3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Size

115KB
MD5

e5adeed003b9521ffadd50aabd42e361
SHA1

dd264de1af46bde8b4194ca34c5f38e87361f612
SHA256

3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04
SHA512

d49f72ae94794d85770bf5ff655e72a3e2d95ccc5b4fdfac2be4e22056958de45737c7d6ce04382642510fd22e70fa35dfda74477f567d41d20ea3811e96f8d2
SSDEEP

3072:4C/R8bNl+AVzaAKdbrIR/SoQUP5u30KqTKr4:lR8bNQWKhrIooQUPoDqTKE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe

Executes dropped EXE 52 IoCs

pid	Process
3024	Pjnamh32.exe
1996	Pokieo32.exe
2648	Pjpnbg32.exe
2284	Pmojocel.exe
988	Pbkbgjcc.exe
2836	Piekcd32.exe
2004	Poocpnbm.exe
2600	Pdlkiepd.exe
1252	Pkfceo32.exe
1868	Qbplbi32.exe
2252	Qijdocfj.exe
2156	Qodlkm32.exe
1772	Qqeicede.exe
2508	Qiladcdh.exe
2204	Qjnmlk32.exe
1340	Aecaidjl.exe
1144	Acfaeq32.exe
1208	Aganeoip.exe
912	Anlfbi32.exe
1784	Aajbne32.exe
1308	Achojp32.exe
2568	Afgkfl32.exe
2552	Annbhi32.exe
2404	Amqccfed.exe
2932	Agfgqo32.exe
2908	Ajecmj32.exe
2752	Aigchgkh.exe
2636	Acmhepko.exe
2176	Ajgpbj32.exe
1268	Amelne32.exe
580	Afnagk32.exe
2152	Bilmcf32.exe
2464	Bnielm32.exe
1300	Bfpnmj32.exe
2812	Biojif32.exe
2516	Bnkbam32.exe
2452	Bbgnak32.exe
1916	Biafnecn.exe
2804	Bonoflae.exe
2248	Bbikgk32.exe
2300	Behgcf32.exe
2540	Blaopqpo.exe
2352	Bejdiffp.exe
1788	Bdmddc32.exe
916	Bfkpqn32.exe
1780	Bmeimhdj.exe
1748	Baadng32.exe
2032	Cdoajb32.exe
1700	Cfnmfn32.exe
2900	Cilibi32.exe
2172	Cmgechbh.exe
2084	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
3024	Pjnamh32.exe
3024	Pjnamh32.exe
1996	Pokieo32.exe
1996	Pokieo32.exe
2648	Pjpnbg32.exe
2648	Pjpnbg32.exe
2284	Pmojocel.exe
2284	Pmojocel.exe
988	Pbkbgjcc.exe
988	Pbkbgjcc.exe
2836	Piekcd32.exe
2836	Piekcd32.exe
2004	Poocpnbm.exe
2004	Poocpnbm.exe
2600	Pdlkiepd.exe
2600	Pdlkiepd.exe
1252	Pkfceo32.exe
1252	Pkfceo32.exe
1868	Qbplbi32.exe
1868	Qbplbi32.exe
2252	Qijdocfj.exe
2252	Qijdocfj.exe
2156	Qodlkm32.exe
2156	Qodlkm32.exe
1772	Qqeicede.exe
1772	Qqeicede.exe
2508	Qiladcdh.exe
2508	Qiladcdh.exe
2204	Qjnmlk32.exe
2204	Qjnmlk32.exe
1340	Aecaidjl.exe
1340	Aecaidjl.exe
1144	Acfaeq32.exe
1144	Acfaeq32.exe
1208	Aganeoip.exe
1208	Aganeoip.exe
912	Anlfbi32.exe
912	Anlfbi32.exe
1784	Aajbne32.exe
1784	Aajbne32.exe
1308	Achojp32.exe
1308	Achojp32.exe
2568	Afgkfl32.exe
2568	Afgkfl32.exe
2552	Annbhi32.exe
2552	Annbhi32.exe
2404	Amqccfed.exe
2404	Amqccfed.exe
2932	Agfgqo32.exe
2932	Agfgqo32.exe
2908	Ajecmj32.exe
2908	Ajecmj32.exe
2752	Aigchgkh.exe
2752	Aigchgkh.exe
2636	Acmhepko.exe
2636	Acmhepko.exe
2176	Ajgpbj32.exe
2176	Ajgpbj32.exe
1268	Amelne32.exe
1268	Amelne32.exe
580	Afnagk32.exe
580	Afnagk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Pjnamh32.exe	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Blaopqpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
476	2084	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll"	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3024	2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe	30
PID 2852 wrote to memory of 3024	2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe	30
PID 2852 wrote to memory of 3024	2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe	30
PID 2852 wrote to memory of 3024	2852	3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe	30
PID 3024 wrote to memory of 1996	3024	Pjnamh32.exe	31
PID 3024 wrote to memory of 1996	3024	Pjnamh32.exe	31
PID 3024 wrote to memory of 1996	3024	Pjnamh32.exe	31
PID 3024 wrote to memory of 1996	3024	Pjnamh32.exe	31
PID 1996 wrote to memory of 2648	1996	Pokieo32.exe	32
PID 1996 wrote to memory of 2648	1996	Pokieo32.exe	32
PID 1996 wrote to memory of 2648	1996	Pokieo32.exe	32
PID 1996 wrote to memory of 2648	1996	Pokieo32.exe	32
PID 2648 wrote to memory of 2284	2648	Pjpnbg32.exe	33
PID 2648 wrote to memory of 2284	2648	Pjpnbg32.exe	33
PID 2648 wrote to memory of 2284	2648	Pjpnbg32.exe	33
PID 2648 wrote to memory of 2284	2648	Pjpnbg32.exe	33
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 2284 wrote to memory of 988	2284	Pmojocel.exe	34
PID 988 wrote to memory of 2836	988	Pbkbgjcc.exe	35
PID 988 wrote to memory of 2836	988	Pbkbgjcc.exe	35
PID 988 wrote to memory of 2836	988	Pbkbgjcc.exe	35
PID 988 wrote to memory of 2836	988	Pbkbgjcc.exe	35
PID 2836 wrote to memory of 2004	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2004	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2004	2836	Piekcd32.exe	36
PID 2836 wrote to memory of 2004	2836	Piekcd32.exe	36
PID 2004 wrote to memory of 2600	2004	Poocpnbm.exe	37
PID 2004 wrote to memory of 2600	2004	Poocpnbm.exe	37
PID 2004 wrote to memory of 2600	2004	Poocpnbm.exe	37
PID 2004 wrote to memory of 2600	2004	Poocpnbm.exe	37
PID 2600 wrote to memory of 1252	2600	Pdlkiepd.exe	38
PID 2600 wrote to memory of 1252	2600	Pdlkiepd.exe	38
PID 2600 wrote to memory of 1252	2600	Pdlkiepd.exe	38
PID 2600 wrote to memory of 1252	2600	Pdlkiepd.exe	38
PID 1252 wrote to memory of 1868	1252	Pkfceo32.exe	39
PID 1252 wrote to memory of 1868	1252	Pkfceo32.exe	39
PID 1252 wrote to memory of 1868	1252	Pkfceo32.exe	39
PID 1252 wrote to memory of 1868	1252	Pkfceo32.exe	39
PID 1868 wrote to memory of 2252	1868	Qbplbi32.exe	40
PID 1868 wrote to memory of 2252	1868	Qbplbi32.exe	40
PID 1868 wrote to memory of 2252	1868	Qbplbi32.exe	40
PID 1868 wrote to memory of 2252	1868	Qbplbi32.exe	40
PID 2252 wrote to memory of 2156	2252	Qijdocfj.exe	41
PID 2252 wrote to memory of 2156	2252	Qijdocfj.exe	41
PID 2252 wrote to memory of 2156	2252	Qijdocfj.exe	41
PID 2252 wrote to memory of 2156	2252	Qijdocfj.exe	41
PID 2156 wrote to memory of 1772	2156	Qodlkm32.exe	42
PID 2156 wrote to memory of 1772	2156	Qodlkm32.exe	42
PID 2156 wrote to memory of 1772	2156	Qodlkm32.exe	42
PID 2156 wrote to memory of 1772	2156	Qodlkm32.exe	42
PID 1772 wrote to memory of 2508	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2508	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2508	1772	Qqeicede.exe	43
PID 1772 wrote to memory of 2508	1772	Qqeicede.exe	43
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2508 wrote to memory of 2204	2508	Qiladcdh.exe	44
PID 2204 wrote to memory of 1340	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1340	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1340	2204	Qjnmlk32.exe	45
PID 2204 wrote to memory of 1340	2204	Qjnmlk32.exe	45

C:\Users\Admin\AppData\Local\Temp\3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe
"C:\Users\Admin\AppData\Local\Temp\3a0da46e0b2a399f63edd2f2237553f21630f253ea353aa3965d7153ed3a0e04.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Pjnamh32.exe
  C:\Windows\system32\Pjnamh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\Pokieo32.exe
    C:\Windows\system32\Pokieo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\Pjpnbg32.exe
      C:\Windows\system32\Pjpnbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 140
        54⤵
        Program crash
        
        PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
115KB

MD5
51fa0eeefbaf59a265a6ebcf48858550

SHA1
ac32bb4c25671fa57a93bd9d97025b2ce365b473

SHA256
31fdba07dc5bff3a59f4ec20ac605d1e3848fcded27fcc794011ec0eee6736ff

SHA512
c908a0ab2611ee26f912eec623cf483196e86962255b84b35e6edd00812060dc63f76f5c6816d765af96631485310b7c131b8660cfbe62f9868831c0accfd73f

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
115KB

MD5
93d222ab75ad05421917ad82cf3d57b2

SHA1
9511884faa8cec5eba2698a4c9ca08376bea7cb2

SHA256
b44d5fc067cf23f7184fc7fe35e17722eacb0834f0a83587eb2a66ecd13087a7

SHA512
63656e7db025e073095d4788162f5fedb3eb4ce12b6eab86971c9023e3cb206824dd7d8bc39382e67ff52fc298ce47228e8480216c1f3f12c5211fa05c729b99

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
115KB

MD5
94eaf41ee6479abac721190e5f85801f

SHA1
b49db4c81ab3de22a1a21e0608ef63a3a62c11da

SHA256
533e7aaaab7ae68494f73679f5423623ab2476b5fc16e969bcce5125e2734cc9

SHA512
3a20baeb8331df36740cab9f0318b13add820eebd5420bdf13adc6baba0bf7b216fb5c0fe394e05e1bcfa337e4da126c89110944209baf4db757e9777eb0f98e

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
115KB

MD5
7a53f3d324f1df30cb401b75c4377dd9

SHA1
012c6e6123e2a80b68fc7fa7c09f451f5b8340fc

SHA256
b9e6d7f1503a105ccb82139a024529ed8b2352cb677c3357b8cb6318bf9a5414

SHA512
78394c332a5736db4ca8974490c68600373af7e472982a3ed936a4b2a098c54b41da6224466c055771b6b9f4b650e02336e4f9c8826b900e044077fa37e71b00

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
115KB

MD5
a5f2a2964f56429b35c2f621d42a1364

SHA1
a8deeeaaabe169403d6201bd4db7fea0a4a86d07

SHA256
dd396af1b4427abdcc9a64aa553d5998188d97346861bcbd7b91936a0e0935fa

SHA512
8428e5800ac1b5814c309463dba1ab6bef8fc6626e96ae5e284822acc586328ce98731553b51c97ba1b262e4797169c20783f32779d66b869fbaff29fe398a36

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
115KB

MD5
e4d1220454223f58bad7982867e04c3e

SHA1
a4f8e41a37ef722ecde015fed913eaf102d5e875

SHA256
709c7aea6112c16ab8bce7d617239c71ab76efff90ae38b44e17d399c568b2e2

SHA512
f7c0b0fd363af8624819c4283cbdec142fc1d60c095a95ef4722a8d6544fe9089901a9773111dc02fd49fe5e1b54b9f914be5cf45fd62679289e76abbd953226

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
115KB

MD5
4a01eef5b3021935d43dc829fdc79fe9

SHA1
4597c17833602805167196811427a2493780ad59

SHA256
db0d96f109f16e10d2fa6ef49290aeced01978c799b24a3fe329d50dbc152412

SHA512
33449571199b14e738c7369c54897a35387613e558a0683b9c0630b3f6620d1c1dc44c31fea3dbed51e436207ce3203ca023482eaf7b895b44181ef4b0015a20

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
115KB

MD5
88cdd3a4cb0dbcc0e7b5079b2f56051a

SHA1
d11fc3d6e71b4794a24ddc83a8bd2de553ba4054

SHA256
3a8ab61968e5570758da75072e5b32782528967a7dc098d4d868813960a6ee1f

SHA512
913d9760a0c174a44ce7a73092193125d2123df30e056cd2cad311b6ea95e5a1f327957d401b3f634be1d560246b5f123844ca629e7b65333b3066b9d96ffe11

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
115KB

MD5
5366f36a21465181ca9d94e158f89bee

SHA1
23f7242ccf3c534e598bf10f83ebaee782459a43

SHA256
0e303f77473fc15ad12042110c09345c4db253405cfea346150b13b51ad89189

SHA512
778c5463b7144a417d829df691981012c3814203f544c8cecf063d8b36ae640f8173ffac37ef2678a2001c3285165721cf27eaa3cf2b23187e005b3b2a3a025a

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
115KB

MD5
7762ef928ef6bede36fd42f4c08609ee

SHA1
3af007b2f521ad7a622f5537dfa8a00354bc78e4

SHA256
32d97dcd2029d0c0b60b265094e61c99fa4a6a2c43fad77972248bdfecceb468

SHA512
670eab91fbe04182837d4dc1bd1d1eb5364ce22fda0a8b6b3ca8d435309c4ac7b5ff2167af051ae579f3399cff6e1e1eb1b8993c89ff8cf82bf546839c5a9052

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
115KB

MD5
d1f0f7bd2477ed3fd291e66329476d63

SHA1
67c3cf6834932e524515b3f0ca763773d078011a

SHA256
2bee28d35254b2dcf6129e26bbfbee5976c66b7f9c162651ec53a695b084a75c

SHA512
769aa341879881f89a13f09fe023836946c4d63ab223ab1239ed67e1275902d76011a9e7e1d2c03d0c5e58766f8005fe6c1eea31280da39252c1e230d55ee634

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
115KB

MD5
336ccb73946cf923fe613ee438096d5f

SHA1
31f58ceb24717cf9e7ad7d5917ef89dc4393996f

SHA256
9c9f1095ffc6372448f05cac2bc692a34bf5fe4bedd0587bff849239a315e5b0

SHA512
9f5756807ba876736a5ae50a0c11b28a37ff1ba60ea58cbeaf3cdfde2e5c28cb4e13ee44f4ade7462584d4c4a4d5cbb5fda7f568d804555f5af192415acadf33

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
115KB

MD5
0cf9d72fe7aa23ac07950697cb0ffc38

SHA1
b7d468681c180b17b045a4367639635464cca4a2

SHA256
6ada7314576c8b39be37092a7dce38a3253091c743165d193d79a0e996090fd4

SHA512
0cf5259f55d3bfc2d49f99766a7477eb2b0f7046471b48fa11efaf430cfc0475c734e9077c421a1a45ec766b5cebb58a3e76b41fbd1cfd43ca6b584b0eee94e2

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
115KB

MD5
695e8efbe247a0b5897bc222813e8917

SHA1
b5962c6c1a9516527f9696536cd7a3197f337d22

SHA256
aadbd05c9f13fc858d3823f3d1fde34e72fbfbd48befa9f16fc74541ed4e097b

SHA512
3c7c9f096e07267dc18680ce829735f1195d19e7b520fbd4d710a4a8f6fd1787aeaccc088e772e29c1eeebb2cd49233558c012376e8b7d7efb365236097ca751

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
115KB

MD5
56d46419d596d42ec99ecf3c8843ca38

SHA1
96b9357353a64ca8ffc97012a309c5c9a39d306e

SHA256
5ffe0df5e65b2902b69c6490e02cbf7448a828fbc028c88fb5f28887bdca8418

SHA512
7e502973c167e3df5016ac39069e8b4a42a580ee84159797a337b92b432a18c70b076bae79413ae386af59ad9db74b720084e5f97c37d3649a5ed6f0d098c387

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
115KB

MD5
31599006aa05bfa9741c0f78c3e88edc

SHA1
44ea2101de51edd7dbd0006439a88ceb1f3eb7cf

SHA256
3b3f8abedf947be503e5dc934bd5fcb8b33520eb8adbd253c4833a3d49ebb4af

SHA512
698aa01b0dc565fe0efe33ef9e6c5442bd30fb28bf298df3bbed1889fb6bb92f935624ca33451fc903cf3127f03984c802548b11cd51816d2503b67e04629c56

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
115KB

MD5
536db02c302c10add9464edc2de59e9b

SHA1
819a9affcffd1e45ada1927ba4d5cc29d13ba499

SHA256
5522cc6d3989f8d48b9abcc5a7455fb0525ba2590d8b94ffc7ad35d6cc7a2123

SHA512
24e4af99a220e5fda109bed557706209dee5c53ab5b4e6559468a6fd09a78747d880c37ae41a480cbcb70244270b99dbe29ab7bed818c8b867814bcc00eb4a24

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
115KB

MD5
476cbb98071f1aac8b4fb6ac3c17da93

SHA1
803c4a4c1a62c8d07027b82ea7eedf1859ad02d1

SHA256
b4809b6dc04e14a58b2533dcdf0e10ccd955c831942e6ba1c33355e1daec26c7

SHA512
15d5e3684119e58eb3492f21456bafd9bbc685c47e53dd1ecb0c9cb265ad73657288d22c4ba570fdb1393978e2cbab196a0129a3ab308ffde7fb5652b25cf749

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
115KB

MD5
151f4228c581e78c819ef50fbb9520a2

SHA1
3abdf444d564935d14d40f274262fd99e55b097b

SHA256
06fbc29a3acc81ea6f52e408b81fd000496a4b9ed61cda609f2f779d6ec770a4

SHA512
45d6766c433cfe0c2d467f07e0c25e59102c73863ca782d573cf5351c2319cf3410205b8ccf02c886362e238b1c9a0677ad2016c99751c267f876048af958037

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
115KB

MD5
28c244b00aa9d589ebe8c20a04b2d2ae

SHA1
63d260ec9540909ea38063c0d9f191e03def8381

SHA256
8b2af2606651ceb7d05929abd5a312b26954e47ad8582f03420f0e227eb66fb6

SHA512
eddccc85aae882eb5619bed78c81cc460ab7621b1cb7f10e634f8cbcb2abd91a0c58b4307c643cad6d598b4d3e46dfa4d7e2e9ddcbadbdd1191f1174b0a5f47e

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
115KB

MD5
3ffc952ac8f22954c6bf28ceb7fa7a05

SHA1
c259654b3c5dcc82cdceafb96a2db1794b8329dc

SHA256
c521a98320d54e3b0750355224f24138273058db1c077cab084676bd3e26e9ec

SHA512
b76201717a6b1fa2bda4471bf08ef5a6e2cd95ad2d66c458824bba258485241e8440c7147ad2140f4fc452507cefb579b9db269421f9d062b99ce9e5e5780915

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
115KB

MD5
f01437bde0fe69cac3cd9d7edf99b43c

SHA1
cd60c59da1c9a1c05ad83f8e4c34eaaebe5d23b2

SHA256
bbbce04eec6acd0c3eb7205cdfbed265d15d0edefe9bcaec5372a4330c5112aa

SHA512
3fd7faf7689b0dcf629435dfbf020f6cf683d4dea356d2be43f42e95577ffc69fe12effae1c03b9f01894d22a1ebb402247093d573c9cc5797ffc1e8ed2eaa84

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
115KB

MD5
2d836f55d21576144eb5e94227c13731

SHA1
d8bcebca2e1d7e207613ac897c5c048c8fba007a

SHA256
5291e1fcf3cf7607f127c285abbc2ebab9e8bf6fcb210246ef54e18e5c31f826

SHA512
40c1f5452d4b8e8933b56517fae25338e040dd02203105c021a61b5a738f0a7ad0ddaf5798cc7a632804ab731af83d607b68ac88084f840eb9639a8944f711ad

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
115KB

MD5
1f6d8d12da9161e864efbf7fb5c4494b

SHA1
7040de1e431e96f8678e940c49b722a2b57983b7

SHA256
1606eb58d89eb567adf67bb76ff2c7bd2d2e6591e8065980edb820a90c2ce5a6

SHA512
f59a49c2105dbf2605cf534dafb44720ad79744851b06a1c0a93dbc3521867adab02d5ee79b74cc321ffdaa35a57c8a60375a4063c733adc2a4b3a3082b68397

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
115KB

MD5
a83b2f8795b624abe696b90263d67854

SHA1
f34f5739277c324ea54a0ce51c1151232bf0cf5d

SHA256
55922d93fbabdef0962d851936f1359abbaae97b0536e15bfa2a13d56f10fc04

SHA512
f5c73d29ba062413dedf2879388990a388d17b5a84c3b55117eb889481d8b13615f9bcbb6c57354a7fbadfa9a4645d4c49a3d45b1d17bd9e13d245848e0f916a

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
115KB

MD5
04a5184a8160f869e416e6ee32cd3318

SHA1
b3f9304354b01d2fd4d6201b4c5c87ca8499591e

SHA256
dcb25fdc4d2774e57abce97238d42c69f9bc07e2d6e982aed8a8c815b64cd946

SHA512
8150e92369c780ba7e758f7376410e56b32d4a8dd3935c36540b3addd724eb67e4c49da6ee98f188f8c4eab44e842b01cab339210e17f41e80f3a15ee6e9925c

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
115KB

MD5
300c760f789c79dc1533a6f6664ce8a5

SHA1
c9ed97c3c7396c82744b69ea0470612de2d13437

SHA256
bdbf4d4425b13a511980f1f7431d889b79e0e7cb1cf065ebe4268284f68552f2

SHA512
5356f13ea0f62867ba27d60af9b22707cb77ba63e8137ff9cfb0cb5dd50b682d3ca68f6ad4f09891be537ed49d8263e66c887e217dc9f1da4525d90baf4e95ce

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
115KB

MD5
81f110edd074e0dc76aa331517d85f49

SHA1
6c638889eb96a9a72db2b0e36dd8b1a1051417d2

SHA256
adaafd9b2a6b46389ec5755abb32c4f75762776bc030bda851d922bec52328a7

SHA512
f5db428a494fa6f46e4e5491a4b2008b63f0b2a12771456c4ab1e8aecda82bd2ca0c5facd5be0577cd38fddce806f6d443a351c2fcb406342e88ca9cc890bf1e

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
115KB

MD5
768119be8aeb2d6c9e340161f05dc7cd

SHA1
5b029e497b4eb1d765b7460a4edf3269c42bda06

SHA256
c45399d1f4a5ba6a22bdb54fba6110c01907652cf5a92a3063588cb343350041

SHA512
c5e841de1356e12e6a7ab563b4966bf4306e69a3ae8001609dd1556cfd92f600222ff2acec1a15656c2a5f05d3f1473366c107ac8e7d52970dd5ebde842b31ef

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
115KB

MD5
cae127c0c18067f9ec6417ae8b8ad63b

SHA1
2bce350316b29b283be8ef2889e990da97d73417

SHA256
cb4c9d28f256b9870baec8ac067fdc848552fe4a8a8af1cc9e950f9f8118dd02

SHA512
6ec5f3a49ee2c9dbd146dab062a23afe8f719f9a93f93869d5556493cd827293c8f5f43b8ec21883a7e246fb09a669b0daf6bc97e53d3d0d52e8bdaf0fedc042

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
115KB

MD5
14657152c9ee85cb48a3cf3e67e7c082

SHA1
1ae034f35479216e2e8f71831de0ae89616ac35a

SHA256
50771c2c60bb823a8e90bd89229fc4d5046a2ad061ae7ebb388016320dfe1a37

SHA512
1710eff7a782e797a301ace6fc11485c46e757dca9c61efb3b9dde1fc949b7de77f13d52bb9f869d124ba3a7e98e37430c38ddc4dea299ab6c57dd5b9a214488

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
115KB

MD5
3649da6c11258e9a25c9e7d8f9a211b3

SHA1
d9b6e56b7ab56554b43203b8c931fca1e5f04df6

SHA256
750b505da637b365618e918c5607de8d077e7d5f0a6e506af0dc3ba7223db798

SHA512
849c31863dceaa29837b959bf21a625c44ac783165377ac3ec345ed3bbb20930af0f9fd0ac1ccb4813f444e5c7e766e4b594d61e91978d1e6eda75592ebc4f8b

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
115KB

MD5
2c5230c283498072809bd90ac9176fc6

SHA1
d48f8005e8ebc46ffd62409cd7c179f86dc4dc1a

SHA256
bc4bb726f18ca4a4d50e941a1dffd2fea1e5b274309dbf95e1e9203c432afcc2

SHA512
0cbbd0a6d433335739c3656ff7babedad59fbff3f683704000d6e3047dce2e444293b52eb770179556493acd9b20341d8758d927f38b797fcc93636ad90e8b5a

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
115KB

MD5
ee77f3fcf569448cfa02a01aced485d5

SHA1
f1af94815c0f614c56a384684312ebc28894a6d1

SHA256
7a10861b85807bee28c2796630bcbe98548c37abe2ae9fe97004e4234c296122

SHA512
e3e8385c2f83e787fe59311011f4e0fd2e0dc84c579829e1cf04dffc35c2beb813f112d2dcf1d7c0dab6dfe1750b452db2c8ab3865ada253713498f49981f80b

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
115KB

MD5
865914eb3923ca81e5ebd31acab4c87c

SHA1
ce707b74ef084e45b3dd20ef775c0d5b97c3cb0e

SHA256
fcaf8296e36c24718b930f1ba79f7984b7029f8daeeeebece58718c03fad461e

SHA512
e4af522e8d16c25cba4316c92070b6b7c5c93cb3a13d3d1c964a61e724e3101f3d929f901a6a6194cabadbdbc66fdac907375e13a2ff56cd3cfae032e7b55a08

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
115KB

MD5
0d47494a487fadedc9810a4027eaf2d7

SHA1
a920abe3b49c9c464dbe75868de249eee3731da5

SHA256
92088ee54c3684f4b5c80f8c2576807b63a90a44ba5742e3793a2ff6adfaf152

SHA512
a468f0a20e8c6b0a0dc6da592484c0e1cc06fbb547a88773d0ac3b6fc3206d7176f8fa175710f2b8b6bec9c3b16ef2b3c59264cff41657c95724e430dca202f8

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
115KB

MD5
19bcf2879ff6b253b976c6193a2af1dd

SHA1
26e8139e9088c6e02dc267a589b9cb54c4ea0633

SHA256
49a12b253ebc4b1809b597c390c7f89f62ca2964063b7666149855012595ffdd

SHA512
c8c23075fc5a4b84f3bf4c3488c1f9f8d8baf4cb52bea577e322b9825f6a3f8697e70c561a9b1301349e2c10d804bb9367822f92566c0eea812c6ce1e29c1dc6

Download Submit
C:\Windows\SysWOW64\Pjnamh32.exe

Filesize
115KB

MD5
27636ba22b3f415956610e2ead42d253

SHA1
259a1f2c9e9e8f854ec6e11ab8981235e840dabb

SHA256
d4c2ed0d943aa0e4320e202f2fe6b783aa076d02334fa0a5b38b601b13a1df09

SHA512
26b33440d432f3cb5f651dac8242a4564722cb5dabbc946f91059516fdd233f8eb6232c889f6f04fc706f1180005dd72410a9c023bb83ef2e2402ce0f468d0f0

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
115KB

MD5
7b847aeea46b63b99724de0d9430a657

SHA1
94d62bd3de2a32727814ac5951fa7afbabdc9e31

SHA256
4c98b722ced4094cc1838881b67aa3a533fbeac745eb66e33a7b0c6448593fe2

SHA512
9627bea5e911a8b76d0572a2a0e6042255303dcf547d1f93d5136a1dd8af81976bad5636ffc679ed3c9a9c8bbfe16d2e14b18519a781195207ebb7c50e74feb7

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
115KB

MD5
0676f575887b3722804f5492b374be88

SHA1
3e6f864af9d5eba7203de37b90ec7b7654dd4735

SHA256
859dd16d0d149292a9ba15562a026c900839f6afaf8155150423568543befe04

SHA512
4551eb14c5a54e9fb15d3291f8ed1b96466ee054e0f5c066d951ef034691877901bac6711e0759c564461e34a996e6de9beca111c0fd79d18f84f3202ce8194b

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
115KB

MD5
73ca24688ef9206f2529fb9c3d524cc3

SHA1
e5d411986006563a151e67b4b8f06e42356c23f9

SHA256
197f8bedaa2650283034093fb7d56a62d55d2d68679f0c7b39f7ac4827697d58

SHA512
2919128cb8204041d466bd0017691cce937c5121df8a9e05e936eae5416d2867dfe8f09e2b313d384abf38dec8c5a4f348868cec1364e10e221b811d93f9e383

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
115KB

MD5
05b3befb0245bb09e43f835a3f38b5c5

SHA1
098606f6c5698b45acd8900375d278a126cde366

SHA256
0991c976c694e3e72bed52dbb3adf7df4705f220f32138ec41fbd49ae4088489

SHA512
db40182305377916768bdcddbb6bcc90a7df3798016b7c7f7c22001e19c36322a2f9e5242cbf373e5d211a013760b3e4951cb9d3a1e5c465c16ed1438cd25cba

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
115KB

MD5
9fa35d3879b5c215f6536768a28fbbe8

SHA1
a616b9b558fcb9ed7fcb06b85aa5f954e353a5f3

SHA256
99005a7f7f65a8fc320e61f2fe99c7758a334766eb264933c591fda6317ffc90

SHA512
a070ce8fa780e35c14d133d5f782218c85ad999e0745685cea8f9ee571922a3f5d7506705e33d730fdf76459f13a8df629381a65099f9e817c9964ae632a21a8

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
115KB

MD5
96685e3951fb1b28b0b6bce4ab83cbdb

SHA1
36161d1a9b34316f3eb3f050522b69525ec9f8ce

SHA256
b0f5a8f493c41b48cf6328c4a350721cb86405e5950f8af201a73f2437a634a9

SHA512
7b476bb8e721d606dcfe521676c2481d8909e608bcfc1d6cebc4a9167dfe1d5d6a8581a01bc6bb059208809db5b77f7c1ea77f87b3dc03cf227f305fdf9cdf4b

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
115KB

MD5
80d88178139a1a609276b141cec99c67

SHA1
534108618f83b524eef5a465a8b917863a75d4ee

SHA256
d49f02fd2ea144ae69d6cc1c5ef90c3287877496da0149b6b56c4617187bf459

SHA512
ab9d5bbdbb77570e5e82544b9eb29c596aa11e02385ce6257133957a67bf4d7cdc58383fa98a716c990f2138177ae794c839085509a72054627c559f9d652cfc

Download Submit
\Windows\SysWOW64\Pkfceo32.exe

Filesize
115KB

MD5
a9dc9c07155c4f49ec6b6e87c1b99921

SHA1
f53387bce36155eaf7712fcd6ea36e5253cc352a

SHA256
4b6b6966fa166788e105fce54f607d2007070ff7c3ba1725b89218436a3e99d9

SHA512
bd08b36bf49efa5c44b86bad4a1b48a9f6ce28f61451a8b60e97dda2eedab5f1724e4dff04a23aa4bb1dd80982c5e2b94e151bc5f1cfd74254aab0b43c50b5dd

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
115KB

MD5
2b69f5ace9521d435d595aa869751e00

SHA1
390fbfb572d19636c698719edd9d310802573214

SHA256
0ab2f2ba779a1f6bae46d0097a16e933157df3cee678c113c04293b89f8c450c

SHA512
dff0a171c6b94159ef9715d1dbeadd5ef9bc1f219d112c34d00032a07e62eac2f1310ef6a7b9ba798fae583ad7d0df3d828acf57e822eae51a3ba603eaa7dd24

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
115KB

MD5
4ebed500a3143817b4749dec37388c5e

SHA1
54baa5cdd3ef964f33d35559e72644d830402468

SHA256
15f4217e4c7eb8714c38915d947b8050dabda3e83c1b8f15edad6043ce2c9402

SHA512
1549909711a3795c6aa72f30028e1cd3668c857ff72081789f4f218e8cc4574d2d82567316a6c8dbba2dc74d23e2f801282c9691f644bb24baf74aa85c8beb9f

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
115KB

MD5
69f7389c79da3e80f04d7927b0274435

SHA1
8275336a94a305fa7da3e9fb0888d1528e1f2f6b

SHA256
fc2363279693987818d2fefc845ac8d93aa45e00f974fecf64a2435b23816eff

SHA512
a68c3ce76c0686a55a40f27cde0c6e65f82c1ff08bdddca2ac3edfa6714722fe2057d279a54c11d74572091ca32d9e22118b2148107c40c9ff7ab25da509e298

Download Submit
\Windows\SysWOW64\Qiladcdh.exe

Filesize
115KB

MD5
b2791859f94ba2600862105c5e1ba9b5

SHA1
1dc7dfc615649a5cf60920333b2d3380f1b6e1e1

SHA256
bfe1bdeb0928a365314c0771e49bc16afca576407541e3e3bcaf3c08b075f308

SHA512
aa4fd5a4023a79790996de75b0d74e09e15d5105e5a6980b66fc6ffd8d97091e9d14ae2042b9ae12afaf22c97fb7ccb79ad8512de07152d43ae172bad0cbc679

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
115KB

MD5
256fa88a8e775042f8760a8cbdea0c3c

SHA1
0cde67b6567886b7581bdec4ffc620657589d820

SHA256
c45d2ab0c2b51f53b59696c2701dbe07697b0a5420d1347f31e4c5c98eab1467

SHA512
2888995674f251107c5732cda72edc33f03e90275fea852d030a59fd8231a9aa8d9952dfc8e7b553fa2c5cf9b47e4db7190483152cddf42679ec2389df91da7a

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
115KB

MD5
b993d4b568688061ce042fbf388f0b80

SHA1
c3fc50dfe8ac2920f6a32bc6a936879e619d3f92

SHA256
524512ed67e9a6ab1a181678e013c443f72816a89afe31f61c03d11beffe695e

SHA512
93e33db4e47325c92852765a371c977fdd41e862e6302ef9e40654dac3f9413b37a2bc568de386a0f816333881709bca735d9291681e4921553f32268ecb34df

Download Submit
memory/580-379-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/580-380-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/580-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/912-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1144-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-239-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/1252-129-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1252-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-369-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1268-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-368-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1300-420-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1300-421-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1300-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1308-271-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1340-219-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-223-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1772-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-262-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/1784-261-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/1868-146-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1916-456-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1916-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-466-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1996-29-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2004-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-396-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2152-395-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2156-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-358-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2176-357-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2204-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-483-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2248-475-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2248-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2284-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2284-62-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2300-489-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2300-490-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2300-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2352-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2352-516-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2404-308-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2404-307-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2404-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-446-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2452-445-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2452-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2464-402-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2464-401-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2464-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-198-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2508-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-431-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2516-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-439-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2540-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2540-505-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2540-504-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2552-292-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2552-293-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2552-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-289-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2568-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-290-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2600-115-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2600-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-337-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-347-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2636-346-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2648-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2752-333-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2752-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-467-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2804-468-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2804-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2812-424-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2812-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2812-423-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/2836-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-93-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2852-12-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2852-11-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2852-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-331-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2908-321-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2932-315-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2932-314-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2932-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-22-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3024-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads