8fe3397144572db55bb1f28a14880c142805d7fe094e1e697cb9f463a64098c9

Analysis

max time kernel
82s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8c8d98c2767c753509b05c1f0c39440N.exe
Size

352KB
MD5

a8c8d98c2767c753509b05c1f0c39440
SHA1

f4a5c687fd04607cba18765b1afb446103ce2e8f
SHA256

8fe3397144572db55bb1f28a14880c142805d7fe094e1e697cb9f463a64098c9
SHA512

6a0fba04a400368ea591e885a8633f2a061fb21de14e3847af7a99468c00e5cb08282b7a103752c0094ea304b4c19231d29c57207551a06036a43ba6285af7ab
SSDEEP

6144:qm8j3xuygNZWpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFfX:qxjhuyCirCZYE6YYBHpd0uD319ZvSntr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qoaaqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeepjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeepjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a8c8d98c2767c753509b05c1f0c39440N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheppe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phhmeehg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plffkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plffkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqanke32.exe

Executes dropped EXE 16 IoCs

pid	Process
2372	Oheppe32.exe
1908	Oophlpag.exe
2912	Phhmeehg.exe
2940	Plffkc32.exe
1852	Phmfpddb.exe
2672	Phocfd32.exe
2232	Pqjhjf32.exe
2748	Qgfmlp32.exe
1452	Qoaaqb32.exe
3068	Aqanke32.exe
2852	Ailboh32.exe
2264	Aeccdila.exe
3064	Ankhmncb.exe
2376	Aeepjh32.exe
2116	Anndbnao.exe
884	Bmenijcd.exe

Loads dropped DLL 36 IoCs

pid	Process
2308	a8c8d98c2767c753509b05c1f0c39440N.exe
2308	a8c8d98c2767c753509b05c1f0c39440N.exe
2372	Oheppe32.exe
2372	Oheppe32.exe
1908	Oophlpag.exe
1908	Oophlpag.exe
2912	Phhmeehg.exe
2912	Phhmeehg.exe
2940	Plffkc32.exe
2940	Plffkc32.exe
1852	Phmfpddb.exe
1852	Phmfpddb.exe
2672	Phocfd32.exe
2672	Phocfd32.exe
2232	Pqjhjf32.exe
2232	Pqjhjf32.exe
2748	Qgfmlp32.exe
2748	Qgfmlp32.exe
1452	Qoaaqb32.exe
1452	Qoaaqb32.exe
3068	Aqanke32.exe
3068	Aqanke32.exe
2852	Ailboh32.exe
2852	Ailboh32.exe
2264	Aeccdila.exe
2264	Aeccdila.exe
3064	Ankhmncb.exe
3064	Ankhmncb.exe
2376	Aeepjh32.exe
2376	Aeepjh32.exe
2116	Anndbnao.exe
2116	Anndbnao.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjehbgng.dll	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Jegphc32.dll	Aeepjh32.exe
File opened for modification	C:\Windows\SysWOW64\Oheppe32.exe	a8c8d98c2767c753509b05c1f0c39440N.exe
File created	C:\Windows\SysWOW64\Fapapi32.dll	a8c8d98c2767c753509b05c1f0c39440N.exe
File created	C:\Windows\SysWOW64\Oophlpag.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Phhmeehg.exe	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Phocfd32.exe	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Gjjhgphb.dll	Ankhmncb.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Anndbnao.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Anndbnao.exe
File created	C:\Windows\SysWOW64\Phocfd32.exe	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Agefobee.dll	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Kjcbpigl.dll	Qgfmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Ankhmncb.exe	Aeccdila.exe
File created	C:\Windows\SysWOW64\Phmfpddb.exe	Plffkc32.exe
File opened for modification	C:\Windows\SysWOW64\Phmfpddb.exe	Plffkc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqjhjf32.exe	Phocfd32.exe
File created	C:\Windows\SysWOW64\Pkmnfogl.dll	Phocfd32.exe
File created	C:\Windows\SysWOW64\Aeccdila.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Aeepjh32.exe	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Anndbnao.exe	Aeepjh32.exe
File created	C:\Windows\SysWOW64\Oheppe32.exe	a8c8d98c2767c753509b05c1f0c39440N.exe
File opened for modification	C:\Windows\SysWOW64\Phhmeehg.exe	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Qgfmlp32.exe	Pqjhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Qoaaqb32.exe	Qgfmlp32.exe
File created	C:\Windows\SysWOW64\Khilfg32.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Ajdnie32.dll	Oophlpag.exe
File created	C:\Windows\SysWOW64\Plffkc32.exe	Phhmeehg.exe
File created	C:\Windows\SysWOW64\Jfgdqipf.dll	Phhmeehg.exe
File created	C:\Windows\SysWOW64\Qgfmlp32.exe	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Ankhmncb.exe	Aeccdila.exe
File opened for modification	C:\Windows\SysWOW64\Oophlpag.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Einkkn32.dll	Plffkc32.exe
File created	C:\Windows\SysWOW64\Qoaaqb32.exe	Qgfmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Aeccdila.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Eodinj32.dll	Oheppe32.exe
File opened for modification	C:\Windows\SysWOW64\Plffkc32.exe	Phhmeehg.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Ppqolemj.dll	Aqanke32.exe
File created	C:\Windows\SysWOW64\Pqjhjf32.exe	Phocfd32.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Jgcfpd32.dll	Aeccdila.exe
File opened for modification	C:\Windows\SysWOW64\Aeepjh32.exe	Ankhmncb.exe
File opened for modification	C:\Windows\SysWOW64\Anndbnao.exe	Aeepjh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	884	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmfpddb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeccdila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeepjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anndbnao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phhmeehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plffkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phocfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfmlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qoaaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankhmncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheppe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8c8d98c2767c753509b05c1f0c39440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjhjf32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmnfogl.dll"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehbgng.dll"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einkkn32.dll"	Plffkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plffkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Qoaaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll"	Aeepjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodinj32.dll"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeepjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeepjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phocfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qoaaqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjhgphb.dll"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfgdqipf.dll"	Phhmeehg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a8c8d98c2767c753509b05c1f0c39440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdnie32.dll"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plffkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcbpigl.dll"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgfmlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phocfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khilfg32.dll"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcfpd32.dll"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll"	a8c8d98c2767c753509b05c1f0c39440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll"	Phmfpddb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2372	2308	a8c8d98c2767c753509b05c1f0c39440N.exe	30
PID 2308 wrote to memory of 2372	2308	a8c8d98c2767c753509b05c1f0c39440N.exe	30
PID 2308 wrote to memory of 2372	2308	a8c8d98c2767c753509b05c1f0c39440N.exe	30
PID 2308 wrote to memory of 2372	2308	a8c8d98c2767c753509b05c1f0c39440N.exe	30
PID 2372 wrote to memory of 1908	2372	Oheppe32.exe	31
PID 2372 wrote to memory of 1908	2372	Oheppe32.exe	31
PID 2372 wrote to memory of 1908	2372	Oheppe32.exe	31
PID 2372 wrote to memory of 1908	2372	Oheppe32.exe	31
PID 1908 wrote to memory of 2912	1908	Oophlpag.exe	32
PID 1908 wrote to memory of 2912	1908	Oophlpag.exe	32
PID 1908 wrote to memory of 2912	1908	Oophlpag.exe	32
PID 1908 wrote to memory of 2912	1908	Oophlpag.exe	32
PID 2912 wrote to memory of 2940	2912	Phhmeehg.exe	33
PID 2912 wrote to memory of 2940	2912	Phhmeehg.exe	33
PID 2912 wrote to memory of 2940	2912	Phhmeehg.exe	33
PID 2912 wrote to memory of 2940	2912	Phhmeehg.exe	33
PID 2940 wrote to memory of 1852	2940	Plffkc32.exe	34
PID 2940 wrote to memory of 1852	2940	Plffkc32.exe	34
PID 2940 wrote to memory of 1852	2940	Plffkc32.exe	34
PID 2940 wrote to memory of 1852	2940	Plffkc32.exe	34
PID 1852 wrote to memory of 2672	1852	Phmfpddb.exe	35
PID 1852 wrote to memory of 2672	1852	Phmfpddb.exe	35
PID 1852 wrote to memory of 2672	1852	Phmfpddb.exe	35
PID 1852 wrote to memory of 2672	1852	Phmfpddb.exe	35
PID 2672 wrote to memory of 2232	2672	Phocfd32.exe	36
PID 2672 wrote to memory of 2232	2672	Phocfd32.exe	36
PID 2672 wrote to memory of 2232	2672	Phocfd32.exe	36
PID 2672 wrote to memory of 2232	2672	Phocfd32.exe	36
PID 2232 wrote to memory of 2748	2232	Pqjhjf32.exe	37
PID 2232 wrote to memory of 2748	2232	Pqjhjf32.exe	37
PID 2232 wrote to memory of 2748	2232	Pqjhjf32.exe	37
PID 2232 wrote to memory of 2748	2232	Pqjhjf32.exe	37
PID 2748 wrote to memory of 1452	2748	Qgfmlp32.exe	38
PID 2748 wrote to memory of 1452	2748	Qgfmlp32.exe	38
PID 2748 wrote to memory of 1452	2748	Qgfmlp32.exe	38
PID 2748 wrote to memory of 1452	2748	Qgfmlp32.exe	38
PID 1452 wrote to memory of 3068	1452	Qoaaqb32.exe	39
PID 1452 wrote to memory of 3068	1452	Qoaaqb32.exe	39
PID 1452 wrote to memory of 3068	1452	Qoaaqb32.exe	39
PID 1452 wrote to memory of 3068	1452	Qoaaqb32.exe	39
PID 3068 wrote to memory of 2852	3068	Aqanke32.exe	40
PID 3068 wrote to memory of 2852	3068	Aqanke32.exe	40
PID 3068 wrote to memory of 2852	3068	Aqanke32.exe	40
PID 3068 wrote to memory of 2852	3068	Aqanke32.exe	40
PID 2852 wrote to memory of 2264	2852	Ailboh32.exe	41
PID 2852 wrote to memory of 2264	2852	Ailboh32.exe	41
PID 2852 wrote to memory of 2264	2852	Ailboh32.exe	41
PID 2852 wrote to memory of 2264	2852	Ailboh32.exe	41
PID 2264 wrote to memory of 3064	2264	Aeccdila.exe	42
PID 2264 wrote to memory of 3064	2264	Aeccdila.exe	42
PID 2264 wrote to memory of 3064	2264	Aeccdila.exe	42
PID 2264 wrote to memory of 3064	2264	Aeccdila.exe	42
PID 3064 wrote to memory of 2376	3064	Ankhmncb.exe	43
PID 3064 wrote to memory of 2376	3064	Ankhmncb.exe	43
PID 3064 wrote to memory of 2376	3064	Ankhmncb.exe	43
PID 3064 wrote to memory of 2376	3064	Ankhmncb.exe	43
PID 2376 wrote to memory of 2116	2376	Aeepjh32.exe	44
PID 2376 wrote to memory of 2116	2376	Aeepjh32.exe	44
PID 2376 wrote to memory of 2116	2376	Aeepjh32.exe	44
PID 2376 wrote to memory of 2116	2376	Aeepjh32.exe	44
PID 2116 wrote to memory of 884	2116	Anndbnao.exe	45
PID 2116 wrote to memory of 884	2116	Anndbnao.exe	45
PID 2116 wrote to memory of 884	2116	Anndbnao.exe	45
PID 2116 wrote to memory of 884	2116	Anndbnao.exe	45

C:\Users\Admin\AppData\Local\Temp\a8c8d98c2767c753509b05c1f0c39440N.exe
"C:\Users\Admin\AppData\Local\Temp\a8c8d98c2767c753509b05c1f0c39440N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\Oheppe32.exe
  C:\Windows\system32\Oheppe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Oophlpag.exe
    C:\Windows\system32\Oophlpag.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\Phhmeehg.exe
      C:\Windows\system32\Phhmeehg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Plffkc32.exe
        
        C:\Windows\system32\Plffkc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Phmfpddb.exe
        
        C:\Windows\system32\Phmfpddb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Phocfd32.exe
        
        C:\Windows\system32\Phocfd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pqjhjf32.exe
        
        C:\Windows\system32\Pqjhjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Qgfmlp32.exe
        
        C:\Windows\system32\Qgfmlp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Qoaaqb32.exe
        
        C:\Windows\system32\Qoaaqb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Aeccdila.exe
        
        C:\Windows\system32\Aeccdila.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ankhmncb.exe
        
        C:\Windows\system32\Ankhmncb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Aeepjh32.exe
        
        C:\Windows\system32\Aeepjh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Anndbnao.exe
        
        C:\Windows\system32\Anndbnao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeepjh32.exe

Filesize
352KB

MD5
e802b9901243a8fe341d55b0d5e8e498

SHA1
5ceaea164053567c9d07a34e8b6c155698331fa7

SHA256
e3aa96b097565373033b813e013a483c844e59c38276ef115bbc7f494f0d4b67

SHA512
2a4e83ab6a9ae8d958e09f69862c5887c8a4657a0cf11e38200b643d24966b47e0ab85dd22c0dc677157a2e5fb3b54753c4d120265474e0f254e1287b633fdd7

Download Submit
C:\Windows\SysWOW64\Ankhmncb.exe

Filesize
352KB

MD5
2af067005d91cba46fb10e351a4c01a2

SHA1
150e6eabafb441f526c87c318c999019d57b23ad

SHA256
0ad6868e5c7bd8a5765a7b49b8acf0a4504aff19db93c90398ed1ff42bbfa473

SHA512
2791229b22ff63da1a16dab53bb0d12d9aec855ad962643675a80587468069f514008316f6f6ed7e70fe08eb5439b4f08399558d73724448624791a1420816a2

Download Submit
C:\Windows\SysWOW64\Einkkn32.dll

Filesize
7KB

MD5
3bd2c7e786c22085bb323db24fe69673

SHA1
b0ae8d2e9e8f43492ab17e761db223f9bce622ad

SHA256
75efdafbefa4d3b9e8c8519fd42b5022a18e10e998f19980a726ab8eae4204f1

SHA512
72267ecb986289e3acbf19e2bf20561bcb486b16c12a5800b22d5070fb087dc2b7e41296e59efbdf6937cbdcea29ff83fb3b94c802ff6c2b08aa911cfdc2b15f

Download Submit
C:\Windows\SysWOW64\Oheppe32.exe

Filesize
352KB

MD5
23c894d45f3983b8ed823321cc7d0216

SHA1
df897823630bd2b197affc3f5bd957ac57c142c0

SHA256
50dba300f0551381181e594f9a6a2523c3ebd6e3d28b5c51090634564307c6c9

SHA512
353ab2aeca8b4bd6d34e6d2466e2997902d4fe189a89926cd60f470d7bf1098d90f9fe0f9d5afc115f7ca8d3468753dabe02cf1add9cb0fea4981f23f518f2b2

Download Submit
C:\Windows\SysWOW64\Oophlpag.exe

Filesize
352KB

MD5
21c84d540f9dcc3fa222fb82c49afa19

SHA1
7c9a38ab93b3377a82937f7ee87fbe1b3b725873

SHA256
4cf8b93c422502d686d409f8f08d3a78b369daec0617907fb167768ea4f69194

SHA512
b6d2e1d9ecbc58279874c7e2b76692cd3a15c65fc13f3c4e4dde432faf32156637895bf7b903db80e5dd787d9c77dc5a7dde17386f92c07212c549857097a212

Download Submit
C:\Windows\SysWOW64\Phhmeehg.exe

Filesize
352KB

MD5
ad1bb59d2f75b463eb2c8c27b1357bb5

SHA1
24502a4e603c9d2979adbb31f3ee496dc91788ef

SHA256
b2450d72f760f40a2015381161a802662b198be14fb6cc4243717751f313a2fd

SHA512
ffa51d544492cdf961ad1be3d23afab8e583085d73d042381f467e91f7ee6fceb41e25b852cf477d0cfcff9b34155d6336d68c0b45e0f26e9514fabfe6a021df

Download Submit
\Windows\SysWOW64\Aeccdila.exe

Filesize
352KB

MD5
2d599bcdc3b24548c6e940536700a30d

SHA1
800c5eda4f7d34609aaaf169c2e7254a8150fc06

SHA256
91b07965ca9daa05b9c6c6a2698569ea9240882f6a8ff859483f9250407b514d

SHA512
6b9653ddde61a9401a2b127cfd7badd93041777e16516e3b3f08a0b78b603c3545fcac293568d6e8628545f60e2e43780fb4460055586ebfc96f840895742930

Download Submit
\Windows\SysWOW64\Ailboh32.exe

Filesize
352KB

MD5
2193d746355522e38bf1c61e27993ee4

SHA1
ff06112d8497bbe37c146dbd9a6f372d73d1bafc

SHA256
529b6a76a7769f8c9435d3f18e05fb3c389ecd4d3a050adb60ec7d4b67a377bb

SHA512
5c832c1efecad6a1f2ba1cbbc85356beb4cbebb18b5247fb3abf47e16678fd54a45184ef099fdb4ad7e109faba17877a9a9d53de730710e11eaf24972b6fd550

Download Submit
\Windows\SysWOW64\Anndbnao.exe

Filesize
352KB

MD5
4fb3eed0f5bfa5f7dab3eeff3d778f87

SHA1
655117be60fb045d4023a69963aa6b3e7a482717

SHA256
8b5e8f1ee3ba7ce223498f9008c607cd1acbc5d6c6d6c903cff782638e2dd95a

SHA512
81a75e26391c1ec3b51657e92deaa09b7b8d0edaa3a9874a556468ffe94083ded1a0c068d80ed18c8c3ff85f14bd1b305a5824a232f5c25a2ad0d0609e856e9d

Download Submit
\Windows\SysWOW64\Aqanke32.exe

Filesize
352KB

MD5
701cf88eb801d06ef3716f3627446388

SHA1
2dd958159595f7cdd9a6d86428db8503d2d55a32

SHA256
017e8d4c140bd16acfd1d2aefe2daf326af0bd19e9348abb459a4d5bfa97fb15

SHA512
a71cd431755c9b6b58de1c48936af85c4f256656988ca9e4a15b2739d6b6a20df48800c224263e8933ff4e78e3947def63519901efe749ab5bc8469746dab0c8

Download Submit
\Windows\SysWOW64\Bmenijcd.exe

Filesize
352KB

MD5
7fbb0366fd0b09c1ccb66aa4a6fe5048

SHA1
1c09142186c1b58baa02c47fb8972df8a37fb705

SHA256
00868061b8f68df04bf000a1906e7a8ed1baaa6dbd321747da7a48b44e6c40f6

SHA512
0f3c79f02794a9e3dbe57357df42667c520bc11f24be78eaeaa0d6e5bc678549a6ece3e8dcf7db8a94a5a6bdb3d18c6efadaf0882b3cdb01fad80c7db30dc580

Download Submit
\Windows\SysWOW64\Phmfpddb.exe

Filesize
352KB

MD5
5f2f68e641aec60e96f959a5a8c16ef2

SHA1
92f24cd97c5042324419b065dd095a8222e72067

SHA256
52f09a071bc1c5bf73ff72bfef9d78fc727a3886d1adf39922818b137cfc75ed

SHA512
317592614ce0bdd1ee0d83f8fe023603d9bb41c94d96198492683dcf473dea26f36fd68dc2abd331f8aee2ebdc263b039595a7c97751d0c47899703403563ca8

Download Submit
\Windows\SysWOW64\Phocfd32.exe

Filesize
352KB

MD5
4d747195290b835f8e33efc16e6bfd9a

SHA1
8247f1d8425251f6470e4836de511c1cb0426ad6

SHA256
e3a24e56231c34d2292f6b3d2635137ef605eaf70f537d4c7e53913483007cde

SHA512
237d853179c4f7935e995b51790163bd1bb4f11fdd24ac8e96cde6adf4ba7b822920632befdeb2f29e1022ccdd8169a037922c072822d4339cca3e18d38eea18

Download Submit
\Windows\SysWOW64\Plffkc32.exe

Filesize
352KB

MD5
77b449fdcd260614f934a733da1e3f19

SHA1
62c81de58583cd7aadcd2dd1bc24e6bfc9ce4da8

SHA256
ef57395b275f0a463f8d441a293ef47e106e14a23602c4b062d7e7ebbb49614f

SHA512
a2b1c20fb088c0fbd4187457652f62a403a1d6548d43029511018bd1f46647b599244d6ff7a51e4fccb315623251918ea7b682671dcbd75145f8f2020d39ad40

Download Submit
\Windows\SysWOW64\Pqjhjf32.exe

Filesize
352KB

MD5
637a8c8363c808347e3b13fdc2bf3716

SHA1
0bd6c4782f970233e8ec4afc87ecb3f6d5da0740

SHA256
9b8567890ed79e9372dc52c2beb5daa2b2ea6483f79a035e3b5fa6f7b40b055c

SHA512
2022412ff7e9cafdb37b7e5e07a9a0f082208c86620855afe59767436698f2ee76a1480fe1e56e066d076947f6370d29041840772dfaa2d08e6b00f86e3f586b

Download Submit
\Windows\SysWOW64\Qgfmlp32.exe

Filesize
352KB

MD5
79c38a0acec44909078b0b69b643427c

SHA1
ee1e07bab3e7f3292dd8fa628bd3e8d8dbdcac5e

SHA256
b3d8cee86b0d2ebbcc913b03f595b9d3302ae81dfd21de52460743bfe8bb734a

SHA512
acd3f4fc41bb8b76225353cf07f160709845475eca01afb9c251372a5b37bb4cc601e6f16c68287b6323a54fdd75a498be19f0e041c6ef44e97de19117dcd6c8

Download Submit
\Windows\SysWOW64\Qoaaqb32.exe

Filesize
352KB

MD5
8878954756d0382b68cf9dc56358f716

SHA1
a17ed8c8c6ae7e60fff44452ec86be27865d81a7

SHA256
7a12ded227f5348ad6d5a8d51d5ace98e7f099acbe67e7e71f12f1486dbe7b5c

SHA512
a232c1e3e52480b991bd676ba17814aff13795a6c8a30343e1bef511378f18401f20abc7d4bf9d940bf7960f65cdd4a3910af81fe70a705988dbf01fa95740a7

Download Submit
memory/884-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1452-134-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1452-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1452-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-78-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1852-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-40-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2116-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2116-216-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2116-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-106-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2264-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-179-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2308-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-11-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2308-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-12-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2372-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-235-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-92-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2672-97-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2672-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-125-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2852-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-160-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2912-52-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2912-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-51-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2940-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-68-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3064-195-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3064-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-193-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3064-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-147-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads