29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299

Analysis

max time kernel
87s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Size

96KB
MD5

d9a41978194e54d1148749bc96826820
SHA1

165255886ae4b4c92e36149847e8586e5f3d45f8
SHA256

29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299
SHA512

50c040e12e91fe20c41aaa907aebebbb8173abf45de77ed5decb87426a27164f68710c93aadeec2d4cc70b821715a00649cf574d93efd966b142ff42ebc8ef02
SSDEEP

1536:mympJIyUYxqTX1Zir4sV+DniedGzaS5zNy5buFbnGpTlOoIYDOM6bOLXi8PmCofV:mv3dqTX1ZeJ2nirzaUoLDDrLXfzoey

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbglhjq.exe

Executes dropped EXE 54 IoCs

pid	Process
1052	Pepcelel.exe
1956	Pmkhjncg.exe
2640	Phqmgg32.exe
2660	Pojecajj.exe
2564	Pdgmlhha.exe
2644	Phcilf32.exe
2604	Pidfdofi.exe
1976	Pghfnc32.exe
1780	Pkcbnanl.exe
2424	Qcogbdkg.exe
1716	Qndkpmkm.exe
1312	Qpbglhjq.exe
292	Qcachc32.exe
2888	Qgmpibam.exe
2156	Alihaioe.exe
2928	Allefimb.exe
1356	Apgagg32.exe
1812	Afdiondb.exe
2136	Ajpepm32.exe
2720	Alnalh32.exe
1524	Afffenbp.exe
3024	Anbkipok.exe
2224	Abmgjo32.exe
3048	Akfkbd32.exe
336	Andgop32.exe
2464	Bgllgedi.exe
2912	Bjkhdacm.exe
2336	Bccmmf32.exe
3040	Bkjdndjo.exe
2548	Bjpaop32.exe
1808	Bmnnkl32.exe
2340	Bchfhfeh.exe
1664	Bffbdadk.exe
2492	Bqlfaj32.exe
1400	Bcjcme32.exe
1200	Bigkel32.exe
2860	Ccmpce32.exe
2364	Cfkloq32.exe
2416	Cocphf32.exe
956	Ckjamgmk.exe
1784	Cnimiblo.exe
2780	Cgaaah32.exe
1804	Cjonncab.exe
2216	Cnkjnb32.exe
1636	Caifjn32.exe
1280	Cchbgi32.exe
892	Clojhf32.exe
2256	Cjakccop.exe
2692	Cmpgpond.exe
2572	Cegoqlof.exe
2800	Ccjoli32.exe
1920	Djdgic32.exe
908	Danpemej.exe
708	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
1052	Pepcelel.exe
1052	Pepcelel.exe
1956	Pmkhjncg.exe
1956	Pmkhjncg.exe
2640	Phqmgg32.exe
2640	Phqmgg32.exe
2660	Pojecajj.exe
2660	Pojecajj.exe
2564	Pdgmlhha.exe
2564	Pdgmlhha.exe
2644	Phcilf32.exe
2644	Phcilf32.exe
2604	Pidfdofi.exe
2604	Pidfdofi.exe
1976	Pghfnc32.exe
1976	Pghfnc32.exe
1780	Pkcbnanl.exe
1780	Pkcbnanl.exe
2424	Qcogbdkg.exe
2424	Qcogbdkg.exe
1716	Qndkpmkm.exe
1716	Qndkpmkm.exe
1312	Qpbglhjq.exe
1312	Qpbglhjq.exe
292	Qcachc32.exe
292	Qcachc32.exe
2888	Qgmpibam.exe
2888	Qgmpibam.exe
2156	Alihaioe.exe
2156	Alihaioe.exe
2928	Allefimb.exe
2928	Allefimb.exe
1356	Apgagg32.exe
1356	Apgagg32.exe
1812	Afdiondb.exe
1812	Afdiondb.exe
2136	Ajpepm32.exe
2136	Ajpepm32.exe
2720	Alnalh32.exe
2720	Alnalh32.exe
1524	Afffenbp.exe
1524	Afffenbp.exe
3024	Anbkipok.exe
3024	Anbkipok.exe
2224	Abmgjo32.exe
2224	Abmgjo32.exe
3048	Akfkbd32.exe
3048	Akfkbd32.exe
336	Andgop32.exe
336	Andgop32.exe
2464	Bgllgedi.exe
2464	Bgllgedi.exe
2912	Bjkhdacm.exe
2912	Bjkhdacm.exe
2336	Bccmmf32.exe
2336	Bccmmf32.exe
3040	Bkjdndjo.exe
3040	Bkjdndjo.exe
2548	Bjpaop32.exe
2548	Bjpaop32.exe
1808	Bmnnkl32.exe
1808	Bmnnkl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Pidfdofi.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Phcilf32.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bibjaofg.dll	Pepcelel.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	708	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pepcelel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll"	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll"	Pepcelel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cjonncab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1052	2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe	31
PID 2616 wrote to memory of 1052	2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe	31
PID 2616 wrote to memory of 1052	2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe	31
PID 2616 wrote to memory of 1052	2616	29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe	31
PID 1052 wrote to memory of 1956	1052	Pepcelel.exe	32
PID 1052 wrote to memory of 1956	1052	Pepcelel.exe	32
PID 1052 wrote to memory of 1956	1052	Pepcelel.exe	32
PID 1052 wrote to memory of 1956	1052	Pepcelel.exe	32
PID 1956 wrote to memory of 2640	1956	Pmkhjncg.exe	33
PID 1956 wrote to memory of 2640	1956	Pmkhjncg.exe	33
PID 1956 wrote to memory of 2640	1956	Pmkhjncg.exe	33
PID 1956 wrote to memory of 2640	1956	Pmkhjncg.exe	33
PID 2640 wrote to memory of 2660	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2660	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2660	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2660	2640	Phqmgg32.exe	34
PID 2660 wrote to memory of 2564	2660	Pojecajj.exe	35
PID 2660 wrote to memory of 2564	2660	Pojecajj.exe	35
PID 2660 wrote to memory of 2564	2660	Pojecajj.exe	35
PID 2660 wrote to memory of 2564	2660	Pojecajj.exe	35
PID 2564 wrote to memory of 2644	2564	Pdgmlhha.exe	36
PID 2564 wrote to memory of 2644	2564	Pdgmlhha.exe	36
PID 2564 wrote to memory of 2644	2564	Pdgmlhha.exe	36
PID 2564 wrote to memory of 2644	2564	Pdgmlhha.exe	36
PID 2644 wrote to memory of 2604	2644	Phcilf32.exe	37
PID 2644 wrote to memory of 2604	2644	Phcilf32.exe	37
PID 2644 wrote to memory of 2604	2644	Phcilf32.exe	37
PID 2644 wrote to memory of 2604	2644	Phcilf32.exe	37
PID 2604 wrote to memory of 1976	2604	Pidfdofi.exe	38
PID 2604 wrote to memory of 1976	2604	Pidfdofi.exe	38
PID 2604 wrote to memory of 1976	2604	Pidfdofi.exe	38
PID 2604 wrote to memory of 1976	2604	Pidfdofi.exe	38
PID 1976 wrote to memory of 1780	1976	Pghfnc32.exe	39
PID 1976 wrote to memory of 1780	1976	Pghfnc32.exe	39
PID 1976 wrote to memory of 1780	1976	Pghfnc32.exe	39
PID 1976 wrote to memory of 1780	1976	Pghfnc32.exe	39
PID 1780 wrote to memory of 2424	1780	Pkcbnanl.exe	40
PID 1780 wrote to memory of 2424	1780	Pkcbnanl.exe	40
PID 1780 wrote to memory of 2424	1780	Pkcbnanl.exe	40
PID 1780 wrote to memory of 2424	1780	Pkcbnanl.exe	40
PID 2424 wrote to memory of 1716	2424	Qcogbdkg.exe	41
PID 2424 wrote to memory of 1716	2424	Qcogbdkg.exe	41
PID 2424 wrote to memory of 1716	2424	Qcogbdkg.exe	41
PID 2424 wrote to memory of 1716	2424	Qcogbdkg.exe	41
PID 1716 wrote to memory of 1312	1716	Qndkpmkm.exe	42
PID 1716 wrote to memory of 1312	1716	Qndkpmkm.exe	42
PID 1716 wrote to memory of 1312	1716	Qndkpmkm.exe	42
PID 1716 wrote to memory of 1312	1716	Qndkpmkm.exe	42
PID 1312 wrote to memory of 292	1312	Qpbglhjq.exe	43
PID 1312 wrote to memory of 292	1312	Qpbglhjq.exe	43
PID 1312 wrote to memory of 292	1312	Qpbglhjq.exe	43
PID 1312 wrote to memory of 292	1312	Qpbglhjq.exe	43
PID 292 wrote to memory of 2888	292	Qcachc32.exe	44
PID 292 wrote to memory of 2888	292	Qcachc32.exe	44
PID 292 wrote to memory of 2888	292	Qcachc32.exe	44
PID 292 wrote to memory of 2888	292	Qcachc32.exe	44
PID 2888 wrote to memory of 2156	2888	Qgmpibam.exe	45
PID 2888 wrote to memory of 2156	2888	Qgmpibam.exe	45
PID 2888 wrote to memory of 2156	2888	Qgmpibam.exe	45
PID 2888 wrote to memory of 2156	2888	Qgmpibam.exe	45
PID 2156 wrote to memory of 2928	2156	Alihaioe.exe	46
PID 2156 wrote to memory of 2928	2156	Alihaioe.exe	46
PID 2156 wrote to memory of 2928	2156	Alihaioe.exe	46
PID 2156 wrote to memory of 2928	2156	Alihaioe.exe	46

C:\Users\Admin\AppData\Local\Temp\29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe
"C:\Users\Admin\AppData\Local\Temp\29f3696b3bd36ac127a64f7f80a53ff86a613e353111ffa80d120c57458b1299N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Pepcelel.exe
  C:\Windows\system32\Pepcelel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Pmkhjncg.exe
    C:\Windows\system32\Pmkhjncg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\Phqmgg32.exe
      C:\Windows\system32\Phqmgg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 144
        56⤵
        Program crash
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
cbb266f3dc0808b6079dcc735598bdbe

SHA1
9ccc8d6dc43ea764b5c7ae8b079f60b59c7758be

SHA256
79a7340486744132ee20468a796839eab448fe489d9596c8505f47ad09d88cbd

SHA512
eaadc7162ad3e4e9cb10631e543400ade3a17d97289c8e832d8295339d6e6e02c4a6b19f8ca7e1a41fd4af30c64b70ee6475632745341a5f6603d7d2ac706244

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
96KB

MD5
d22ebffdad05da203766d8496fc0552f

SHA1
cb894d648bb4223eb9ea9e9fba43afeda932e416

SHA256
96b4d1ba7ebd51c1dc049f170eb228fb02154f2e711cf797f0c2d6fcabaa946a

SHA512
1db1486fdb23b8fc3a525649817c9b402e2e83e3560330570f56cb118ff76e413ff98c9c1f5255c8c3ebed3779df9511b8c53b20a459a6ff3d3c821c9a2386dd

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
96KB

MD5
745e8b5aa27a7ffff62a06ff9d9b94b4

SHA1
2fdb78434e739248328f6f2adb0575101439cf96

SHA256
e27c6548623eaf3f26a3a479454518212096f93998f14ad828066ec27184b950

SHA512
b03ad64a2bee7732fc3fc99590f530ab0908a5780bd1da6b4bee36bec57d330e6960d57c95fd5f44bafa93d16773ac5160fa4f758209394138a417d05aed3b48

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
96KB

MD5
da1dc268f69e932c6e4bef4c6191f1fe

SHA1
6102ec4ddd2a42d9ecba659f8e89dfd2d0f85ba4

SHA256
f4918f1f583f517ab1529a53e61fbcd6ff87c426f043d09d625686eac397f3a9

SHA512
f2fdfec051a36ea24decf5daa7d26f2c80e20eaf25627bcbeaf5207b00444065c46b7a8bd604f0bd61ac1e7a93ad3c75eabbd3662b5c119fb4d96441dda70476

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
96KB

MD5
4be2f0551f417f60da2ab39606b165e9

SHA1
b2c8b08f669217e61545131bb631fe08c417f9ed

SHA256
457e9af7b931067d64b28d31f7fca2943c105e60fbd84dbc71fc68e299ac6fe0

SHA512
57d15d8bf3150c89943d222256ddab9fa6f5df9e706afdbdc51ba4307010978a0f178c659f46fdd4c4c0054c7e9ea37682c51989b3aea2c4e371ca28524e4a5c

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
96KB

MD5
9c3c20a8e137b7f5d54dda29d42789a5

SHA1
5e176f6a70883aa5125e29f826e1f31f4108f6d5

SHA256
11bd92c7afca6c974558ae36edf646f4303fcb4c0f0f7fc17af224a349b6e3da

SHA512
128435a8494fdd040ef702209ed44c5e048bd24f86619b190816582d0aa72055cb15d2892a48f5a8ae118420750ad0a35afd3db7fce29342b7a8fde2799d9c2d

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
96KB

MD5
d66db1b550bd1054ee12fdb31963489a

SHA1
15ae5bc7d3c39f4606277a296f85eff782658e53

SHA256
54c5ed923b5376a19c10e9a6d276c306e502ac317284e289e26bd0c10a029fe2

SHA512
8ef435680225d74f60d8779524f868ac797ed7686e7012b05b084e2acffab77a17f1856598f51170295f23cd020d39c65791cdc3a619b066a4dd9d1c8f91d6d4

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
2de475b773553aebc67ada89520f947a

SHA1
8aedd5677875342c4a56f09a287a691fb68afed4

SHA256
ebf6757b03ac6dab58bbe4514b46cfa2580363fc151c9786e5e526f42de576ff

SHA512
8ea769c2b0022a2df6f8ab92cf946fcfb34b7172eb77b227f647945d666f2e01742cceb5039568e467b4ad6590cc56f7ae8f1e36acf99c865b492f713769a234

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
8009e0a7327fa5be452c86d452671048

SHA1
dfed5d9f52b9a5ce725398e56cd5ca3766a45295

SHA256
3a31019c000ff1beb2c7fa71fef2897f671b11f7cd10dbe2934db39226e59ca5

SHA512
d89843dfc5c47838e3670aa6a8c694bbaa37dffb332984fddca91aa3770f6f9c6bf776d46cc2561818dca4637acab463792f4412ad0055eff3859ee7b12230af

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
df5366ccc7ff1ab1e370291c81ca8676

SHA1
3cc768214b0581dcb2e046e015e17ad8a365e24f

SHA256
8127b4753d6a34f09b308c80805d5ff2d3bddff31978d6bf8feb32ef13a8cb17

SHA512
e6a949c202d60c66f993a16e8cb6ac9bea863cfb754270d042b72b60b46b6465c3306f1033f573c6c24c699f49f08b09c382637623414fecc36cacd741ccebfa

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
174d9c1d13c413e981e8da2d411727d2

SHA1
f69b0e110951c8589152fb917e3520ea6ca869e3

SHA256
796712f0309115289cf3e5634bd9fced7ed679b16532c5acc28dc45e753f4083

SHA512
77b91ef99679bdf9031996b59592cc80edd2609201890e0ece318f2fd0ac84fc9b8efe584b9ec426067cb32b2bc0747a07f71e3b751f22d6e215b573c85a39ce

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
25ecf4cfa3133f566a0da26ef1dbe5b5

SHA1
ef13948e342b19430bd627663493165a28e576c2

SHA256
1fd7569dbfa869a761f6f36f5c89b39a686d26c3d2449b3cee90229c8df541b6

SHA512
de76f619ce0f03fb50e75c02f2e756c9972ffef547271936d4957a682e9a6d21aceb1edf604a07bfb07c5cda8bab0d02ba0cf10e41ae2942f5eb2f87cc46770c

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
264583d4375c4d188f70fbe99a664670

SHA1
2f96419c9a8b5901e93247e98e08178c4297f3ee

SHA256
01a3428d571169ae0ae89af8f472b40cf14f7fb3e6e818d5aa1d501525de6daa

SHA512
157dad3731d438de3f317718f283df33437f5a46979c6ee88f7d84e00ee7ea5c19cc47ce460516046dcc4684c914d59fff3f96651d8b09a205250480c7999167

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
96KB

MD5
67e5cc4304c319014e0a5a92668549ab

SHA1
79dad102a80adeba7495163f3d299fb6a466d0b4

SHA256
bf0f6fc4cdd5c4c73ce863209cc1f205bb550abd7177a5ae75c2f0a2a6988235

SHA512
65140e6c584a1da86ac57f08380c78e1712be280a1bdb2b711aef117b437d95f83db99106ac50a49a51910863322711ad8d8052979d2e5cb7b0af83c83a8b6a8

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
96KB

MD5
efbe18618c854c3325ae19e332acd7df

SHA1
e11f6d39087795184e644a2f1ed2e07412a8fcce

SHA256
451a84785439461c865427bba4dfe94622fcd725d20d04a46610687ade6e9b3d

SHA512
0cd9c27617cf23bf5534236e99fc84d101aba9e50f28e40b74ba03c3ee59765c9bff88cf1d06126d9266b38443211f196619088affe8fac2dd0e79dae44effff

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
96KB

MD5
ac7d9c64760c122ffce80239be8c8c51

SHA1
73fbb72f53c46a964a18613054ec08fd616c0be5

SHA256
e764be21dd91bf35e42e6da839b32bc722893ea2553cbada3c87ee0bfd060bc1

SHA512
ffc640da141ff54b9cacfb8db35f209f04662bc18fbf94fd89ca6788053cf8b75831021719eb5b88c51fca3ca3cb302a90abd6511af50fbb00473ea8776be927

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
96KB

MD5
edbbf31f00d08bab9b34467303515de0

SHA1
82268db2caea550e35431d5778e07d002570ac1f

SHA256
539a23390ec179e483bb3657654320dfb96cacb1594ee9011ac4a04c83a20671

SHA512
d2c93404dd10a8ef7ed411ade65551255ea83cd8345d6b1a869f284b4b55371a7db6234cd13c9330a967e4a9fb35abad6655b914aaf4e15ed07cd5b971046415

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
96KB

MD5
d770f2f642ef6ab6bbe68750065a2ce1

SHA1
d5bd7e7f0141c1de10853fe20c1967f121f99569

SHA256
0a6e559f49ca28aee034e22f9ec5a78311b133ec7995880facdb29075d14dad5

SHA512
d0c7c7b56ee5479cc95b29855c03402556559c41442f1d262ff86648d49488596dd781efaf85285450af566b6daec5ce454da0cab06924202a4dc437d156de86

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
af3bea155e1ef22e4f9de241df823d70

SHA1
572fab3f82c00261010e70c35bd3a78a1a60d7ef

SHA256
4d35e859646bc85c4d97f2125547607b7e5279e134b88ba0dd6f63c7ddd7c8e7

SHA512
93711ebf1242dcbf95dbfb2088e64d4bccbaf161f910cde1fa31386664d0629b15f4a60d764026d892e3ee2f18ff255a014b967e9abb3e96fa980b7d3fb384f4

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
96KB

MD5
4f8c0350d2582d7a2bf78b505ad1574a

SHA1
89c5e06ffd9f5258efc869380fa7e69698c1cb19

SHA256
0d1ea684d6c12a6257cf35b501deedd96a6d5bb10f0a4e0404fb6f0d3bf1d2cd

SHA512
09a4a86661db22be326970aa5170c0d474e0d836b918adb4e09256106e9668cb89835fe6d8f4c74610fd196aab3a49a06b7668c46800cd57853df7ec124c56fe

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
f1c8ee583f88b0590d374b81eccb2452

SHA1
3666bb6b566f0d511c45cf1137ddf4c38aa45737

SHA256
f3acd0ab42a34086ed10f48c72cf2be39a740f57373319da6583ba8f5531127f

SHA512
e70abdd60eeb7d494193ffa20585926c1232539a7c6cfa62ee604a50f7495cf76d7c03b4e78e771a660a41bec87207922cbd1e3ed5ac69c15d25f9cbc31e58de

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
3e1ad682df926249cb239e5003042826

SHA1
20792e7c627dd94a429d8f51e0e27953754aaf9a

SHA256
2a06bb574818cdebd5a00d255f3558f2f4cc5151a10fb540caed896ddaa20f03

SHA512
d07fd8827b8418185b14c47561e4e576afead3dec384220b0e2c44ab8a1e225706a5e0120b2bb1efe0f419c253d09c60c612d71cffc798b7300874871f3f3968

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
c8234fd9a68c3e4f0f294cfa105d9f3d

SHA1
816ea9fbc8465269c8ed3f9db130e17b72fae7d5

SHA256
9133a75972faf0a5691b687ce51e10b70396ad8708eabe709074f1e3846f71e4

SHA512
1c1c8020f6adb958467b6f608449e7447d370a05e748414fff3ca09e380cbbe0b5850b942232828a850d3ce5b042ab63ef69d45e0702b3b4b0e64716662ea9b1

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
67f99e543238f09be9446cbb9a72cfc8

SHA1
bbba98af410db9162e0c53845bf5e8becdbc5a76

SHA256
3197f25d930c1697c8b0b6904680ce16aa2d10a6c1ff0c231c1236506b8dfe3d

SHA512
63ad5b872492b21c3c8b74af229bfd0c0ee6d26fe62f98fff5e84ed887dacd92b75ad6a0bc3eb2295b362797318ad5f9b2f78a9e051f5182978237d3d805bd6e

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
098071f29b746c32003bb7a7df64a5fe

SHA1
fe64b2681ab861e8eda85a5fb2e2135aae928c8d

SHA256
ce89e41bf842b6bf8abca8a557d8c998a87f47d036e8e55d1880ba08a704931b

SHA512
e9096e49b95fb9789df25381f8f799f759851dc3e1c07a9ce9aef7dc1550a9294a30ef8f4e45b4cccb71bcc780a8b4ac104ebfc3220990f45daaf68a0442d330

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
d977a430e58ac51908d209cbafbbac0c

SHA1
4f660db96551d7be1a2c3457fa5901aa7cabf2b1

SHA256
70b325634a45fb6a2533937fde574cf49807af5e39f1458dec0f237f188e7b7f

SHA512
20146aee50b78bde81c85a37ad8b09d3bfa9fe1bc5f513cf5a15e4563a707486c2289633ee14c4ebdedb20b4bace422c390c6d43e7c194d350b65f7cf1d12954

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
c2491682cdd4581c85d1535599e4d423

SHA1
756e55fdc14d15653022f9908d067b065f3f840b

SHA256
b5717783b619a008671bd074415afbd2396e09294c724d71157f4dd1b361ef2c

SHA512
f22fb0e0b10f284848560ef2c9a77195df2ad063e744fd315e95c8aa8a97fdb46a227733e2c67ec546f43de2da2c13c2292f98e1d02375a73593241a052793b8

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
5d0d196e1f992471d853b4b6037cfaf0

SHA1
9cfcc07c06f4b7ccc8853e712de61daf100122d0

SHA256
216fc7f55b0dac334c713f74a62a8e62caecc7abe54efe8f00cc1c94b5da1fbc

SHA512
9a33e130054a03c1b373087a9ba6b4b3a785deb7a2278a80c31083b49267ec2179475af8a7362095ee1a3119178caaf5a92d05a65167c162d3a3c7755ff0eeea

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
a19e9fdb60aea9350949a53f6cce9e50

SHA1
2c564fad07e5afb604d28ef53ba6c1e37bfb79b1

SHA256
a68f8d88fa452613089b68686a38a880618c3eef0b656b2045d8bcb51f46f062

SHA512
8cee5b6092ea295927c575e39126bd2dd9127e0dc2e0880379303c49fc404ae439388627bbc49f24f767e1a1c13d2251b11bfc767fbf73e4b6beab0da7e37596

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
719813d00e5cf533af0c6b8f96246b41

SHA1
bcebf904c8789c428f5ed2aa58442dfb4ee383ce

SHA256
74e18eff2eadce80123777685197e3f015ed043ffc0b69cf7009f68c4b43a824

SHA512
a855d5b17d6752a03654e027f0f70dc94c82ee113b15e17b7be268bfa8b9b13e92c45d9bd4bf3453110b7699766d55a5673c00ca78bec5a5db23cd01e263258a

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
981668cfae17f7cd2972b466703ee98f

SHA1
df91c8ddd17f273159c0cd4f267e1625ca8bc4a2

SHA256
00b009d686d5dfdcf841f7f5afd46029d94af507efc0f61865affabae75f8285

SHA512
d6268bdce25332df983826f3e32b088c0d41746758070c72cfdca837f1c69ae5e66cf55ef49df6ab4847fe2bb54e48e7ba2004343280245284ec2f09fed964fc

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
9c9ed83f15b9eff146b37d8075daa665

SHA1
9ddcd18a1e38c70fd09164bd9333c63ac52f065e

SHA256
c4ec9a7505f7647d7d8d8990895b43828c16f4f92c62f49771394d43563ddeca

SHA512
4fba40122d8bdea9dcb45db4794401c53f82d0d9986ba4443df28a1615057104f6b1bc28281be397ffe786980cf4330b43ea85ecd0787a0a71303a0fc56ed799

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
ceeefffdf4d8fc5e54717f88dd9e3bd9

SHA1
492e99b8747c2622d31eff88f8c7cbcc5fe274e0

SHA256
77c551d94a194cff5b98630c5ad068094c4eb3b29a2d8c4e68cdf0e54e730b51

SHA512
e366de9df44e813eec62dff8f2a14bd5e25aef76e75f89b777d0791260946eb441670c77d39ba6d3fc62f391d3f92fccff94a5736c80f599f0c579f3a475b688

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
f53ccac63a399470bef4c74fc68c8d5f

SHA1
0d8b254705db4a474e872345b19647f72e50d1cf

SHA256
69d4b5ff4f8d090dfe9908c1f007ed61b0cd9193c990b5e22e54aa1852d90877

SHA512
b74276b42bd050e1d52c38f9414ebca9941d346e5c9510576460f11ffd15fc7b785b94b6cf76fb29883bede9e194a77337bf7b4f3a3d2753a7561f1b8af10966

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
66e2b006c6299d5d99627496b5e6d346

SHA1
27b80f3148dd8bcfe995384f8706d5a59883c10d

SHA256
abb7129ffadcc90c82397ad8ed7320aaa596a25754669be16ae985a34c7fa182

SHA512
669c191610f0f932c597d53ec07ed9f3f5142b24723d821a9b7adfb8cad08d1b4e0d416fb3a70b1a15d7fbca9cf7311aa0d218031dd0c1c41bbd8fe30d8c3cba

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
dada254054ada58bd90cf04c8c877481

SHA1
80ad92bca52cb5fb85d484f70a8934793a038320

SHA256
d2287f2e511c9c75a06b996ef55726bd2360a01b28eb3e9f3f4eff7046a7a634

SHA512
7a2d77c857d1897727a99af95cabdc7ffbbce6d32e0f2b05fa2bc79becdc01771a80bf09cbddf190f6b49265694facc5236362cab0ae9a1ec6d828b6f00794d7

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
96KB

MD5
f4c16d32dc45c69ecf74c070174d837b

SHA1
ee3277fca18db421ce167d9f6c7986ee7a4cdb6f

SHA256
76e8fa5f6f978c91c0e3fa42fff5d8c0dfac5107f94998230c83863660d6047c

SHA512
550470478af5d4c5d94287f2566d6aad00c5452e1590db1c782ba6ada3edb6d0aac37ee4474c7bb1f730d4365326ddbac78c3694b8fac606ea9f33f14884ca6e

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
60b34280496375480779615df3c66f9f

SHA1
3aae380089d192cdd692e3c2fe3c680aaeaff5f4

SHA256
2dfe409eaa63ac10951b2a74c49677cf79ff93e875715a63ad5517f548734be9

SHA512
48530e0484e3504a567ba3b77d61c1c4641b1c8fc93060a4f78b001a5c93acc3f6ccc47c457dbfd2afbf8bc1142a3553d0019781de07d7c930a96052b6d83c87

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
b474851e26ed5a39d9e44ad5b8ef8c7b

SHA1
ed321b19f5ad8b263f0391ff543716b9de0d64aa

SHA256
7611d2538941bef59fea923de1defa8a34323368e047c3675efec217d1e84205

SHA512
39a551c8f176d890158d9f0669565391752bd2b93249cf9071955102e80ae55214d189da5a519eab920c8fc5dcf96763d5f598829fb8c3f2b5a24d38be5b7caa

Download Submit
C:\Windows\SysWOW64\Mdhpmg32.dll

Filesize
7KB

MD5
b867545e1c05a9e8f693d9e7dba629ea

SHA1
cce3359e476d1414f012df03459d5e0158f0692a

SHA256
3e184b253ab87fc228e69f2cb79bb870a29ed6712d5297bd115355ce0a7aae9c

SHA512
ce89e05cadb04927be7b735b1fe68c660240608d3d957063fba1403bdb998e0d2d0ab5924517ed9289c063a8f2bb977a642d6a134992b2d3f51aa11ed2d2916d

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
96KB

MD5
ba166ec218645987f239c41f554bcbec

SHA1
574b8893a6d3511f4bb9eb5b8b480c7eb1a83960

SHA256
7fb0d726fc8283b7a24cdbb0811398f13dcb7a686186b40e877e2632db5736c3

SHA512
b85c965e2162996e5bbee87d69a7d17bb85037fb71f3168cc08a57857195c130a5086bb577235e4797674aa1f3e902951e7023fb4c89b8e966789c8fd9d705ff

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
96KB

MD5
e023e6769efcbcaa3534d5fd5a053d60

SHA1
79df49009fb0f2915bf386328105d3679a653a04

SHA256
3d1eb9d849d44d6b2c6e8d93f98a30a57f0c272a708ff2154501021b77a2088a

SHA512
837042d82708e67157c04bc5aa70d85baa1699a9d983686b978cdfc4f942cc446fb8d9bb775518e06e9d696e67e71b8cb99e763144f7605bf8b622123cd4f0ec

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
96KB

MD5
3b9e42bf52857f01456bb512922043cc

SHA1
2f8caff124c8358c384f695df0e3fa928f2bae41

SHA256
eb008f53a15f4e1e84382421850e49be8bba1038abba195744744cb6fc26b787

SHA512
9a426f1af6dbc009bc1eaac1c6bcf15b25e80cb41b817b3f47e9ae8e67059cf4e56c880a4495e1c55a51f6096d1c416b6df349a51525a7b1f587377158ae2739

Download Submit
\Windows\SysWOW64\Pepcelel.exe

Filesize
96KB

MD5
ff3aa69a5ea82ce6f3b51ba7e7245de9

SHA1
c44879a98ce7ccc4a2f30d0a93f749b67244d761

SHA256
b951476e96408972c77bc48b46b5967bc98fbd10a5f861d8161634ddb0036759

SHA512
5dc1f87e460b1f4eade403a79c056ffeba3922a195baf3b755e48f6c4f3d87da0b0845624a22ca77c27d15b48cb31a42f1fabbef61d29c4aa9b6019b9a4dda0c

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
96KB

MD5
75e4ddbba02591fe624734590341a941

SHA1
079a177249e687e3d4cc661ced1213c58d6c9a21

SHA256
0adb06218a6e1672b8e59ef88ebd846bf0eaf7ed8c6b5e428f578627c5fe76cd

SHA512
bf64cc8a8214375f883f52919ade1dafd70e2af686c19d9ab659c89eafc9995bb4327dc960b6b617d9b9d0ed30beebaf71be3d3b918edb8947446189f0c857d6

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
96KB

MD5
4d06f4a769369e5ec04acc386b23940d

SHA1
001bef9cc85825b4ff96b0aeac5701aac2f67bf9

SHA256
8f1947b4fbd81626ca52a223c1120754c14e282dc39ab249c627005d23d69322

SHA512
6cc6181ceb711a24d926db268bd5d3fcb7b6f25418322660a4a21771d804ffa3294d5446809eae0f3abaeafad848f5101d843dbc1661d0a0c2ea1f9a581574ad

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
96KB

MD5
12d8737d8b7786d6e09a6db94848fee6

SHA1
cf21b2dd1dc0193e4e4e93ba4da4e0f8e1dbdc69

SHA256
606f611a5117d2d68fa62137f22bd7cb8da96df9551f8ab833d492033547372c

SHA512
77e65ff0ef31d6d17fa097218d9c0a62a60a5315b0cc4e8b62f524b84551f394d14122743f0b6920831d9650d624b4c62b83ee028a2009b19f4e676a3c60d050

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
96KB

MD5
3619478b9d600079aa0c61f5ff1ece91

SHA1
11ca05081ccb44ecb5f85131e38e944917bcd051

SHA256
abcffc3cdd5b686c9c10d1281675352ecc869221a2bc8961dd77764710c411b0

SHA512
f4a487e18170a1d75eb450f49c7353ce521b8ee0dbbea3c78bc965cfc22c15212577c0f4160ae08ae913cc927505d427bab2e61725226b929cb20edf4c7afa4c

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
96KB

MD5
f1e64523da04703ac9bb62531b1d6982

SHA1
c77a78e5fd39fc865ba018fa78ed8cecd6e4c5a3

SHA256
db58ee8bc5696d3dfb115fba9d5a223693cb6e83ed5f91adf889a86999814c34

SHA512
2fac3ced5c3953ac009b1fdb2562c282a40d1a619db105cdf12fb3f4693c5313c6f73e5488ab59247f27bf090300cbfa86b53167a2bceccfbd5c0f2c39642075

Download Submit
\Windows\SysWOW64\Pmkhjncg.exe

Filesize
96KB

MD5
22534f83b10b0531f677b11882487b15

SHA1
8a7968d79f34a6d258b18e03448ac7dfd516444d

SHA256
98dbb90f0d9041885f578a83f900822cbc900f52d2358d238db8f7cf65183cc9

SHA512
4ba6bb6885f20efb8ea9e352d4cbd5545c5858aa815618e8769a75e186fde0c2499f0f22fa087ba2791cbe6cc3a0121ac46bcbbc3fe95e4c00e98222155343d0

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
96KB

MD5
5a9a01c51854b6c011c03f11c4aefadf

SHA1
fcc6746ac2268d9121fcb224c94ab1b649225bc1

SHA256
1308f9083117a77381fe675c857df50f89ea5b2cf1f9f87ecdac033feb74b3ea

SHA512
3478a4d9b58bf686e53c310f85861b80dac3dfbed6afe78fd3ee4d89dbe4e2fd075ad4eef94b92309106f2b3df49c65c49cba9e9e4d1a7314d66069b09844498

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
96KB

MD5
8b5ca4004c3ad0fdfad07e7873556341

SHA1
69550dd01d3b634a2a334e0339088a1c48712dbf

SHA256
2e3d2aaa7a48e747963d43e43d2d3a1bc98ffe6c9aebbae7143edab5a217dd4b

SHA512
e867a2434e99e7f5d6a20a0cdf62edea8d870900ce2dfe22260c3ddc1602c10c3491b7d0486757025f9c1c955ed710158343ba8fd20350e91ca7cf4cdc6affec

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
96KB

MD5
a203493beff1313266ff2acfdb330c9b

SHA1
3c0b1c74b58a6886f96c9362967fcf2e1ff6bdc3

SHA256
61f3b162bd062dc52cf3b0196cda8f9cd8d8cb891f5ead6faad106f9a5dba1a0

SHA512
6a7afea59212893013bac56480a50a66753bca5ce880d33b57654d33f99a91f956641dc79432c021e77d1aeaf136a1f7899d8b2a449a4284d510a429d41c8d7c

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
96KB

MD5
4803fa22b98a72060682ebc9289c5668

SHA1
f409904598397eef79445bb518578d3f0292e3fd

SHA256
bc3ce226522147996b3701e2f32e43e9ba88aca50de530fff34c8bbc5856bd3a

SHA512
ba2542d9feb491b0aa951f205260976525e46c1746527df3ce9d834e78419bd0eea320861fe4e677e9fabaa57f37412f4a2ff4b19851b40d50bf56a1fc43f955

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
96KB

MD5
dfe60763fb3c00d7c049b58343984ebc

SHA1
87c67f11feb5e012ea8a1f59331e0f14b9b7fca4

SHA256
0caa21c1d61c14a2fb681286db4b3794188cb1382286db4891585d34b8feb3b8

SHA512
be9920f8cee7064f49326088669c546e9f12e5a6deec9634d6f573d70731cdc5afd8341d5a59cef7c33a94796464bf5c00dd0b593d3f47a47e32602bfb6eafe9

Download Submit
memory/292-192-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/292-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/292-181-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/336-321-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/336-316-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/336-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-485-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/1052-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-25-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1200-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1200-443-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1200-442-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1312-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-234-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1400-430-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1400-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-278-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1524-274-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1524-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-132-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1780-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-495-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-486-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1808-385-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1808-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-245-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1812-244-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1812-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-38-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1976-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-256-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2136-252-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2136-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-213-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2156-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-299-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2224-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-298-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2336-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-354-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2336-353-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2340-398-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2340-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-399-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2364-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-474-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2424-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-332-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2464-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-331-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2492-419-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2492-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-375-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2564-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-104-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2604-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-105-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2616-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-388-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2616-12-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2616-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-47-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2644-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-267-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2720-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-266-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2860-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-453-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2888-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-342-0x0000000000380000-0x00000000003C1000-memory.dmp

Filesize
260KB

Download
memory/2912-343-0x0000000000380000-0x00000000003C1000-memory.dmp

Filesize
260KB

Download
memory/2928-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-287-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3024-288-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3040-365-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3040-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-364-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3048-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-310-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3048-309-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads