ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Size

64KB
MD5

022c3d1c936302edb6985f46f82a91df
SHA1

2c8e145c3d91411aea078847378914ceff2ed9b4
SHA256

ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9
SHA512

0e4ee7982a34bd2a1f2e1888c7b5a101d4cbe8ad618f2d632c9f65a090957128f9121d7d2c042df76b1c3a876add91d57f2614a2073033d24bba6d49b327f530
SSDEEP

1536:GoBLlaUU/zFfkVzS9AGdCSfyDaVTZuYDPf:GoBMUU/hkVzSZczYTZuY7f

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe

Executes dropped EXE 32 IoCs

pid	Process
2744	Pmagdbci.exe
2168	Pbnoliap.exe
2648	Pihgic32.exe
1968	Qeohnd32.exe
536	Qbbhgi32.exe
2068	Qiladcdh.exe
2288	Aniimjbo.exe
2108	Aecaidjl.exe
2052	Ajpjakhc.exe
2440	Aajbne32.exe
2788	Ajbggjfq.exe
1028	Apoooa32.exe
2264	Agfgqo32.exe
2248	Amcpie32.exe
2480	Abphal32.exe
1052	Aijpnfif.exe
1856	Abbeflpf.exe
1100	Bilmcf32.exe
1036	Bnielm32.exe
752	Becnhgmg.exe
2100	Bnkbam32.exe
3068	Biafnecn.exe
2672	Blobjaba.exe
2304	Bonoflae.exe
1900	Behgcf32.exe
1588	Blaopqpo.exe
2756	Boplllob.exe
2616	Bejdiffp.exe
2596	Bhhpeafc.exe
2644	Bmeimhdj.exe
1632	Cilibi32.exe
824	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
2744	Pmagdbci.exe
2744	Pmagdbci.exe
2168	Pbnoliap.exe
2168	Pbnoliap.exe
2648	Pihgic32.exe
2648	Pihgic32.exe
1968	Qeohnd32.exe
1968	Qeohnd32.exe
536	Qbbhgi32.exe
536	Qbbhgi32.exe
2068	Qiladcdh.exe
2068	Qiladcdh.exe
2288	Aniimjbo.exe
2288	Aniimjbo.exe
2108	Aecaidjl.exe
2108	Aecaidjl.exe
2052	Ajpjakhc.exe
2052	Ajpjakhc.exe
2440	Aajbne32.exe
2440	Aajbne32.exe
2788	Ajbggjfq.exe
2788	Ajbggjfq.exe
1028	Apoooa32.exe
1028	Apoooa32.exe
2264	Agfgqo32.exe
2264	Agfgqo32.exe
2248	Amcpie32.exe
2248	Amcpie32.exe
2480	Abphal32.exe
2480	Abphal32.exe
1052	Aijpnfif.exe
1052	Aijpnfif.exe
1856	Abbeflpf.exe
1856	Abbeflpf.exe
1100	Bilmcf32.exe
1100	Bilmcf32.exe
1036	Bnielm32.exe
1036	Bnielm32.exe
752	Becnhgmg.exe
752	Becnhgmg.exe
2100	Bnkbam32.exe
2100	Bnkbam32.exe
3068	Biafnecn.exe
3068	Biafnecn.exe
2672	Blobjaba.exe
2672	Blobjaba.exe
2304	Bonoflae.exe
2304	Bonoflae.exe
1900	Behgcf32.exe
1900	Behgcf32.exe
1588	Blaopqpo.exe
1588	Blaopqpo.exe
2756	Boplllob.exe
2756	Boplllob.exe
2616	Bejdiffp.exe
2616	Bejdiffp.exe
2596	Bhhpeafc.exe
2596	Bhhpeafc.exe
2644	Bmeimhdj.exe
2644	Bmeimhdj.exe
1632	Cilibi32.exe
1632	Cilibi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	824	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2744	2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe	30
PID 2900 wrote to memory of 2744	2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe	30
PID 2900 wrote to memory of 2744	2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe	30
PID 2900 wrote to memory of 2744	2900	ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe	30
PID 2744 wrote to memory of 2168	2744	Pmagdbci.exe	31
PID 2744 wrote to memory of 2168	2744	Pmagdbci.exe	31
PID 2744 wrote to memory of 2168	2744	Pmagdbci.exe	31
PID 2744 wrote to memory of 2168	2744	Pmagdbci.exe	31
PID 2168 wrote to memory of 2648	2168	Pbnoliap.exe	32
PID 2168 wrote to memory of 2648	2168	Pbnoliap.exe	32
PID 2168 wrote to memory of 2648	2168	Pbnoliap.exe	32
PID 2168 wrote to memory of 2648	2168	Pbnoliap.exe	32
PID 2648 wrote to memory of 1968	2648	Pihgic32.exe	33
PID 2648 wrote to memory of 1968	2648	Pihgic32.exe	33
PID 2648 wrote to memory of 1968	2648	Pihgic32.exe	33
PID 2648 wrote to memory of 1968	2648	Pihgic32.exe	33
PID 1968 wrote to memory of 536	1968	Qeohnd32.exe	34
PID 1968 wrote to memory of 536	1968	Qeohnd32.exe	34
PID 1968 wrote to memory of 536	1968	Qeohnd32.exe	34
PID 1968 wrote to memory of 536	1968	Qeohnd32.exe	34
PID 536 wrote to memory of 2068	536	Qbbhgi32.exe	35
PID 536 wrote to memory of 2068	536	Qbbhgi32.exe	35
PID 536 wrote to memory of 2068	536	Qbbhgi32.exe	35
PID 536 wrote to memory of 2068	536	Qbbhgi32.exe	35
PID 2068 wrote to memory of 2288	2068	Qiladcdh.exe	36
PID 2068 wrote to memory of 2288	2068	Qiladcdh.exe	36
PID 2068 wrote to memory of 2288	2068	Qiladcdh.exe	36
PID 2068 wrote to memory of 2288	2068	Qiladcdh.exe	36
PID 2288 wrote to memory of 2108	2288	Aniimjbo.exe	37
PID 2288 wrote to memory of 2108	2288	Aniimjbo.exe	37
PID 2288 wrote to memory of 2108	2288	Aniimjbo.exe	37
PID 2288 wrote to memory of 2108	2288	Aniimjbo.exe	37
PID 2108 wrote to memory of 2052	2108	Aecaidjl.exe	38
PID 2108 wrote to memory of 2052	2108	Aecaidjl.exe	38
PID 2108 wrote to memory of 2052	2108	Aecaidjl.exe	38
PID 2108 wrote to memory of 2052	2108	Aecaidjl.exe	38
PID 2052 wrote to memory of 2440	2052	Ajpjakhc.exe	39
PID 2052 wrote to memory of 2440	2052	Ajpjakhc.exe	39
PID 2052 wrote to memory of 2440	2052	Ajpjakhc.exe	39
PID 2052 wrote to memory of 2440	2052	Ajpjakhc.exe	39
PID 2440 wrote to memory of 2788	2440	Aajbne32.exe	40
PID 2440 wrote to memory of 2788	2440	Aajbne32.exe	40
PID 2440 wrote to memory of 2788	2440	Aajbne32.exe	40
PID 2440 wrote to memory of 2788	2440	Aajbne32.exe	40
PID 2788 wrote to memory of 1028	2788	Ajbggjfq.exe	41
PID 2788 wrote to memory of 1028	2788	Ajbggjfq.exe	41
PID 2788 wrote to memory of 1028	2788	Ajbggjfq.exe	41
PID 2788 wrote to memory of 1028	2788	Ajbggjfq.exe	41
PID 1028 wrote to memory of 2264	1028	Apoooa32.exe	42
PID 1028 wrote to memory of 2264	1028	Apoooa32.exe	42
PID 1028 wrote to memory of 2264	1028	Apoooa32.exe	42
PID 1028 wrote to memory of 2264	1028	Apoooa32.exe	42
PID 2264 wrote to memory of 2248	2264	Agfgqo32.exe	43
PID 2264 wrote to memory of 2248	2264	Agfgqo32.exe	43
PID 2264 wrote to memory of 2248	2264	Agfgqo32.exe	43
PID 2264 wrote to memory of 2248	2264	Agfgqo32.exe	43
PID 2248 wrote to memory of 2480	2248	Amcpie32.exe	44
PID 2248 wrote to memory of 2480	2248	Amcpie32.exe	44
PID 2248 wrote to memory of 2480	2248	Amcpie32.exe	44
PID 2248 wrote to memory of 2480	2248	Amcpie32.exe	44
PID 2480 wrote to memory of 1052	2480	Abphal32.exe	45
PID 2480 wrote to memory of 1052	2480	Abphal32.exe	45
PID 2480 wrote to memory of 1052	2480	Abphal32.exe	45
PID 2480 wrote to memory of 1052	2480	Abphal32.exe	45

C:\Users\Admin\AppData\Local\Temp\ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe
"C:\Users\Admin\AppData\Local\Temp\ce17e7518848a4fb4c7a533cc00ae5aaf86a723b1074448c304bd4714b529eb9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\Pmagdbci.exe
  C:\Windows\system32\Pmagdbci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Pbnoliap.exe
    C:\Windows\system32\Pbnoliap.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\Pihgic32.exe
      C:\Windows\system32\Pihgic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 140
        34⤵
        Program crash
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
64KB

MD5
84b4daaed67297da7f093348aa49979e

SHA1
838cc838220f5de28121965aba90913ccbb6338c

SHA256
c97874b4daf07caf99b0f6ac3e17db1d1b2bfffc4411e6b87492c4edefae814d

SHA512
96781173380fafd6f4b4e44569fa6c439bc15234de04a11b73b374839b5b05b78c9bb4140eb3bce038eab171fb973bed99eaa7ee7fcb611eae46b35971eefeeb

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
64KB

MD5
397aac4c58c3bc1e698a45b44a09595f

SHA1
e3a4e0af66941bfad35add89eb9e75234909f19a

SHA256
1444404344ca37832f34c5ac0259e44e125e9f97eef5ec28c7ce970b5ff3e306

SHA512
671e2ce2ddea72fe62bb261ff3b808e1c440938107633e5f0bed3011c4096a6f42cb28fa74b33312dffb2e983244f6d4d9a9e8019fbe5a9ce6b40f515ee31b84

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
64KB

MD5
10fd8a6bfe0ca34cfdf96a544c35743a

SHA1
a10efc29aee8ae0d0230d7685515ea02fd2ad547

SHA256
ff7f2636034b8fc2b733dae754b70e9c2386becf0be0cb7c351e19d165d65378

SHA512
e8c934c72e99b53978018cb791dab6d0c84b238b3a1e526f61c3e194a523f3c3b4bf8641c8b2c082bc72696f2568d8a1c5511f58566f23ac0bf9b8f13a5c67e4

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
64KB

MD5
6e2942226e00a75a9712024e826e25ef

SHA1
375b53d2544a09c7417d68e43a2386681c39bf2d

SHA256
53274016ecb40528ec20d3a81dff15ca05cb5ff1aec3497be18230ebdc6ec6c1

SHA512
c78ceddbaeb16bbbac100959f55d7f3b125e3a2dd27faca6bcaf8e886523fc941e29a56bfc5aa5e90442f2cf421c2fe5329697b0c766f578acafaf56518f4374

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
64KB

MD5
47955b9b05573a92a9f85e089078ec57

SHA1
6f28952b754d4f0e9ea1f4e4bafd1060abf48191

SHA256
ea751e4e22edd32e3ba6e0efdaa5919d507f2b2a5804327a2e618d59fb03f255

SHA512
15b92ced0f8b9f90428a088a880dae74c6fdfa6198dd949442ac69b13ed5de79efb7073e43ee2ecbb70590e1d4bed9c141a2dc65db34640ef91939d0245359da

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
64KB

MD5
4d07d5fd41f0150e2835a935b45ddd60

SHA1
06ee104cb3538669a979b50ec9bdd14f3a9f4304

SHA256
d5610e72b1e54abf0c937ef1e7fed5938898b93913a631ef4e7ba2245a3781fa

SHA512
c61b4a122bdd5b33ae1c46f19d657e2a27befcebd698cf27c4085406582d2a588ffc1405934a17c912ea6fa1b7d19c993f3fa8da24ac1aee1070f25dd27852c4

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
64KB

MD5
305a0819ea8421e823c33ad4642d9e16

SHA1
a9359407ee8eb771e7c723e60bba2893fadee046

SHA256
1d46e503838a2f9ccbd92a16c3ac48af6721f37ed1ad7a86584a8cf7e6350092

SHA512
21a4ded8a07094f3cfe63d68a374ecfa2602683df3f883e34a5232126676702bacc3692d224e0e3be91de54bbe0313e9227501460b571df59c10bf4fc409ada7

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
64KB

MD5
f34795442bf62531483cdcac70d7b0cb

SHA1
b4b7ce7952450addeb621038fdccd014818121ff

SHA256
73c658499cf82958c3156153bf69d93d83d5f09841444d07b459f1944edaf971

SHA512
ed94ea56c01f93e2673112143a554fd56fbd45c23673169bac6973a1629267a9dbd9f4cf05fb5cd5ee6c8a0f9ca388b4ffc8a1c04b5fbabc22abf524047dcc95

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
64KB

MD5
3035bbd413732e1fa84b0cb391291a49

SHA1
2422e56eed3cdbf3e73288dc544300cac9f8ec0d

SHA256
8e849e17dfb690a01eca923547e4c59933df93aa7adb2fc6035627f14019278e

SHA512
05088e8cb2bb2927a600da2f61b4a1c2794aa728cb1c52a8f11d35b0c0617ccd202ecea3db0104dad4b046f71d2e5f61eef95de0477962c97c878f56ca95a6cb

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
64KB

MD5
26705237a7a8b90e0167b6b7960d91c1

SHA1
34f7739d2f6f6c32aacd7827ec1e1080fc0f579a

SHA256
58fc203e5bad51fefc57a955473f8e70c08e79304c9d8cd235c45a9ef6bf6b98

SHA512
a221e5a59810fda7c961281463fec98323523f6c20cf79f6167738fdd8881ad7190f2eb785b594aba4bd250e73394776d3c9d95bceff21caa416a16c63e6d9e1

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
64KB

MD5
6dd5a7022fec20e99a56c348e07b4eda

SHA1
43e5bf8bc148bd88d8a1bb973af51ba1aa10848a

SHA256
9f2a2b14cbc52a348561b1a0fabfa5950752fc854c861b026c990b4c9360255c

SHA512
9fb579b247cad46dcb05b363c03722400c82fba95fee81b8b6d1018a3c2f48cd298ad873411f39802576b3383d833f3899a02af84de88a79c9dbfa7ea307c6ad

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
64KB

MD5
54d81750942aa6881e800b5745037ae8

SHA1
e97979036f9e0195c44e8b203066bf67fcc0f247

SHA256
b7745e72679d5470c9bbe05dea07b9d27590a82e9b5ea75db9d8390161a28c36

SHA512
70ac4ff9e4e84e0a97900b5c89063f8233e283ff6786189a4c51e3533f21c7f172052cac4069eaf26e68355454d942cf71b54cf7e82c957df137b476ae4ddd24

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
64KB

MD5
3f920e9b2979c8ad5b84e42adfebce41

SHA1
2f2afca7362ad9ad20315a22d5408459118fa910

SHA256
64a390b80a66b210405c2d009994fcd08b094a343d60b3e09493ce73c3c0d27b

SHA512
e52933b8ce1c46aa730007b4629418834efa3b905bd2db3e090cbcf98e82c0919dd27ae176b7603f966126e027fc1d4ab5b43b4dba7a5a3dbe7d317598052c78

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
64KB

MD5
ca10ee20b80560cfcf959f2b8c9d4f96

SHA1
a2cb87b53f55c5fb268ba46ca021534dc36a1e0b

SHA256
4dc97efc2e48471258b5661570d473b7c4c660f1ed2ce0e5dbfeec1838452116

SHA512
c790eb9ef3f62823524649412b39cc5d4c80059fc5acfa5d666732451d910d5b43521593b2e20990b03a0c8076755898957ef91a8c7c05603058434dab7e32aa

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
64KB

MD5
4d70fd8d133afeb7986baf9be439af34

SHA1
3f47b1919766e6af37951f6d7d319cadb075b9ae

SHA256
949e95654126f9d942aefb752717ead6d76b1814095eda87091ad40e38ddbdd9

SHA512
76427c9ccac02a9f32b58fbee783562bf329e75b9b24bd18319f1592cc375b6e60099b722ec4f12ca5a7f607416693568c451fb4abcbf26f79c9614a49bf8c55

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
64KB

MD5
f72fa602793c80dff0b69fa0384f731c

SHA1
b81ebd41432d288c073e1c277eb5250ebe15e21b

SHA256
f1ead37fe4d5a3f6fc926c82312b19f46da27f87ca0bd4a0a273dba810eefd06

SHA512
6a63932fd1212563411a5f1ca01418fec34f188396f55ee0b7b8699f4cf5a30b2bd6dc74875617a0af32fd67f40c7fd0528610332eaeaf091ba98f6651abe9c1

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
64KB

MD5
9fb7e90aab00ca8528cb360d8d856dd8

SHA1
f0adec6d1c2c6e28ad1e08c6c139a9485374a813

SHA256
a030400dc6e283661c7b9cc1f502246bda5b7be519defc9fbc05e41d36ae4fde

SHA512
8f5284b05272410cd0eb84a817d5e49549cfeb1a970e6ca29d669a8f47f43c922badf941f651e92fce031ea5496dc860d6d15d1ae8e4ea476bd0714d81bcc452

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
d2abd2c551d9e2a9c9fc222708df47cc

SHA1
0e08ae46f1ffcc56e12d7eb9c1fa2c757378952d

SHA256
a04ca56736b3043cbd827b94d246456b35299cb5f8dd1a8e2122cf39f3921116

SHA512
3992445a6674420ce4d7ca2e83bd81e049974ea88eb9fa02fa5af1e4d02637dd2e428375af8215709a35fa09ffa28a8631bae5ffa80de40b25d991818d43d9b5

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
64KB

MD5
df834f17f894129edd9c4a0d9dc777c2

SHA1
6710b43e2937e5c57d525af96e91c19d3fa9ee1e

SHA256
29a6dee3033d308ea8a97edc03874638ec2f041e5714ba55214a47a5cd00c562

SHA512
63430937be7780d903fd97579f0815a99af3519eb5708b2be3ba700189d754be484ad85a0a69316d81566c251c197bfcb741a8185309c9422d0ae9068b40436b

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
64KB

MD5
261641bc052cd07133a616a46cb2b77a

SHA1
ae07b9aba3f8653198097947aacfd918a33db620

SHA256
12cfef303d80a5df355bd5d02767b336243e51b4f91148c453da71c242fca847

SHA512
3c21bdda11128b77f9f5194999a88540b61f8ef6046435fa515c3eafb73e1051d8dc46445248366df7482285d4dd6543fcf0627b3c56ab41247ae98e015e00ba

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
64KB

MD5
a47a4677eb2081795e7140d023991446

SHA1
f8b115b44bf5b785f741499bef849ca892195e03

SHA256
9919432282f97fbe23a27c8c1cf80af934dd2076b9bb9d95e86ca5bd96e85e51

SHA512
febd618f4d5f1106fc6cbef7cf9c0bddd693498eed985b326a902fa06eb6574b3cdf622a152bcc9ee63ae65e6fde30847aa4cdc8688d1993d966ad3ee97f7c58

Download Submit
\Windows\SysWOW64\Abphal32.exe

Filesize
64KB

MD5
b191945379e5e8bb9a2553a73f20b12b

SHA1
3ea9e05c5a8f41fc61a747f2083795def45e422f

SHA256
f25cbb3fd4f78484a64664f36d2738bbba87deda4ff2ffe629d4adf803b1b10a

SHA512
dccbde4ccf077527721633fcbb6c738310bb50ff31db79c3065e0acfb10ac6893336b820dd1dc9e7ab46108a06f7b40fecbf77d3485fbc30eb00940fa934da92

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
64KB

MD5
243f24b2c04c4ba4410dd79c0aee0330

SHA1
306275faa93fb89200a4f162f7d15ed666861ee9

SHA256
bee492258cec17fc353eef521639d6e7d5b529bb273a48b0111a8284f7f25777

SHA512
34d3db79730b5b382285423a5d05dc355b05725af1dff2298752f69f012ab52b898d33de11d8f0524ac94f12f237c53c801462f2dcbcc727a3060d7a0c263cee

Download Submit
\Windows\SysWOW64\Ajbggjfq.exe

Filesize
64KB

MD5
93f171f5bfef3d4a751ac3f0c309c264

SHA1
452a7a5aab619eb672c5e7b0b3a6610bf48879cc

SHA256
ae1280a438c18dcad50acc602aba8f00086ad2a4141b02a2757719c617c17207

SHA512
9c9955852c2add2f85abe399e134e8e2d5221a4f89970374a032626f04813c563809f3a872100e8dae970e0892e81ef285e9169ca4cc2b6aa6a968d741b1b9ad

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
64KB

MD5
16ac552e5495088fc007cae86ab1a473

SHA1
7482dda2b10c57d7cc3058a746b24eac50e48fc4

SHA256
fe6864048852634f714bd222fa5f3f4ffbd6499375405578bc607095f516010e

SHA512
b3c03af7cc7bfa247c9b2d10b9df9b0c1da0d1e9462bffa27599eba79b878dfa618b2f1450b6453ba5f2b30282c8f7e37127fecaca8378181d42c4a13499b144

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
64KB

MD5
3fed553071c3b37a63dc0c02be3b08e4

SHA1
7185b2f8f09fdbfdff9eb478365ae9ff622b910c

SHA256
f896a219be213993c147db4ef083f6e023b3eed5ee097fce98a0538561cc4657

SHA512
aeec72745d90ddcb00e659663ff387feea9858c6baff9431a5bbc52a64e0f00b11d0edad1a0e068bf34ef6aa4423439c2478b36cfae13bd2fbc463562efaa3c1

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
64KB

MD5
cff1c680f63499c6744deb5db87a736a

SHA1
47b06219069c1e2331e85839229a81534fcf99ef

SHA256
f2d6c93a7bd594fa220316a093143659fad28521ef6b70b051b1ab8f483c9f5e

SHA512
e3f5310008a79ca80b0ecb54f1f059d8830fc78ba13e624e443ecdd8fb3cd484126e616769083672a154f4dc33973ebe6b927d69492fdfc100971bac0ee9a77e

Download Submit
\Windows\SysWOW64\Apoooa32.exe

Filesize
64KB

MD5
a00e0d8024f0c3ce21dbfba313119c48

SHA1
35c818657a134655b6145270c02cd358494821d6

SHA256
9d784f1ad80a37009fe667e293f906dc378546af7e2610ddc132227a1e1f4eda

SHA512
9f5a35f1677836c2e8d719900c57ca8d29a670ae719247c45904250a932184686f333ab9e4666e9f36c2ef598f0a334e3140bd0cefb50ee5b4fb6ad1c87577ac

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
64KB

MD5
ceda911178b4eb468d5ad923e446bdcd

SHA1
2d2e1ad18fe9276879e6f4d0f7b727ede1516e58

SHA256
d7d92db967f43febeef570b57fd396ae3eb0951a3a7a6ee1a1bd1b1946b9d6f7

SHA512
2c8d4257f8334d54c0b7150a3c676a65df33b2bd3c62307018923cd85c4dbdf78ca467f2503b6e6c526ce69c44b6dedb8ebc47f28549e3dcbe63a165c34232bb

Download Submit
\Windows\SysWOW64\Qbbhgi32.exe

Filesize
64KB

MD5
556455fa336f81d541882c8033341c50

SHA1
f994eaadc621b74c066fdc1fffb4f0778396d5e0

SHA256
ec67ee6573eec6f96401d888d73287d72a310ecdbe3ed566097a2c0f0ed3e90c

SHA512
05d306b8aebb5a9a709752a5ef0e18b903cda2e20fa22d3100d00358c21f6a9bdd11c1d998e75029219398e8f0388c087e174cd7b1dc2c583f80bb53a3442458

Download Submit
\Windows\SysWOW64\Qeohnd32.exe

Filesize
64KB

MD5
151a57ca7b886962ca5d36d46da642fa

SHA1
8911c7e106a4309344e8f4ef654c30105eae9cba

SHA256
a6936dde615050fd0918a19ecdfe605c24718609b8d7c0414d581a887d8eb832

SHA512
05b6e692b3d6e9dd16299dc077ba1476169dc111b8019ecd7e873de2d223740025090663fdf3c152bdcd616a4dde134d28c0a6102d41bea7e1ef82d5353c2230

Download Submit
\Windows\SysWOW64\Qiladcdh.exe

Filesize
64KB

MD5
bf5cd2b98a8b3cc870dd4d3107b3d37d

SHA1
8979a9146484e6542d55bb86bb1b702199b0f9b6

SHA256
4943f303907535303e4e86578d195350a5a716209d003be74f899dcb24e0db71

SHA512
28bf85ff896ac3b868a1e98487ec2a9cb723e01ce918a65788b67dc96a1fc8ce3d9000ab023668176b79dd910279b10a17390e6ebaac51756b0809ea75b11b6a

Download Submit
memory/536-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-258-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/752-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-168-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/1036-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-220-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1052-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-242-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1100-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-318-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1588-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-322-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1632-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-232-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1900-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-311-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1900-310-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1968-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-61-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2052-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2100-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-114-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2168-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-33-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2248-194-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2248-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-300-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2304-296-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2440-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-145-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2480-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-354-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2596-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-343-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2616-344-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2644-367-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2644-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-48-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2648-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-289-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2672-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-332-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2756-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-357-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-280-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads