1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856e

Analysis

max time kernel
87s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
Size

88KB
MD5

3c67c4f8033e1b4eeb2e91b03dd6be30
SHA1

dee9ddf8d30eaadb22466106968bf00d7a7b9103
SHA256

1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856e
SHA512

2cd963bf949fd202bb0e5058da3d65f99a4aed82591b589cae1f926e9512f354ad257025951c8ec8cebb45a9f8daa71b0c17b90a89b88750c5ed92801cd17382
SSDEEP

1536:UxoDAOd5rGzs+OtKvs6k+4MHA9MDZZawFL8QOVXtE1ukVd71rFZO7+90vT:QAFjrqO0vs6T4MdZZhLi9EIIJ15ZO7Vr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe

Executes dropped EXE 59 IoCs

pid	Process
2904	Pljlbf32.exe
1956	Pkmlmbcd.exe
2640	Phqmgg32.exe
2688	Pojecajj.exe
2336	Pplaki32.exe
2644	Pgfjhcge.exe
2608	Paknelgk.exe
1512	Pdjjag32.exe
1668	Pkcbnanl.exe
1268	Qcogbdkg.exe
1700	Qgjccb32.exe
1952	Qdncmgbj.exe
2772	Qcachc32.exe
3004	Aohdmdoh.exe
2356	Aebmjo32.exe
2928	Ahpifj32.exe
2892	Apgagg32.exe
1864	Ajpepm32.exe
1424	Ahbekjcf.exe
344	Achjibcl.exe
1804	Aakjdo32.exe
2380	Ahebaiac.exe
2472	Abmgjo32.exe
1948	Aficjnpm.exe
1844	Aoagccfn.exe
2440	Aqbdkk32.exe
3068	Bjkhdacm.exe
2756	Bnfddp32.exe
2820	Bccmmf32.exe
2552	Bmlael32.exe
2532	Bqgmfkhg.exe
2580	Bceibfgj.exe
1868	Bgaebe32.exe
1920	Bjpaop32.exe
1380	Bgcbhd32.exe
1984	Bffbdadk.exe
1768	Bjbndpmd.exe
1568	Bbmcibjp.exe
2368	Bfioia32.exe
2984	Coacbfii.exe
1628	Ccmpce32.exe
840	Cmedlk32.exe
468	Ckhdggom.exe
1752	Ckjamgmk.exe
1524	Cnimiblo.exe
540	Cebeem32.exe
2224	Cgaaah32.exe
1644	Cjonncab.exe
2392	Cnkjnb32.exe
2736	Caifjn32.exe
2444	Ceebklai.exe
2824	Cgcnghpl.exe
2596	Cjakccop.exe
1480	Cmpgpond.exe
2560	Cegoqlof.exe
2340	Cgfkmgnj.exe
1716	Djdgic32.exe
1912	Dnpciaef.exe
2628	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
2904	Pljlbf32.exe
2904	Pljlbf32.exe
1956	Pkmlmbcd.exe
1956	Pkmlmbcd.exe
2640	Phqmgg32.exe
2640	Phqmgg32.exe
2688	Pojecajj.exe
2688	Pojecajj.exe
2336	Pplaki32.exe
2336	Pplaki32.exe
2644	Pgfjhcge.exe
2644	Pgfjhcge.exe
2608	Paknelgk.exe
2608	Paknelgk.exe
1512	Pdjjag32.exe
1512	Pdjjag32.exe
1668	Pkcbnanl.exe
1668	Pkcbnanl.exe
1268	Qcogbdkg.exe
1268	Qcogbdkg.exe
1700	Qgjccb32.exe
1700	Qgjccb32.exe
1952	Qdncmgbj.exe
1952	Qdncmgbj.exe
2772	Qcachc32.exe
2772	Qcachc32.exe
3004	Aohdmdoh.exe
3004	Aohdmdoh.exe
2356	Aebmjo32.exe
2356	Aebmjo32.exe
2928	Ahpifj32.exe
2928	Ahpifj32.exe
2892	Apgagg32.exe
2892	Apgagg32.exe
1864	Ajpepm32.exe
1864	Ajpepm32.exe
1424	Ahbekjcf.exe
1424	Ahbekjcf.exe
344	Achjibcl.exe
344	Achjibcl.exe
1804	Aakjdo32.exe
1804	Aakjdo32.exe
2380	Ahebaiac.exe
2380	Ahebaiac.exe
2472	Abmgjo32.exe
2472	Abmgjo32.exe
1948	Aficjnpm.exe
1948	Aficjnpm.exe
1844	Aoagccfn.exe
1844	Aoagccfn.exe
2440	Aqbdkk32.exe
2440	Aqbdkk32.exe
3068	Bjkhdacm.exe
3068	Bjkhdacm.exe
2756	Bnfddp32.exe
2756	Bnfddp32.exe
2820	Bccmmf32.exe
2820	Bccmmf32.exe
2552	Bmlael32.exe
2552	Bmlael32.exe
2532	Bqgmfkhg.exe
2532	Bqgmfkhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Iidobe32.dll	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	Pkmlmbcd.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Pkmlmbcd.exe	Pljlbf32.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pgfjhcge.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2628	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2904	1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe	31
PID 1128 wrote to memory of 2904	1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe	31
PID 1128 wrote to memory of 2904	1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe	31
PID 1128 wrote to memory of 2904	1128	1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe	31
PID 2904 wrote to memory of 1956	2904	Pljlbf32.exe	32
PID 2904 wrote to memory of 1956	2904	Pljlbf32.exe	32
PID 2904 wrote to memory of 1956	2904	Pljlbf32.exe	32
PID 2904 wrote to memory of 1956	2904	Pljlbf32.exe	32
PID 1956 wrote to memory of 2640	1956	Pkmlmbcd.exe	33
PID 1956 wrote to memory of 2640	1956	Pkmlmbcd.exe	33
PID 1956 wrote to memory of 2640	1956	Pkmlmbcd.exe	33
PID 1956 wrote to memory of 2640	1956	Pkmlmbcd.exe	33
PID 2640 wrote to memory of 2688	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2688	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2688	2640	Phqmgg32.exe	34
PID 2640 wrote to memory of 2688	2640	Phqmgg32.exe	34
PID 2688 wrote to memory of 2336	2688	Pojecajj.exe	35
PID 2688 wrote to memory of 2336	2688	Pojecajj.exe	35
PID 2688 wrote to memory of 2336	2688	Pojecajj.exe	35
PID 2688 wrote to memory of 2336	2688	Pojecajj.exe	35
PID 2336 wrote to memory of 2644	2336	Pplaki32.exe	36
PID 2336 wrote to memory of 2644	2336	Pplaki32.exe	36
PID 2336 wrote to memory of 2644	2336	Pplaki32.exe	36
PID 2336 wrote to memory of 2644	2336	Pplaki32.exe	36
PID 2644 wrote to memory of 2608	2644	Pgfjhcge.exe	37
PID 2644 wrote to memory of 2608	2644	Pgfjhcge.exe	37
PID 2644 wrote to memory of 2608	2644	Pgfjhcge.exe	37
PID 2644 wrote to memory of 2608	2644	Pgfjhcge.exe	37
PID 2608 wrote to memory of 1512	2608	Paknelgk.exe	38
PID 2608 wrote to memory of 1512	2608	Paknelgk.exe	38
PID 2608 wrote to memory of 1512	2608	Paknelgk.exe	38
PID 2608 wrote to memory of 1512	2608	Paknelgk.exe	38
PID 1512 wrote to memory of 1668	1512	Pdjjag32.exe	39
PID 1512 wrote to memory of 1668	1512	Pdjjag32.exe	39
PID 1512 wrote to memory of 1668	1512	Pdjjag32.exe	39
PID 1512 wrote to memory of 1668	1512	Pdjjag32.exe	39
PID 1668 wrote to memory of 1268	1668	Pkcbnanl.exe	40
PID 1668 wrote to memory of 1268	1668	Pkcbnanl.exe	40
PID 1668 wrote to memory of 1268	1668	Pkcbnanl.exe	40
PID 1668 wrote to memory of 1268	1668	Pkcbnanl.exe	40
PID 1268 wrote to memory of 1700	1268	Qcogbdkg.exe	41
PID 1268 wrote to memory of 1700	1268	Qcogbdkg.exe	41
PID 1268 wrote to memory of 1700	1268	Qcogbdkg.exe	41
PID 1268 wrote to memory of 1700	1268	Qcogbdkg.exe	41
PID 1700 wrote to memory of 1952	1700	Qgjccb32.exe	42
PID 1700 wrote to memory of 1952	1700	Qgjccb32.exe	42
PID 1700 wrote to memory of 1952	1700	Qgjccb32.exe	42
PID 1700 wrote to memory of 1952	1700	Qgjccb32.exe	42
PID 1952 wrote to memory of 2772	1952	Qdncmgbj.exe	43
PID 1952 wrote to memory of 2772	1952	Qdncmgbj.exe	43
PID 1952 wrote to memory of 2772	1952	Qdncmgbj.exe	43
PID 1952 wrote to memory of 2772	1952	Qdncmgbj.exe	43
PID 2772 wrote to memory of 3004	2772	Qcachc32.exe	44
PID 2772 wrote to memory of 3004	2772	Qcachc32.exe	44
PID 2772 wrote to memory of 3004	2772	Qcachc32.exe	44
PID 2772 wrote to memory of 3004	2772	Qcachc32.exe	44
PID 3004 wrote to memory of 2356	3004	Aohdmdoh.exe	45
PID 3004 wrote to memory of 2356	3004	Aohdmdoh.exe	45
PID 3004 wrote to memory of 2356	3004	Aohdmdoh.exe	45
PID 3004 wrote to memory of 2356	3004	Aohdmdoh.exe	45
PID 2356 wrote to memory of 2928	2356	Aebmjo32.exe	46
PID 2356 wrote to memory of 2928	2356	Aebmjo32.exe	46
PID 2356 wrote to memory of 2928	2356	Aebmjo32.exe	46
PID 2356 wrote to memory of 2928	2356	Aebmjo32.exe	46

C:\Users\Admin\AppData\Local\Temp\1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe
"C:\Users\Admin\AppData\Local\Temp\1784c755815175ac3995a98239f5d216a805a738aa30e5cf9743b15c2b9a856eN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\Pljlbf32.exe
  C:\Windows\system32\Pljlbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\Pkmlmbcd.exe
    C:\Windows\system32\Pkmlmbcd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\Phqmgg32.exe
      C:\Windows\system32\Phqmgg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 144
        61⤵
        Program crash
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
88KB

MD5
471c1f7734ba380f44f77a24b4f449a2

SHA1
1d3ab9fe56094b74e7d67ef5657439f5d86d0713

SHA256
ddffc48a90f380bffbbc946f75195b3f34e845f4afc4eba7b4bde9766648418e

SHA512
58d760f75314301471cc8ad540c37fc9de316fd9cd1d5b2ed8ff30d1376bf4186ff6e30c2fb430e3d235a3904de64c280eda5b2c8cad2154dc1f19b3882d1494

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
88KB

MD5
0b5d9f158b1c37d89c74fdef88b7eeaa

SHA1
c4848da6c67ba76f7f5a1ade3728f625c886f67b

SHA256
551e7dfb394d36bdc3d8f1f9e7fa9c87292d0f84fa60e974ce3a2892c437db8b

SHA512
8c3b74f4448d332584f2450667232b21dd1f447ba51b6f62d47959b6a62204480c90a910f55cd63256ba955fdd6babb59de7daacf81f71a141b74d42807fd88c

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
88KB

MD5
8d869856decb95ea4725f07f2672b9c6

SHA1
42c93a076d6048c16c056a5bafc35c8f53c4b593

SHA256
777f8b8daab9c0730b2e24058f95151b49e6faae2ef8056b175200b55db24b43

SHA512
a25ebe70ebffacb0a3b2ad0c948c2c44b225d2ef26b46537d3b1aee0be50b7f59db53e79b072c5bb9d39d2226ff3a0b34f2039d476ff614faac33e56919a23eb

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
88KB

MD5
7e07da0a1120c74d820517291a3252a7

SHA1
636b6fe3144f377c129b898890e28412a1ce1d14

SHA256
abe81aa3c907a2fbd2d744d8b6acce7d3a6947d44caa0da67c97b68f0ef09ac8

SHA512
e54bb00c7825da3ebb2690674827939da5cc4f9a26b2a6957f12ffc0688b7382b8f9020a01a8f60174b83587591fc06e91def026b29fc6fbf621d6aadc2751f4

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
88KB

MD5
bb2c7453a00db15d79932c0e6b5af4b0

SHA1
72507e8b4adfed51f9103af7ebc0a4d4569e0249

SHA256
6d5e9810f00595814a6d07baf6c28af3b26e99af1870a8a4538268d70471999f

SHA512
7c083731d20725424fbe8d6c5ecad1e21b1a6cb7ad96dda01abb733765383f35bee768398eda1af7ecebd69f64d26ccf86c24b49c47b5949f0df69daaeb98a90

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
88KB

MD5
ea008b91f49cb2857ccc282d6620da59

SHA1
85876aeeeae7ae5f41499da144ec11ef5f5749d7

SHA256
a58b53fa38558d5c25268889b590491221239a9645837133ec15fcb8c47a5e59

SHA512
e6f6acefa5f1d30adfec7000fb6fbcd8f2ba34e031508015b13596c4f9416b6e883302a40917e7574d9e1e71cb29ffbfb55e7f3fceae8f22d81ca2cf94aa021b

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
88KB

MD5
0106197cd7363dcb05c11ebf6760a9d2

SHA1
36af0553896d17e3982dbe25aa5c1607f4c4b729

SHA256
0aa4b4fec2b46cda1d465dfca9a07267d8bc9d208038710c20db4a798c72e535

SHA512
2c185a0c8fa929316a0dd52841bd1d6e469d2e516124787fa01f3aa5914c25ec50d786efe434067ddad85584a8aa5004cd801814933b0a0ce9cee8c4db6949ba

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
88KB

MD5
1956060fb9bfa2028d3fe8a29f56d3bb

SHA1
82f3290633ccf93ffc0f5d76935d6097269244a0

SHA256
e19647031b22753daa11841c8edf152d0a4c9923ea8fa7c721c004998f2d081f

SHA512
b842e6555f75e4276931ca5bf5cdb0727c6bd22d73a205ef2dd8b66bbc6c46da28a77815c61f99e3d727db3a60de731af47421d5619aa056c1736e8d2635ad10

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
88KB

MD5
64fc5c5a6f46bded0b208c6b6a3ff478

SHA1
3a647e72b36e2d62e6c47204a090e6bb4144f5e7

SHA256
86f50b22d991a05822c512ddac4e6f7d1cbd48e4f979bac0647ba06e14ce971b

SHA512
f8bedf4a4ff01a06ed04865104114788d821e0b17f70da6036b8a65c97bd5e8990cb7705b97ea8965506ea55ac9aad63fb0b1d87d540c868737da9bc8a0486ff

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
88KB

MD5
a373b9667b304c9bbba01a3407138d8e

SHA1
52d27e5ed6432dd5a3a680d94f00a72f1cd88813

SHA256
dfd69c20f8f5b165ee478b5f950b3b46f64a4e44cce0126053d65053ec4cb862

SHA512
a5f82cc60d8edf72bd4c741e462cedf2e4395afb54d8aa19a7ce64c1d96646bcb89e551593924bb5307e7f66b1cf9ce982c9141763c4f616c521542fc37d3e88

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
88KB

MD5
1b0af750e8d668a8af5990d822395f08

SHA1
94ccf9fe3fba9acef2c789b4ea74e8e791f8273a

SHA256
97b564be9563cb934cdeea2be7aad882dbbac8f8d99a1bd9e6264d8e8c3a4391

SHA512
92f00dece5d65e25b710f1163475d892fa7563502afaaabfa7364cf7d26fd3fb8a657b54927e17ffc05048765cea6a26c1ea493911141ae254e2e02b3cda38bd

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
88KB

MD5
0791d476d1fd2ccc72bd68a31a4d73c2

SHA1
c67c30a5939752ec875f8f05c3335a711a79f665

SHA256
667e9704f6da4231e1bc1bd577c940f6672f51178e85589acdeaa41e64e2331b

SHA512
67ff242d36776177c22d05f51eaf5834cfa5544dad33a79a299b4c659d0533f51489cef4e187e861af7e4faf94be423e951b66915102a47c88253d595106c201

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
88KB

MD5
93b8b5d5cf9eb997e92f9951a7f648dc

SHA1
49b6684a2286f3ebb79a5e8c87d006cab064b590

SHA256
d1d8159bd80c5cbf3f8fa87475a09f88901f3f438899c611dc021a23ecad83bb

SHA512
3ff5417436c328cca4185b86af5a0ea488e8542864ddd9973be33ed7ff18b51fafdcc63966d312cfe580b529185554ecfb00d1b249a2166d38c2c18a4830ce16

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
88KB

MD5
f5805a1579490144f1d4224af9ef8dbd

SHA1
0e209ab77e2c13b1ff9f162bba7742e1b73d3aac

SHA256
99c0502b05cbf48e577d9ab38a4aa4b1497a577efd60e424e9cd1357e197869f

SHA512
7aa40b1e32f4ebae1323889b8843492338376fda1d8aeb856869892c6e84d268bd700275417432ada1462202434b954beedc704f05b68a87ed598fb99a59868c

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
88KB

MD5
95fd332105adab535f53b5951ed6c90a

SHA1
24d02d727754ac4610cc43c6fa98d7663be0f8f8

SHA256
c7571dc20c4c77c168eb34f4181b3ed119698e847a09da39aa8aa56c15444501

SHA512
80146fce13d610c334d0e76916b64be4a7f166e7f47f920aef61c7af378d16dde51bac590fbb555cf6f1a44e912a2f5d56403a18a90bf59e59a1277c19dbb0e0

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
88KB

MD5
952d2105241e7f03e146dece809807fc

SHA1
a8bc1e22b0535230706b20bdd2d84969c6cac0d8

SHA256
892bbff04af9ee280401377e109920a88bbdecbecae5151817a0985b1fad3e54

SHA512
e7a3a564ee81222663e90bc5f778b37e0ff1b927ab9023fd45539314b1844d45e5cd8aa57aaf46504c24262c56db36094f76014cd65a23d70a08f3c601bd2fa6

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
88KB

MD5
15c49ff4fc7c1104e9619c0dd198b937

SHA1
000e7dc9c2aa17af341d441c4150d331b18210cb

SHA256
d434aef79b7ca3c39908accef14b8bf41077431e293bfdbfbf5949f4d633abaf

SHA512
9cc4e7f1d7c13bdcc4c14f5d433bfa47908743ff672ecebe36cde31c4c5b0389b11b821845364012964f6661491d63ea3ffc8a7d925f534aaaf0d79dc5a77674

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
88KB

MD5
90fff9fa5c9cd3a39ff0dc4e0d881305

SHA1
29e5c191ff14652e1300432b7dff4a4a1439ea91

SHA256
c8109467abec3583b497a74c44a312b911517abc8ca212a177a6932816b21553

SHA512
98845790d7a617b994b25a9d0ec16297de7d73a90ff6026baede4f5d4532d3479ac8f0c60d1279625f050977eb89f394461f973d323c6e95b4e17834513051c0

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
88KB

MD5
b988ba05e60131136b4c7ac3761101b3

SHA1
bb5536b1ab4f87a04d758eef6905e8ed77866efd

SHA256
71e039b49197dae05cff3551cfaccffea1efa421c4e953104f9a70bb05e7ac07

SHA512
4ce8849b9ccf094eedd0554efea193ae9f3f671e9644e97fa9b30659d96a08fd82d695a7437396e701f2967df434c83d2be89390c86b5d8c1c1dc9a95f417b53

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
88KB

MD5
d23ab2d3d216552af3c5484a78bcc53f

SHA1
a6b7d73e0d032b5fdaa28f968f158d0c807c7146

SHA256
4a1986d13bccbeb2112a1232954f5d1c9c868eb1d36208c71cc165847dc82978

SHA512
e2eafdadb60a7d6a72eab17b8cfeea567c06e0cb17a1592bab99b19e09c9f864c0b9390d7d6ab239513e8d3e45b0326278a9a92ca99d8fd0d73e440a02c22a28

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
88KB

MD5
06c6dc6749cdc878055ba57c135f96bb

SHA1
c2c77c656ee41526f51276e291e318726592f5c6

SHA256
7e6bf0fec43e0f106cb17c45136b4dc9af760bcff26d1917f570ff04538669e0

SHA512
09ce5fb76e7ae5f5c05d7249fd342862796acedb391200ca3313888721b7e7d49e265660e9d187aa1d28f3d745caffebe3a0b1c526bdbf564ce6048570de319f

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
88KB

MD5
27d91a0605d023158993b4c2d448f338

SHA1
5cadf4aa2ddf0f830184a56b8795c6e7ac76ea63

SHA256
1f59d3498c46ad7a5ae0c4f831aa61ae33836ceda7f960de900e449e44f5c205

SHA512
61beb8500ba82dfe1358bb2900f627052fe1162124ca037edd2a8dc9de15a7888c3a562ed599deca658ddc2df95021e4647f64a081b1d3a27c1f1f5c3780b2b7

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
88KB

MD5
024a3afca60777f3c91683a2b64d7a96

SHA1
d61691385b87b345c0f87e051e533331c13b3bbc

SHA256
bab01e8dca33338a51cadc0fdc23db1071bd011e90bb79ea859a13a3c21dd3e4

SHA512
5346fa64d937604a8b4f5c3c923c744ee9f168a1ed5e5c17c022aa87c415238e2870c252134ec84afb4c924405269e2e6ea411c2b7832ef6ed2672a1eee5e293

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
88KB

MD5
be58af7c9655c247c5f11caa05b049f0

SHA1
2acd15a7c088948af9134bba731cc7e0cc89d39b

SHA256
7fe82d9aeb318b8cd0b2b947968fc8ee052f5537e256105b93095ca6e2d7d6b7

SHA512
358beef10a0422c7dff68ad2ca01fd8997fce3ce5af07f30b6f92bb6ad8771874e00c0dcf4306f3a0077d1595c37a680fa586d762932eea9311b48015d9581f2

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
88KB

MD5
c3d70ef05fc6d4eea77369fa8db24db5

SHA1
f68d43656042e1c5a138587a436149d0ce702cec

SHA256
183311d187f12a8b659c66056c7cc2d8dcc930ae59334b6eadb047be176871ef

SHA512
c2f45f1dfe86f94271de4cf5d20d72e0da85e063eaf93b6892e8e8ff10d71c0f2b6d837d884deafa129556394567d6a92395b2959997c6c0fcae18fc487de98e

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
88KB

MD5
649b118649d044ff09f0ec69fc971645

SHA1
6755f857d0ad51559927fbb43d19f2f8cdcb14e2

SHA256
f3be10cdd3a5cb284278ccd9055fc816c8e14b2193031673cc8bfc958d12162f

SHA512
7804763e0c2319d8533e26ddbe75d14e5fd9a7252d1c7079900a8086c6c8635c1b2f910c8520c8ad49ecd69547018f88706f53dc12e81d8fdbee1786f2b384b9

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
88KB

MD5
4fa23e6edec03195079dde6ffd3fd850

SHA1
86a6b48e78805dad5269302df02a0f19b3bd4c48

SHA256
71161c14886a822df2e8e282dac354999d57f5a9d28b10838086fa3d7da3c4f3

SHA512
919f5203da167fa53207dce93e4e67639b6862e6a2b12563a8ea5fc25e53b9428353a356e652dd7b88a207555f823d6da112556aa65965488165ea659f9de697

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
88KB

MD5
23862d7d5577ab6e6b91187d3f2c7d74

SHA1
0db0c379050c45bf5c2812f5f1122e21b1e0b898

SHA256
e798f1bc54b884877d953071015bff15f8f65bc7c07221088b09dae910382bd7

SHA512
bc058843906f4841d7bb0a7335a1c51e09cc1e4fb86f50c4c007e73320de9334041bb227ea63c9e530b8b865020298eb0f6f939dbdde11209ba571766534a302

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
88KB

MD5
cb8ab63b9c334bdf89ef3b9628991096

SHA1
d89b356fcce5305e810633abd053f87b34dc0427

SHA256
42b1dd15cce46e3ce1dc48c6785e9de596ec97cc604af84c6195e0d828a957d4

SHA512
20d6daa47c43340eb4bd83a6a0079aa92ee3fb23d556f5c571c22ae43cd7c628b0fa48d49050c4943ccb5a03910a01ed5c769a2130d36e79a32a61da9868dc7e

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
88KB

MD5
b48b70c9c4b81e4e68840d0caf283cf3

SHA1
a98177044f98eb11ca7e8f3eedfca7ffbc5f3097

SHA256
aa5a26290e122ea07884b3706f74dc4338352ebf953f2a03567e5314fb387ce0

SHA512
61114f50671e09ed786e1893456b194905817069e1f5ec0dd0daeb85a99343a757524bd8d290bbe9f19a65516710b4ac369d2535605fc95a5dc5b54422d0bb01

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
88KB

MD5
66b57dd3c696efd43fd72e240eaa4b9f

SHA1
64dafa4aa0a14e3cbe763bda3814318d7324b2c6

SHA256
6bd9edea3ba26d448d796eaa739ec80ba2b6ec74a4e677bb6cc14f3b5a2c8a25

SHA512
106c455cf9aecb0cfd79066fa46245e46c0baf580aa8baf4e513e75077d3395fa53ea029ee321080cac004c7655b3ea2ba06f7f88e2e5b138d9ea58d9ab2792d

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
88KB

MD5
27f8c916f9576a82509210469f28cc00

SHA1
14df495c3fd82ea6f4b56e5c7eaab04778405dd1

SHA256
c413fdf1562e2c05855275128bbbcf8ff218d52258f6a74b899fd104ec0c34c8

SHA512
58cf905019d08fc0d2e659593a273e20787d4415e8fb0eef490ad15f46def457283083430540d3120ac1ea14b2dac691f488d9092b73a67ca2252194629e2700

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
88KB

MD5
a3f0e1e4447ced675231527b7498c250

SHA1
dac273de8768b7203b8b675388fd11f285a98016

SHA256
d6ad09df822837dc212ff04b9eccf73b5ec1a6b7db6a33e9649ec070fefcb29c

SHA512
9a013159adc92d8bb5a800c05b02d3ebf6978f04bf90d3a2cc2adb00910d84e1bf37158580a734b7a22baffcf49e4d61cbd5a8a82e790734b8941ba4804e69b7

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
88KB

MD5
85f6bb3232b9957a2a2ceb89f36bf505

SHA1
567b0bf1d6a6482ccfd7943c170f78ad02aa41f0

SHA256
661d2a38a4fd0f2bc0aa88f457549e428cd1bab4695e03b2e04a55a6107aa8ca

SHA512
ac478caefeb0334b4ef9f2ac5b0f41fc2f396f445ba57aefb0cab3aef0779eeb2c52f111fe6dc1a0d42b81eeeb6380d7e97e621d525fd0a975d98fee7b624aca

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
88KB

MD5
413106b1bf26e50a7eaaac99f0618467

SHA1
424abe5aae952fad3b1ff9152db60c1fcc73a17e

SHA256
d54227c22a633a7427803eb25149fe31199fb4e2e7eb9dc761d5ce66e33aaba5

SHA512
0c4e01010823fd9d5c907708ae83d0f87a060960ff7ea1c6ce70f26be274f55781e8547773dd78f606a800f8a7643fecf7ac72aab3ed1678adeab457dc4dd8cd

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
88KB

MD5
66e5eadeb5f3b83421a997a1d0daef40

SHA1
c2fc2d5992d5e39a49baf9536c790cc42d8f1b47

SHA256
8cec5c01be8e8eefcb6a2bde91cdfff414988b06cac7d469448c986c980786ce

SHA512
5cb6acec583aa5f06e55549638e343020e96db6705cb9143193e60c61588ef7cb87f78a968752d06d2387f0b56ac9f8424ef658e9b5ed9484d7ad9f649cb562f

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
88KB

MD5
69c496d0022f2a15393cb55a7168a38f

SHA1
2a267bb9b0d180074903918f8b95e65bb9ca6e84

SHA256
155e4b054c4c4d4c45e50653011c310bdd9936c5aa94fd24a68ce2d8b3f1bf8a

SHA512
97291cf3a5ba1f8c7a3aa4518f8f095af41d4e520b896e325159e98baad6882dd72712ed987d3304617f38729e2dffc1d09d521f290fb3211f5278050eeda51a

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
88KB

MD5
7271aeef4f2390292c5e459119a667ba

SHA1
a334a07bb28ddbc768c99506ba9df70057e293d7

SHA256
02b0d9614657e1743a23eeda86681af09456ba67efddcf8f9519937645dfb15f

SHA512
7b6819ab89086698fe5227d9cae69530cc2e35f071b5264d0a70fa6cab7e8b47eadae82f6a6a5ef4b095bcfeaa5d03900c0086301477cbfc5fa7a93362a36a62

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
88KB

MD5
574068212ac56de2e00365a7ec632503

SHA1
9255d02aeebe0a32cc5e0ca1ed4479aa9ff3f07e

SHA256
ab26b0d78362059b783e98b9ee31c0e597ae2232774775f053f2ec8ab4e9a1ee

SHA512
b17fd502967884454ae8d30325e6bfcda625ed960b80453ce1cd8e26a6751a1319b15311afaf886cbee2043137225ad2999edb004368006b22afa25568cef052

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
88KB

MD5
faa41948b3444c61a78b7de03d4c73b9

SHA1
4aa986895df96753ae4d3e8035d8ee897bf9ea01

SHA256
28bac51006bfa70c8647d6b118ba25f276be065fdb05d3df7d8abab8e987368b

SHA512
b3b5a7fc33670de4952ddfb6e76468faa0456ee2eb93d55e2f970f97ae867c2a123f84aff26d22d7e75ae3fb93f9097248866b21d94615c82544d8c22c8f666b

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
88KB

MD5
96094a753f257b0e288d993245573830

SHA1
716dab07781f460a16e81065710e5dedaaa70640

SHA256
f9e01c16e5812f62be6cce81e71ecf6732b5e82cfdef2d8a14e268d3197a2db1

SHA512
ee14592b7fa924a1f921e9e0c65217bcd1d640964ae953e704c2e538d7d8cdcef903473c96010941d4595aa5e7ea74eeb948af0a32356c0d584c9f10538f0423

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
88KB

MD5
451763af3aa7b6a02e72a5c24fdd1353

SHA1
e7fe06002b838592ce6c22a801e0cc46bd498e31

SHA256
4145ffdaf18c52b9c11138c7eb8773066772d968fe6762d2bab81bb125780584

SHA512
429459a774e382588af5fb27a065e8606596f19a3f69bf5152ad389a9f7565c1313a3c76c177bbc529e3ea8d36fe22db7d85ab617c44ffcab700fa28d9031467

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
88KB

MD5
b935b118d1b5e5c1114c01eec6cf5806

SHA1
dc623cfc94e51e40004a66a52068b7841c567f83

SHA256
5fbb1213dbb7050d7a8c7853ad04274bb7de9bc7415c8546fcf88176f2773a2f

SHA512
48a7196256e142eb87010d9db3815da0051dcf176f8d87e03cb37a4199855ae432a029a9c737d6d858b22a619e8f8a2c9d0253fc0c07073ef039bc426b629188

Download Submit
C:\Windows\SysWOW64\Phqmgg32.exe

Filesize
88KB

MD5
87433ba934863bcd19a169454a2d79b6

SHA1
184d61a11e5dab4e7fdf7f0c89cbf29cd4af3469

SHA256
7338ef628200098b52cda32de852bc9e8c3a6e4fbf76679eeffef1dfaca7c656

SHA512
e76acb8407d5e12b7d6e3e66fb715db36507914fe3705af32ca05da28ace25a3623cde25831682a9f017aa8ab76d32323b79b179207d991834da0bf6d05a3c9a

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
88KB

MD5
2bbddc287f8964acf88d65b78bb14777

SHA1
aceb9ad5633ebfb7352f5e19afc631c99162bd48

SHA256
e0a988816eca199a0f1d49ea8acd6ca055588305434a4ac5c2778916b8c57a74

SHA512
d05f229c8693b094fbd3310403f265cbe70e219390b0c729376377c55524ed8a6a41b53e17e744a86d61f87bb8b0c0c36dc38e26bda6451a8f1290f423bee7b6

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
88KB

MD5
35251b4867110118571e1c2bb7dd4779

SHA1
9d3cc500c89cb2c6243018b4c2ea2c8f8074019e

SHA256
44557e05ea663086c3dac1aaf8e0fe58b61ccdf32275407d95ad60d418df340f

SHA512
961fc501a91590ecfc5c119bd7d696953969982bc1c79f26f218c454a166a853ba684f25b29ce4963c541b149ed962b179a80efe2dcaa09f2cb4632ecc48f77e

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
88KB

MD5
2423b58e9efe9d9c3afc4e85e1539270

SHA1
c4c39adc7bbb0011e275bb4c8d8edb3181f9e1f6

SHA256
e4239fb9f7d6996550aeb09345b14d07d68ee8669658eb2531cb074feef2d2b3

SHA512
486870be0b636f5c555a0cfc2e1a79ca9719cd3128e75936a730a1c52a8cec8b9f34e41466978c24a426d4a8fc74c754f6172e663e1fa3b845c4bce04495a097

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
88KB

MD5
883bc3ab4473fd8f356173a0de73e1a8

SHA1
18016d69c10390cc0d235975c06d46cb1d8253ad

SHA256
dcb8c517531a55b0e17674b172432bc46c8774cc4f898f1ff3c203ec8c2ea652

SHA512
ee7486b97225e9293f2904b81bf19f0daa62553184563efe954804831da6fdc5be3558149eed9dda381b306ba77f02a9c2b05cf515adafc8bd894b157209586a

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
88KB

MD5
d1a96326ed68d414971effe122f564c1

SHA1
6864f140fd8245d3aa2b45347b5ae271dbdd15f1

SHA256
47b38263869b2c6fb970b5ea3a2c190ff3d05fbc3c8ae0a3817c0e940f07ccc9

SHA512
e9422a52345abcabfa0dc7255d67d95d718a1f3d51034f449f47fd06bec9897878511351219948546db85d26bff0b2c7217d9d3054bad5e6d7fc6dad21c3013b

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
88KB

MD5
5b773e82dcfd6bb063063db1832566db

SHA1
83a777a2aee813acb59b3d442f973ca50160cf05

SHA256
3e5caa43934c4a66757f4667db9527b7a37677f13f8c4a25667028b9c6232d97

SHA512
5d47fd2733d80bd07d3106db2284cc93444e88a247a02835532b2d56b142d4674064fa840777a032ec9a56cd8132fbc640a8e4831d5d3f7a895b13e7b3e82f6a

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
88KB

MD5
953b03c7f2903f3240235a34d83eca9b

SHA1
b711edf84ceef3a1c574030714c48ea91b89592c

SHA256
cbb18c3673a59a5b7851a6ebca79c446ba08161befae004309dea4455d1666a9

SHA512
72824f3f60d771486ce4937778d89ee513177e968dba4930c946711ade4ed49770256c52d61234c9dc7488d7d088c4157a953725ff3b7a4e93044772cb3383fb

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
88KB

MD5
a1e71db692c5c110bbad08b63908958c

SHA1
31847bb552008927f4965593b8bd92a4725f2680

SHA256
e4435d96133910f7428e0bf0a9d5ae02c79c9513491e399ebd207c1436905785

SHA512
fea1ddda4c269f02f40b250e090b8d7132ebe29bcecea6e78a6e812503ee56986c7eef4f2e6ac37a9b29229deb516a70aaa9fdf2530a282a1d1a534bec1be06d

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
88KB

MD5
d2dd44de1e846f1f6e1ff3136e336a98

SHA1
6d264179982655e97b800b5a31bc50ea1af28f33

SHA256
49ffca6812092c2c466156baddec4cb28dab6f9fae9e831e80b68dd0aea61881

SHA512
b7f5b89f5bcdcfaadc9645f82f43fbde267f97fe085c33070591238dbc122457c44843ac7106f90cfdf07b743cd558e930b12ada5823c383d29781487312e51b

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
88KB

MD5
eba09ac1e09946db3abefd57f9759919

SHA1
7785871494301e386ed9633e5c80a61637055695

SHA256
c3565eed6562d81e703238e2b8c953e04640228a95d130a87979596e9598f655

SHA512
4c78933554399744d020fa90c568102021b3f6a39957f1d03786a7736bbbee8689866d57359d9fb34b388d3a0a3d7f0eb295d7e0824f3552161b1926214bf77d

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
88KB

MD5
c98b3fe9939d81854bf11bb0a8b5898f

SHA1
b123404ded3b7374f9851d8fb8677996fbcd7d0c

SHA256
cdc76a2f6aa2c7aa8f2d8f8f7bc27185eb7f6d0e8b0914f2eb33aa07adf529f9

SHA512
d24b0ee4d6835cc32e2f7ebe7f48559dfb747c883b9cb0cc594d60e707ec042f008aa217e3683cd4a1362ea4e5839ba16098a03abcaad5c2d33724aef3fd7da6

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
88KB

MD5
ccdd84f56b3ef5f5bd77ece551ca8d7c

SHA1
0979f27ede6d96a5ca4ec30943f203ec71879dbe

SHA256
d783160ff9af58e97ba70c8c87db8490c64341584035abd7f3783a2c7b0a0f7f

SHA512
33f528cb724b57dbfd246eb8d61da5a6aa6f842d55e9aca5629bcb4a6fb2d74380d827710f253734ca914ec2d1dae2368206179310a561c6254fca620bfe55df

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
88KB

MD5
b09a12e5b58e5f81c871645813ebfae9

SHA1
1465eb20188d088f7282345f9023c550d29ee509

SHA256
91f24cc608ed62083d4536dcdadadf8078cb1ec82986163dca3eaa7ef36379d6

SHA512
2835591d32925e4caf820bb050805f3173cd731971d813afc95ca693ccf17cfbb4b8ba655fe2d159bd48442b404f7d67d19490ebcc6675c7bad5758a893e70ce

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
88KB

MD5
1e5808d56ebbcbd3a2f7934fa8e8736a

SHA1
bfa680f7158fa3553eff770167cbe545c926230d

SHA256
96abf11c1c27be41ad950c5d8f7ecea316dce29114f48090b67bcd1e4cc79734

SHA512
254786a321ace425f79a8307b819256662fe6f18897b66defd212176eaa3459873441f1c9f2effde1a86fd96bebd1c6ad510f24381f23993fbc264a6abbdc642

Download Submit
\Windows\SysWOW64\Qgjccb32.exe

Filesize
88KB

MD5
cc2edf8da245cc9aea128a88c46d48e5

SHA1
bb8529f2d7a581fd8e1c47799af5275f14062ac6

SHA256
383efb97892c0320ae9df57708030dc42b53fcfea8f722bbc1c09f0010690981

SHA512
cc9c218209d45ce8c68ee7e34d273f37ce6c1f3b03d638a68622de0011ac4953067dd93f58cc638bffe8388ff688af96a3e73ecf1685ac8c1133c05750f042bb

Download Submit
memory/344-265-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/344-267-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/344-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-510-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/468-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-498-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/840-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-497-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1128-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-12-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1128-377-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1128-13-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1128-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-509-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1380-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-427-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1424-255-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1424-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-251-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1512-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-134-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1668-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-447-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1768-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-276-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1804-277-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1804-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-320-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1844-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-243-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1864-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-245-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1868-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-416-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1920-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-415-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1948-310-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1948-309-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1948-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-75-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2336-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-288-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2380-287-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2380-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-331-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2440-330-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2472-298-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2472-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-299-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2532-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-394-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2608-101-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2608-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-477-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2608-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-108-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2640-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-52-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2640-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-65-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2688-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-349-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2756-353-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2772-187-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2772-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-364-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2820-363-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2892-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-341-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3068-342-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads