879fff86b6664c5f8d707e15bc9a47c58b77f77798

SHA512
228efcd86546cebdf5cfaf1cb1a0b209514d647237704944ab1c99fc26376e916cb52e6c5fcd27ad9e6cbac8f0fc841ff11e6ded94ba8cfd45ca146aa6e5d607

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
90KB

MD5
07f52f3f47919b76b5e83e22ddfb29e4

SHA1
2be4070b715cc929b0742d30cce18e6f5518dc12

SHA256
3ed3e201d31c234d89386d8114183029a212fd2d15121f12f5de5c9168b0a978

SHA512
1db77013df2d61ac1dcbde67ef5b26dc8be3f0d6efefd84741580734bae0dd99d043e995bcc1c14317ee3415242ac5808718f39d734e3f278eb78764a0c7233e

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
90KB

MD5
2df3b5a117942db15e3698d9a60eded8

SHA1
390b86e857da3da11d3ac86a65c27cbbf749065f

SHA256
07804d272953c15fd4e506b717528dc5be4768b658c9a9d11b3732f4a9e1e1b8

SHA512
0b8a59c7b5f146ebad2b67ff3cbe30e1c420a25e219179d1bfc40cf17ea05f2bef1d709a9521d3acbaab40ba974076844bb76598e464ec3dd7d25f03ade38f45

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
90KB

MD5
182b1497be18b2728c2e9fcac2003e52

SHA1
80e1dc90fc3a72f22490e66ebbdc7a1de4b379b5

SHA256
6a058e8cb247a8c396ca745fa53293cdbb139e46f58bd6406ea31420c35b7e5a

SHA512
000ce505045fefec49cc929cd7dd0a0d3d88ba800853f1965f3879885b7e27c36e0409725009ac20ef8d1c30da044ae556597a09cf6066bdf2139052ded80472

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
90KB

MD5
63e66a28049b6aceab370ef0f53af4d9

SHA1
076afc8d3521cf42a78c1c71672d1c6ba1645a78

SHA256
15b8946f8ace2475bb263787f6ef24b38e450922315d75fc7ec92dc6f7a9e24f

SHA512
975242a99c0e4de6e891c5fcfde9de0f302cc8ac0038e59fbdd45bdcd21f24b43beaaf78e90b861bc408f521f3209e3ee446ee368e9a8d105854d5f93c6da293

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
90KB

MD5
fe516f6cd12e7425c36aad098f7cad1d

SHA1
056334c1102b3c9c8b06dea2788b2fefa36ea313

SHA256
df22b475df151fa292eea25d1a4fbcb7800fbafe1be08c9b31c51669ba707bab

SHA512
fa770e8692766a5a61d6ab68e7c40875dd05778fa18e5afe1099831e3341ccd1cc8f5ee95582575422d53a7fe49d8a1dedeb98bf0ca89f1cd00ce2ddfedf4709

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
90KB

MD5
3b0d90e33f06f9f2a7f745d49c2b6bcc

SHA1
f35770c8fefe1ce5581175219f95844f6fbaf9e2

SHA256
185ba28619d14792db596488d2f7a6cef5b85e1925cde9f6996882b309067e30

SHA512
cb63f55fa7ecc8a188fc1093361adc15f11c34991401936c8db51bfecd627f668c4b02ee0195cdd16285e5238f63138d5cc3e052cb56ce980a9cc21e6abc5b9c

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
90KB

MD5
8e7bce3b7f91628a4f2e06212c111da7

SHA1
52d4ce759ed28f8047473749c833b5ba271f0ef4

SHA256
fc8c88866caf14f9aaa8c73d8f135700985c22a1b18759bcc714fdf66a5f1d31

SHA512
acbb03fe026aa28403d82bc1544257ed22412561ed9df9ffe40a37c0beb47da52cc910ed17177f498a2add176c6aba4c576aa661260f87ea5c0c3668ed30ccc6

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
90KB

MD5
f88dc3ef809628a47a57e38a9ab8f7e2

SHA1
47306082bbd4d2e42f9abdd0a725646de201a5fd

SHA256
2ae853cf70999d76524ddd9da0cbcc5784fff7e32fcd95ff4db11a0a2f0db5d8

SHA512
02cbf2cb371caf8d9f2c2d73597938eccf74eea8bdc3431ab9e784c710db1cde9b96e55ca214f4d8d2f3830f27ad7c2a9a47cf1a3d1df652e7d55ba244f2a3d2

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
90KB

MD5
bd0ed9c59acbd3c9b2231a2180beee4d

SHA1
59cf5067ef4f6b1f45eb3e4537661f894d1e4b57

SHA256
ae41a413eb5639982ae75a21c0ce85217913f09758c7d8c7919934134ac30c38

SHA512
433259c64b29709f3df395b7813f3bb89c68e0d9adb83b2f528eea3eabb6da077819ae84378e25549fba0c6e74aa4145c0154cee56de8329961a4761bb99c13d

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
90KB

MD5
79467b0948d9b4a8faa335838b0420a0

SHA1
a79e8514c911adfced47f650c43345a0e3aad5f0

SHA256
5855a2d8202fcb37b904ca98e537c0387442e625ca9d76c11683cd8dc32b79e9

SHA512
8ce09d0268abb35caeadb6424dab15d51b5b4df34c4ff4e4bc19038afb2ed8ae5bb8c37b0116feb97d96e425df2b55b3c072ade31df45d09ed8c79b51b6a3de1

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
90KB

MD5
b43f9d8a39db54fb83c599285e00bb66

SHA1
0576e076ddcce4199a4fc27cae28b83cb961455e

SHA256
690cca44a4aae32b48aecbcb8d728f0adf7e1fcccc14c05384fd822652bbfd92

SHA512
08e5347c4602ba7aa3fbe358814cc54343aed6d486612b8bda34337cd335959b106deaac7fe808c6a5fea954803d1a88fb62449fc8b7de89c6720d88877f218f

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
90KB

MD5
aa88d6cbf5c80fef32d30b090b398f30

SHA1
9b13569ef452684ac7cb579fe236644953cbe6ec

SHA256
d3abdd26cb886f4d7a3b2e22bde2efc4677c58506a6a6ca29f09fc2903627834

SHA512
a436a7a59ce72acdfc874ea05446b25778cd18534e99df2d1f2cd351348ce261b5e4dd933843ac3f55583b40447ccce0f91714f0551cad2f8a36f743f9f69a00

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
90KB

MD5
62be42ea34e9a9949cbdff0df5785ef3

SHA1
40c4243fe0a625396e5487069c254a465c6d8443

SHA256
fe38245b324582a75bbef1ec85166df8bb003576bc9b89abeb4b6134358a3c41

SHA512
a5c67559ece59337b4f7e118389277e910377df667094040040f52c4253f8f024cefbd595b7d52a9b7572c3244c196bd3f93041f2f4ee4c56514c1758a8f8ffe

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
90KB

MD5
d6b8827864985938776f80bee84cbb2c

SHA1
61c6214ddebbe556dc937d43879cd5f560493711

SHA256
e548b74441bd3470b19ff3fb49af0067cade05782652b2edb40235dd5b255e43

SHA512
b0a9d46b5e3658c3b95964ce2996556bf583b8487a2826acdd9e65f779e3ec1e3b6872fbce528babd7603e16213aaa1176c976e5dffd1eb87df22bda853b0a9a

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
90KB

MD5
a7a6ece07159a834fc59535e965a8962

SHA1
9dbdbd66469d30ec09590992b430d94f7b10ba9d

SHA256
3edb2cf04a5ad4f126d8ba142b23808c081b9bfd5e513850ea91e1daa799b19b

SHA512
8f51f98270b4b448458d5c2c653acb9b6eadb792c599662400b6761dbd348bb8f63dd01fea0370654eec9b41d365b228a50f2d1dfb064292ffd88ef795dcd7a7

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
90KB

MD5
b4bc9cf4565a4518e7806bfac855f9b7

SHA1
48a0fbd3938199f9b425e4561fed76655c67d823

SHA256
e94b366a04a69751e94a0eb75ebb16c417f921bb9ec9f3c8516e249ec5490b89

SHA512
a4cd2634c679b7a07579c44385669e4d77b0f9f486a6f24ba41cabb5c55935b2ebf2e57c0d0971493cf3c34b51cb88a3f1dfa2a050878074906378916e9397dd

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
90KB

MD5
b8c730dca914d3b76a954c62565a3fcc

SHA1
e7d6e2e0bd6c63aad1b56f45701eee880d8e228d

SHA256
1ace3984b40743a6d0853d2edf9097f12ccafe8411fec76a29506ab5ba49bc99

SHA512
cfb50d089474d9ea66973d11db42a65817044918c51a802b668a20e58ca098e6bce024e503e5175b09c0646cea94d70006aff01232ad4be10e2fc080d3bfbe15

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
90KB

MD5
5e057f8cbc0f8d896f40ddd348b88f26

SHA1
1accde2b5c546647885a1689e20c6abdf6bafd08

SHA256
a65a719f867a2979293ca36c321c514f5758beb8e4865cd444685ae3d6cd9fb1

SHA512
dda0b3c6abf27085bc257f9ba5a200cb32dba712d99dfa6307fe8bcd9090f5970c39ebec98ada5b6ab2353d1d6fde509db5a0fe533b34ffdf0d99f060f595816

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
90KB

MD5
ef1d06136868d39b16d85cd8a4ddfe73

SHA1
b0c5c91c25da79a905dc38fa3fbf66f0116198f1

SHA256
6154497edd281fe0acc2a1ee46622a07ddbabc76ed72c99c8f81e3de5a287e68

SHA512
cede1f08a9d7afd856138ef74fb5ad696c0c761bfad4f0818bd377202bf4346a0e1f02573f8ea4ad1cceac4a62943c94edd15abd2317b4e745006b211bbaf5c6

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
90KB

MD5
8605dc064bc3cf976cf1f17e12e430f4

SHA1
8481d9dd5eb1b7255ba35d0b8ae2774db6fe3adf

SHA256
773698610a181007a64f66d82284a639de996f39587d3079ad616daefce83ed1

SHA512
dc6e105073171646778d3f72314be1a85f0c9e2f6a0e7ce8b37d749767aa69c0544f8a8b54744da4c1c5ef63a69092a714d6a3ae5df51fa924b11130934c6939

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
90KB

MD5
6f0a1e308fad90b582b399c64c055e8c

SHA1
4e9e883d17a825087504171e14ac1424fa0da2d0

SHA256
ecf7b2d0bb229723cec557b32b670e19f7529fe270c43fd543093bc2e6247fad

SHA512
a0139a902fa7b0fe78009f0e3a8e20f6fc3c4be87d1401e6b34739e16923c9f9f3a5027b90c00d1d9d0dff19a0348e649560760a10cd0aa7c2503f555381fb93

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
90KB

MD5
67bf82c9c9eee4309ef1bf727beb9ec3

SHA1
0fa42b511269a7303ada78d962c011cb73c654bf

SHA256
f69dfc2ce977c04886705494993de5bfd7024356a71df5b2e1245b021aa3da42

SHA512
3f2cdd33a6f3ded99dc0d165f1b27fc3cf42c6be2220ed48f388718bb2a4b1932482a0daaf02bf1594aa4f0684bc7b161ef0c785b95bc7b6497f2687414c029f

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
90KB

MD5
34a7a32a9d51ce99648395e49c4733fe

SHA1
d84e200e5e1578e5f2c389e7c75a67dadf901c9a

SHA256
f85e6571c657f1ab7fa0b733cfcfe7d99b25bf9cc0b1143918d8fc35e5e730c2

SHA512
67cd5ec0ea62a6b6a173dc4d4c249b6c2ea96471f323a145a66d2b8310207aac79fd32fb3de1c66f80f27602e5f138e446c099f9fa027a7dc0de53038cf9d31d

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
90KB

MD5
c7f90aa20f5f905d996266a14aeadd89

SHA1
ea5fcee984725201aecfe3f89f646580421dfc48

SHA256
59c2e606189af048f18e8a65cf5b78d8d7177363fec16e74ec310aa1f463cf48

SHA512
53d311a985b00c7d36ab8a0ea152b934c7de327ad7e81e80fa7c2459abf18684e5bb38c959c9857b829fd4650691c95277a404847f9fa058d232e9bed4a2cd39

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
90KB

MD5
c4d00da531b206c794cee167cdf1bdf7

SHA1
d66f7c1d0faeb9a6144db740f4982a5c4f98050c

SHA256
5184f6bd4e564e70e7a13fe2f77e81d6a2ba40a5bdfec5bf5b6bdc6cd441adf4

SHA512
aefaae6092d5211dae0279936c2027825581e86029309a837fd2857a717a1a449ed363777755bceba4ad16597eb63e0cea4b96a50bdd80d6190b4028cc3ece10

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
90KB

MD5
5faa498d01b8e02eac042bdc016ea82c

SHA1
e944f5abd2192ce3e60d7f88778facfcd6124dc0

SHA256
27af5bec881be8ff144eb978ec82bc06bb329850be93e07d7272efe618079dcd

SHA512
6f0420144d30672bc1a899f3d0e5d59a8ceb77d809b2f5bc971907c977c51d72f448ed6882a67c378b103ebfcb5fd667acaebfbfbdcc8d5169230f4b3f7cf32f

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
90KB

MD5
07c5ce10a5d8894456ba1c75bc5d725b

SHA1
894e9da8acddd0e9159e06fb8806729b4f7c0943

SHA256
eccc665c8acc09aa502ff392e910692f2c916e598d9171702280e3d85866c960

SHA512
7efae5dcfb379d5fdc85e17c792e1cacec83a0afad480b935bdd9162affec4c4b4d0b4258d03b6843c1bc80aaede1df54667a76d43ff02f7c539b0404a9651a5

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
90KB

MD5
1d01cb384d2ff4d9273c0242ab0b4b27

SHA1
87fd9c97a7d3656a625da568d7a9705dfe940bc3

SHA256
1704e4b51a4eea16604ac4b65e72d6266314a3d02667b30df1a69e79f71ff045

SHA512
fd96e543f1db32ca38edadc7c04c812a7b0fc93a7b365ee629604126903dc0ac054a2c6852f1355de97a7b569113f9d42344e8f1b0690b8a208e6a458eded60a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
90KB

MD5
be5a505d064020326303270d6f0852c8

SHA1
d86ee3de85d1b01f8df9789e2a86dd4a6158def7

SHA256
f55ddc2c1cdb32ecb5095d7bd70b0b64f0b4b71c4c6e21dfc47e46b67a47caa5

SHA512
43de54a9d2e6f4cb6ce6d06723ec5568b4800f3320f2f1412b72370ad52814c0420674f9b67701014496073419e12006eb9ea512d790c774f4ed4887ac8451f3

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
90KB

MD5
b198275ca4d7e2dd65ec9017f0b15324

SHA1
7dc60a00544fc3e34b598840604bbc99f88f5da9

SHA256
a51b85ed0774d04e67f5f63f45fe03577d827ea6071f79219a89e2158e081ee4

SHA512
773a7a8aa2a4e434d76e2a7e550ba706b4c0d192e9865a665f483489bfc4ced6c16073e252fee9932d30ea87070d2081ba0964ce977d8f4fc50fd257aafd0c10

Download Submit
C:\Windows\SysWOW64\Kaaded32.dll

Filesize
7KB

MD5
e93a56c2fba09eab68f92c25953431db

SHA1
37394e45e3a52dbea9124eb69ee0d672bfb14bc2

SHA256
1e459afd38c8a2c5e4bf82215c1629682980cf535eab8aa70449f360219f8793

SHA512
b4657b0fcd2ea31043a6c0490b31da96087338f9f7db0238357e13bff38a9960f38470bead1b8bd92098c7f668a2199fe5f5c3a363ca11cefc1135addcb70434

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
90KB

MD5
df67101aa8cd9a944987b37c71ba3d3d

SHA1
d689fffa0d8a1ee189541e67137ce4aeeb319c98

SHA256
6cb852d364f8bf2daaa4b85c3980a275a87f7a1edb36e5ace1056e7faddae1da

SHA512
f0ef69e1c12feae8179c09ddc338611a5f62d61c40b2bfea3a18bea2081dfa4e414162928f1cc4bb581962a3416160c662a7008fea9191a1c52522cb9311960a

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
90KB

MD5
d6522ee42606808425db1b7cd5aa8850

SHA1
acf2ff366e2209449b67f210f2a414dcd2bfb4d3

SHA256
9dac69a99c6aaa8e894405452b6f27b2b8330e834bab33293f1f45152303ac9d

SHA512
3faaa27fd89430b18b438a2cd356b84811a569cca2e9c7d4772773a2b0ea98ced48deb977270b560dc5ac7e1eebeefd139407daaef9e3f2866c8a4bf7fd5fe05

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
90KB

MD5
b335b7b2861307ebb566a91e838137b8

SHA1
1711ac54ed9922c1ab5355fdb368fc27d29b5bc4

SHA256
8253c7503df5c0745995e45eeef0e630b67d72a5a640ada6a86529df1516b125

SHA512
a2867ec0d9fc060a1fcd5fe5ae2aa7bb598f7136db78d3389d8f0357a23d7f0fc936de4a168a1a05ecaf6c993505b38a6c055bade1118a63726f9560f219a374

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
90KB

MD5
76cdaa22fc34d053a2f700ddaea055be

SHA1
ca5b8d64e9e26dc85c7eebbcaff36b4442f3c77f

SHA256
d4de58bcc8526e3d5e40ff410d68270daa19fb9fba5278b9750c9b9b6cad245f

SHA512
82ba24ba83b4e40aff75f92b8abf10ce9e9b75d14fa380da296ba123fa2dd5bef3f9b30f8bc7d506e5e4127f043f3b918141b5d2a16844cf29d7f26f7b2b7922

Download Submit
\Windows\SysWOW64\Acfmcc32.exe

Filesize
90KB

MD5
4b7db85f46995e77c9aed4d8ba5f5533

SHA1
ab24c4351fa0eb5c679bbdfbcebd79d554a36ca3

SHA256
6becde0452b45123055c5ad6db9c895b227e4282bed71d120cfb1a6d97040458

SHA512
d1eb67cdc7955cf3358f3e0f16d4d3bd1658fa974f68c40609c6119391ddaf11e185ecd348bd14e8f001a323a4058ebb56d6a292f11836ebb2460f4fb0f43361

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
90KB

MD5
94c6a9d04b094e25299b51a11b0ee115

SHA1
41e0b9350cc794823f62f2f97c63007e897cd3e6

SHA256
7d7f7d0453110201e4f884f996bfead2681fb49ec0a07c1f6ea2851ab7ffbe35

SHA512
199893288e03db152a12183f334f4948b15f424e6c51b607a1fc17c960858da860546267b046d42bd8369b8a1808af58a2a1546a8394f25eb2161cc678a3eee2

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
90KB

MD5
5e0225e8818e1ca0fef9f631b92c06a2

SHA1
7cc798ec61c8cb2798673d14bbf98b1ed410d3fc

SHA256
111cdb06608226bee954eb4594f03de7bfea3c9135dd63bd9fa444f8ba1501a9

SHA512
f3fa5b7e562e0cc3adc32194ff4f5658d7eac56a51280c83fc81d4cf243dcc33a851a1548d0ae91f6cfb804f4e629154e55a9d84efe9670610476f622d584667

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
90KB

MD5
d1dc1ae9a30efeb8bdbb90e61d45fbfb

SHA1
468a2160be02d6e6a7f5e8210c1de014b3b0b9f2

SHA256
3c20926bdcb87542733788cf29241c8769614ba5a4576a6d3e2e3337c44f2ac2

SHA512
c8f511c96c183f4f3788a8f59c5b5927d622d5d93334273689b17e37ec1db6bab60a966cbceaea9b0f59068e6662521a949a2f407ea08543c2c9d75191e79610

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
90KB

MD5
d631d13d540cb1bb24187d005eeaa523

SHA1
bbb8188f59e5d90d92cd108bc61d5ad261af2ef1

SHA256
8052911df2bc301b409fc07236838f787bfef7c3f8a3dbfe510b7c5e040fdbe7

SHA512
935a6309fbfff97faf5187a03c769fa67e8164b6c0763afff7684fa56b8157d2378a57dfa7591ef967d8623976108221af31f6af546c69f0a4e6f2d5a7d5f0df

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
90KB

MD5
de1a91c457c7291f19f4d8749f2cf3f7

SHA1
6e9041e3faf9f7a3c37b2ec377b1d0c0c00e1609

SHA256
3dd09148800c55c2a571e2f1cde05d951bf78295dac2f996ddfd4a654cdb12ae

SHA512
48edcf8ff43824b8e769fcf2aa2384c0c30e8cab698da9d53bf542ae5f44a83b02b4e51d5292523d7fd56fc166de27cfd907993f83992bb654afa9c606027833

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
90KB

MD5
ef08476b2b092f84eddb57a2bb61e27e

SHA1
fc47f795343175ee88e801116ebe13cef162fd67

SHA256
1b42de29c17509ce2b3f9d30c6ab406934b33fd11288dae752e129006840c655

SHA512
bcaf63ebf46f74bf124afb74502f7deaf575781853d202dc580185f843b1e45e018d9144fc01d0a403cae4cbd3e28aa364309736299a2235d6a49c04901be22b

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
90KB

MD5
fded2120332a7a9634de3504b5fa4d6d

SHA1
a7842bf2f512f1ab9ed1a55604762c545ade854c

SHA256
7ffb28485bb1e8cd1681239ba07f046116536ddb869f39a7eba92467e887e02f

SHA512
1c257764349e6fbb05dc1f8edf038faf71b3c84c37e82a37ef0c91193d15cd33a08449e102c8cbf7bfae3a3e2005df99fb7e345c231e473dcbe1db6eac747b92

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
90KB

MD5
f7c54bfa881feb1c966da8462ba544c7

SHA1
5ecab5aefb29234ebea636bf1a8160fae3cbde2a

SHA256
27e4691cfbfd6bbeda967f671ce55797dbf07d8ab887006674f6d727eff90a5d

SHA512
f8fbde3c448d81d3cb75b161f81dc4b65477b929f493bd43eacb3f8d0b3e9a41dcf54265053f48d286b051bccecb158aae6e0fd8266463db4a3f6c407e313b1a

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
90KB

MD5
504c1808a38283b20530c25194098483

SHA1
df8dd8a56ad02b7c35518e7e17847e4dfeab7cff

SHA256
1ebcf5267bc79e668777ce7880e3ce59a9d4a66de75b34d63070e2e6f93014ba

SHA512
f880e3796d5446d939c4faa387314c1b1d60242877ed2c258f6b30d694a996d1bbee3b9cd2a109ecad15d951a6ad3e717c97fee62b83ef50f75d47379b2aa889

Download Submit
memory/708-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/708-232-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/708-175-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1052-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-26-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1112-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-234-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1488-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-309-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1488-259-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1488-266-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1488-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1604-252-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1604-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1604-298-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1736-275-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1736-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-317-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1756-297-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1756-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-292-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1764-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-177-0x0000000000360000-0x000000000039C000-memory.dmp

Filesize
240KB

Download
memory/1908-250-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1908-192-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1908-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1908-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-366-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1956-367-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1956-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-322-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1960-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-305-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1960-310-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1960-344-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1964-144-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1964-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-206-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1964-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-224-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2052-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-265-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2052-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-222-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2200-201-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2200-254-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2200-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-161-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2360-223-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2360-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-375-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2560-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-390-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2572-389-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2572-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-13-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2616-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-12-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2640-328-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2640-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2640-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2644-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2656-69-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2656-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2656-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2656-123-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2680-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-39-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2712-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-340-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2876-78-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2876-84-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2876-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-130-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2876-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-139-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2924-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-355-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2924-360-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2996-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-107-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2996-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-169-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads