4abd4ab87685fbc7111fe43dcdba21a2376e046904c08aa8f23084d517171b4f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a686bbbf8e2e706f39f5979c932578f0N.exe
Size

74KB
MD5

a686bbbf8e2e706f39f5979c932578f0
SHA1

9ed56b46b6bab898c7bf7cf071fc84e20c0f816a
SHA256

4abd4ab87685fbc7111fe43dcdba21a2376e046904c08aa8f23084d517171b4f
SHA512

6df02629b55c2efe30c6987ebd88f7fc07d225f9498e14b73af1297ad0b90b991305ba89977f2a69a7123e8e562017b674b3099e13ad1ed845afdc3ee99967d1
SSDEEP

1536:vbjnmB6/uGV2bmpPDkZ4EBi+2lXN2pzpDF:fnmcp0bE7C4ZFAF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe

Executes dropped EXE 58 IoCs

pid	Process
3020	Pgpeal32.exe
2628	Pjnamh32.exe
2716	Pqhijbog.exe
2040	Pcfefmnk.exe
476	Picnndmb.exe
944	Pqjfoa32.exe
2068	Pfgngh32.exe
2420	Pmagdbci.exe
2672	Poocpnbm.exe
1248	Pbnoliap.exe
2704	Pihgic32.exe
608	Poapfn32.exe
2148	Qflhbhgg.exe
2492	Qijdocfj.exe
2164	Qodlkm32.exe
1044	Qngmgjeb.exe
448	Qeaedd32.exe
1464	Qgoapp32.exe
1620	Qjnmlk32.exe
1856	Aaheie32.exe
2384	Acfaeq32.exe
1048	Akmjfn32.exe
1040	Aajbne32.exe
2564	Aeenochi.exe
2304	Ajbggjfq.exe
2740	Amqccfed.exe
2768	Apoooa32.exe
2660	Aigchgkh.exe
2216	Amcpie32.exe
1496	Acmhepko.exe
988	Aijpnfif.exe
2296	Amelne32.exe
848	Abbeflpf.exe
2784	Aeqabgoj.exe
1972	Bilmcf32.exe
2132	Bbdallnd.exe
1300	Biojif32.exe
3032	Bphbeplm.exe
2472	Bbgnak32.exe
2276	Bhdgjb32.exe
2012	Blobjaba.exe
912	Bonoflae.exe
2292	Behgcf32.exe
684	Blaopqpo.exe
288	Bjdplm32.exe
1636	Bmclhi32.exe
2532	Baohhgnf.exe
1992	Bejdiffp.exe
2412	Bdmddc32.exe
2860	Bhhpeafc.exe
2632	Bkglameg.exe
816	Baadng32.exe
2812	Cpceidcn.exe
2108	Cdoajb32.exe
2588	Cfnmfn32.exe
2664	Ckiigmcd.exe
2640	Cilibi32.exe
2072	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	a686bbbf8e2e706f39f5979c932578f0N.exe
2884	a686bbbf8e2e706f39f5979c932578f0N.exe
3020	Pgpeal32.exe
3020	Pgpeal32.exe
2628	Pjnamh32.exe
2628	Pjnamh32.exe
2716	Pqhijbog.exe
2716	Pqhijbog.exe
2040	Pcfefmnk.exe
2040	Pcfefmnk.exe
476	Picnndmb.exe
476	Picnndmb.exe
944	Pqjfoa32.exe
944	Pqjfoa32.exe
2068	Pfgngh32.exe
2068	Pfgngh32.exe
2420	Pmagdbci.exe
2420	Pmagdbci.exe
2672	Poocpnbm.exe
2672	Poocpnbm.exe
1248	Pbnoliap.exe
1248	Pbnoliap.exe
2704	Pihgic32.exe
2704	Pihgic32.exe
608	Poapfn32.exe
608	Poapfn32.exe
2148	Qflhbhgg.exe
2148	Qflhbhgg.exe
2492	Qijdocfj.exe
2492	Qijdocfj.exe
2164	Qodlkm32.exe
2164	Qodlkm32.exe
1044	Qngmgjeb.exe
1044	Qngmgjeb.exe
448	Qeaedd32.exe
448	Qeaedd32.exe
1464	Qgoapp32.exe
1464	Qgoapp32.exe
1620	Qjnmlk32.exe
1620	Qjnmlk32.exe
1856	Aaheie32.exe
1856	Aaheie32.exe
2384	Acfaeq32.exe
2384	Acfaeq32.exe
1048	Akmjfn32.exe
1048	Akmjfn32.exe
1040	Aajbne32.exe
1040	Aajbne32.exe
2564	Aeenochi.exe
2564	Aeenochi.exe
2304	Ajbggjfq.exe
2304	Ajbggjfq.exe
2740	Amqccfed.exe
2740	Amqccfed.exe
2768	Apoooa32.exe
2768	Apoooa32.exe
2660	Aigchgkh.exe
2660	Aigchgkh.exe
2216	Amcpie32.exe
2216	Amcpie32.exe
1496	Acmhepko.exe
1496	Acmhepko.exe
988	Aijpnfif.exe
988	Aijpnfif.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Pjnamh32.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	a686bbbf8e2e706f39f5979c932578f0N.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	a686bbbf8e2e706f39f5979c932578f0N.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3036	2072	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a686bbbf8e2e706f39f5979c932578f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a686bbbf8e2e706f39f5979c932578f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a686bbbf8e2e706f39f5979c932578f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll"	Pgpeal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3020	2884	a686bbbf8e2e706f39f5979c932578f0N.exe	30
PID 2884 wrote to memory of 3020	2884	a686bbbf8e2e706f39f5979c932578f0N.exe	30
PID 2884 wrote to memory of 3020	2884	a686bbbf8e2e706f39f5979c932578f0N.exe	30
PID 2884 wrote to memory of 3020	2884	a686bbbf8e2e706f39f5979c932578f0N.exe	30
PID 3020 wrote to memory of 2628	3020	Pgpeal32.exe	31
PID 3020 wrote to memory of 2628	3020	Pgpeal32.exe	31
PID 3020 wrote to memory of 2628	3020	Pgpeal32.exe	31
PID 3020 wrote to memory of 2628	3020	Pgpeal32.exe	31
PID 2628 wrote to memory of 2716	2628	Pjnamh32.exe	32
PID 2628 wrote to memory of 2716	2628	Pjnamh32.exe	32
PID 2628 wrote to memory of 2716	2628	Pjnamh32.exe	32
PID 2628 wrote to memory of 2716	2628	Pjnamh32.exe	32
PID 2716 wrote to memory of 2040	2716	Pqhijbog.exe	33
PID 2716 wrote to memory of 2040	2716	Pqhijbog.exe	33
PID 2716 wrote to memory of 2040	2716	Pqhijbog.exe	33
PID 2716 wrote to memory of 2040	2716	Pqhijbog.exe	33
PID 2040 wrote to memory of 476	2040	Pcfefmnk.exe	34
PID 2040 wrote to memory of 476	2040	Pcfefmnk.exe	34
PID 2040 wrote to memory of 476	2040	Pcfefmnk.exe	34
PID 2040 wrote to memory of 476	2040	Pcfefmnk.exe	34
PID 476 wrote to memory of 944	476	Picnndmb.exe	35
PID 476 wrote to memory of 944	476	Picnndmb.exe	35
PID 476 wrote to memory of 944	476	Picnndmb.exe	35
PID 476 wrote to memory of 944	476	Picnndmb.exe	35
PID 944 wrote to memory of 2068	944	Pqjfoa32.exe	36
PID 944 wrote to memory of 2068	944	Pqjfoa32.exe	36
PID 944 wrote to memory of 2068	944	Pqjfoa32.exe	36
PID 944 wrote to memory of 2068	944	Pqjfoa32.exe	36
PID 2068 wrote to memory of 2420	2068	Pfgngh32.exe	37
PID 2068 wrote to memory of 2420	2068	Pfgngh32.exe	37
PID 2068 wrote to memory of 2420	2068	Pfgngh32.exe	37
PID 2068 wrote to memory of 2420	2068	Pfgngh32.exe	37
PID 2420 wrote to memory of 2672	2420	Pmagdbci.exe	38
PID 2420 wrote to memory of 2672	2420	Pmagdbci.exe	38
PID 2420 wrote to memory of 2672	2420	Pmagdbci.exe	38
PID 2420 wrote to memory of 2672	2420	Pmagdbci.exe	38
PID 2672 wrote to memory of 1248	2672	Poocpnbm.exe	39
PID 2672 wrote to memory of 1248	2672	Poocpnbm.exe	39
PID 2672 wrote to memory of 1248	2672	Poocpnbm.exe	39
PID 2672 wrote to memory of 1248	2672	Poocpnbm.exe	39
PID 1248 wrote to memory of 2704	1248	Pbnoliap.exe	40
PID 1248 wrote to memory of 2704	1248	Pbnoliap.exe	40
PID 1248 wrote to memory of 2704	1248	Pbnoliap.exe	40
PID 1248 wrote to memory of 2704	1248	Pbnoliap.exe	40
PID 2704 wrote to memory of 608	2704	Pihgic32.exe	41
PID 2704 wrote to memory of 608	2704	Pihgic32.exe	41
PID 2704 wrote to memory of 608	2704	Pihgic32.exe	41
PID 2704 wrote to memory of 608	2704	Pihgic32.exe	41
PID 608 wrote to memory of 2148	608	Poapfn32.exe	42
PID 608 wrote to memory of 2148	608	Poapfn32.exe	42
PID 608 wrote to memory of 2148	608	Poapfn32.exe	42
PID 608 wrote to memory of 2148	608	Poapfn32.exe	42
PID 2148 wrote to memory of 2492	2148	Qflhbhgg.exe	43
PID 2148 wrote to memory of 2492	2148	Qflhbhgg.exe	43
PID 2148 wrote to memory of 2492	2148	Qflhbhgg.exe	43
PID 2148 wrote to memory of 2492	2148	Qflhbhgg.exe	43
PID 2492 wrote to memory of 2164	2492	Qijdocfj.exe	44
PID 2492 wrote to memory of 2164	2492	Qijdocfj.exe	44
PID 2492 wrote to memory of 2164	2492	Qijdocfj.exe	44
PID 2492 wrote to memory of 2164	2492	Qijdocfj.exe	44
PID 2164 wrote to memory of 1044	2164	Qodlkm32.exe	45
PID 2164 wrote to memory of 1044	2164	Qodlkm32.exe	45
PID 2164 wrote to memory of 1044	2164	Qodlkm32.exe	45
PID 2164 wrote to memory of 1044	2164	Qodlkm32.exe	45

C:\Users\Admin\AppData\Local\Temp\a686bbbf8e2e706f39f5979c932578f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a686bbbf8e2e706f39f5979c932578f0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Pgpeal32.exe
  C:\Windows\system32\Pgpeal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Pjnamh32.exe
    C:\Windows\system32\Pjnamh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Pqhijbog.exe
      C:\Windows\system32\Pqhijbog.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 140
        60⤵
        Program crash
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
74KB

MD5
7ec3e221b99219783b114e1915aa2129

SHA1
7e8896f7a351d0aa093fefb5052b297e90fb0762

SHA256
e7049a52d3747061dfae23e5cdf8ba42844d3e8520ccb641675060898fc68822

SHA512
49f532ce7ddc3509fac594774bc85b0e1db0dde694f7d638f284dbf8aa091d43dd9f17fb003299cb729c9479505cbdc7b82e443758e306912171550fecdcf4bc

Download Submit
C:\Windows\SysWOW64\Aajbne32.exe

Filesize
74KB

MD5
cd8dae4a863c7306ebd82c61e59601f7

SHA1
8402b33f19feade894dc31347bbfd005f1debde2

SHA256
f6317fbc615dc5983d18864c9e1100eb3d6ffe26981f5d5eef0f7e4e0073a7c9

SHA512
e4ff4113cbc045c6ddac31e60790a7a5d96238fc8e5e9cf8574a6851d18d10cb84ebf313d7f9920de10ae1afe15788b02af0a963e7979de782d98a3c634b362a

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
74KB

MD5
c8f50f2dd5766109d1e230967d241f40

SHA1
f854a9c17368d97d3fdb42161568a24c7fc3c886

SHA256
562c9ec2c0817d121bbaf74e39252b5b95e321ff0f89f8e719b1d16a756ffc1f

SHA512
b1bbd02c56f39f571cf01bd4064a813daed74f96c917bb45d79191b4ece9b31e7772ed0afc184b6c70614ff1ea353190bf3c0c7d8f82ba4e2c600a6581d1f215

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
74KB

MD5
03ca9b708b1bad3f31c63d40a0250542

SHA1
ca9ec2ee1034d4a881dec9148d544f0b975be8b9

SHA256
b531e1e13d54c274afb20f60f3d656057d20ca7ddf77bfb737626fd066a27816

SHA512
3ceff1ea3dabab3f2e9bbeeea14fd2bdaa72c3d0b014d9f38e700386c9728cd9096841d5cc900c18c95ea6382589782491c1b468590f531862cf62418e92e073

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
74KB

MD5
05c689b0897fc50c021c48a716eba68c

SHA1
01d4a619fcf0a0eb70cd95d352bcfe52bc0664e1

SHA256
cc54d1cde6649953f779b28483d25dfb44bef527dff3c4aad5d06537820f9619

SHA512
5434271d2db909d27846c1070d6d883c57c28cfa723e07cbdb90ea6bc89c80bfd66019faa0b8a1eca578346185d5aece869cef14c7011588110f685c6572a896

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
74KB

MD5
2e03d835e52c5234b3b2b19c60a65089

SHA1
19e5ef86c0ec179c519e9a7a2da59cdcda38e3a0

SHA256
a46a60936e2a06044ab3455bf0e71cdb3da8cab021f479b4cd2fd76963b01b6b

SHA512
8efd9e6c47e8a12e8ded386a90548caaf4e21451abefa686dd13457d93170880bc925fe4c6dda03b20523401939840fdb6a6735d076b8e0157969da8e2c132e9

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
74KB

MD5
ae63c39cf5d85996bae05ac8aa8d4d76

SHA1
8dbd2c986bb3f7ab14bfc55549a2ba425ba5b6b3

SHA256
3267e084df36820b1d0884aa68ffb99f40db2c92bb97668fe347d5a70cc4b52e

SHA512
460b449314665e2881b37c5644d1fb9290d62a1d0f91e25aaeb1712eff3abd43709ebe6e7f21c760172b17ee0b882b7291a169e0559f2497b3f9c6b70b2c73e9

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
74KB

MD5
acd98f46e79454ba022567dd1c54311b

SHA1
b5201687d101d23f5857e80fd25f769de2878c3a

SHA256
adab56de68538c327719c18216edbb9ff92d5dac556cd3a82bcf6aec75f415ea

SHA512
773dbfcdb6c646943b629945c2f22de7a6be637632a73b834a90ef39d6d360aee130e4727e61578393d69334eedea82ce382a9b57ad808463220b1212a76be20

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
74KB

MD5
e54bf3c1ac36abd855fb0b3be3fa81d9

SHA1
487f98c3e0dd1673f82fe19d15617696f6011be1

SHA256
c3d468be9a714486361978a6fffda8e9d4ff159a00ed061d78827305e897e757

SHA512
f06293884a21a989909de595566e7690f5f2e1598e9aae45c89b5fed604a7b7cd88dcae50c01f0631a904cf43c1a30cfa3b32044e0df8ca10171382e0d4d90bd

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
74KB

MD5
cd19c1bf07da08e3ff58f93c6ea1c2be

SHA1
55185ef7a73264b44c8ca9204606b2e1077bd70b

SHA256
81db33e0aa4f2806a01b9e0d1c25647ee051557189cfc72b72d318b9ad5ce18c

SHA512
c4fbdf8bb277fba8e86c5e8d3ee4f15bd6ee8e2815e223390d669f9367ab1b3d7e4c901feab952902e36a99af49d8927a5370f2128e680e27d9c5c2a63cfa273

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
74KB

MD5
8e844b5181ee7a1cdb3f81a25e1ac758

SHA1
c9d4436db94dde4220b4bf070c1d4a33ddb102b6

SHA256
76161918922fe2ff3e39e66a9a9df87f114dcb45a2aeb63040581168f64a2e44

SHA512
ce0ed6b384e31a794ce19ea79bf35c10814d0864dc9c8000a8f41b02cae1698bf21e41692d6cf9b7f7707e97ce6062b4ee623ec8247378deef0662be051e969d

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
74KB

MD5
328f8feb4fc18573dc0ff51f19551502

SHA1
4e59d40497f924048959a9fba6455021c5a74165

SHA256
5aa90bba7048797fb0c183fdf6eff2e77979ccad2c0fcc28db9ccd4948096889

SHA512
62279b01e512737eef4fc8a0a837fb457eb811ab43a25bef374f8cbb33c00767431ae812cf89afe30c772f1ec06a452d7d41dcab3204b8b6d0599f7849e765c7

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
74KB

MD5
f58b49dfb7c41475a5b3e8f6794f1751

SHA1
e150dbf49dd109a722f713a998316830c2f8bd48

SHA256
2ea83d9057772c9d7638292edc9af4cffc30aa7f290929d4f001cce2e313415b

SHA512
99ee7467279afa07eec661f580758c025ead779381a69e527386f26c67c81a7183e85a6765b7ff284ed7179278ebe2d97647481f374350deb161f38f7bac39d3

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
74KB

MD5
79e57c820f71b4f3ca90c0efa5f37a41

SHA1
a6347d8d9b6293f549946640add24e694eee4254

SHA256
6b5e69af9588b59ff5d111133dc8f9a1a9be0f5f4bd817d21e90fe73fca8096d

SHA512
127412f3ece7afba8d1fbda7caab6bddb41c491ca42ede897beb3f503f81ee233e98678106a37c4faadb402b6d55a14ab387f8be7e1299bbc123ddec0a3e5ee4

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
74KB

MD5
d5f744507471596aceb2e21d38644942

SHA1
63cb392c621a34a3818e9747a6ae0d9ef9e22be3

SHA256
55e6c287921ecba1af3f801dcc2bb2a3b21e45d104ccf7a8c390376945e39d1c

SHA512
d7474b27337c5486e3fc43a9baa679900bda3d73eaa93a0de0db1562392b71674ed0fb11fe7fd6b347339a36c3713dc280b3dafe67a75cb10ec2c2687904539d

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
74KB

MD5
00d7c08ccc6e21984755cd199a59e7d5

SHA1
d814c87db7aeb914e1cfc9080574ff120b2ba941

SHA256
2e33aa4326e2a7061bc6a43383778fa2166b92b570f74c49a1d455297375565a

SHA512
b837d20cc0a6e21f6c5e1c06ebb1e01d4845981700909f469848caced2612a587a38e30bff6554757cfc3347bc789345eeb55a8f1fc02bb4f5614c707ff2074b

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
74KB

MD5
5bed4f2ebf714b700a4bf55d5297008e

SHA1
79678cbb8c368ed2f597628800251a1b4d04eff1

SHA256
37deba5cb0821363de7cf1ceb4f7d64357d5ccf4df91fb871f27bfc4337ee57e

SHA512
3ead020400ca199435a7e684ac350f3d8cc6d98277a1d68e3075d29ed8eccef98ef6225a2528f5b1ef31c841e2713e972947c47f1a2245f53c89052091615966

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
74KB

MD5
36c22ac8e16666e6185a50e05badc0c1

SHA1
56de0cdf5bdef5c3dd11639773a471e24c60ee62

SHA256
dea29561d4e0309ea6d28dc85fa78459320e15122f35699406a7fb8df9574b1e

SHA512
f9fa651d26b65016197d2de4f8bb0add8ead27cf568c6b3e80c72f8633ba607d458624f3ec3b9b5295e2027660a0fd8f37c9b09e4f47910fa92be13be05c908e

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
74KB

MD5
60b4691f6e07470d920d4f2b37156fd6

SHA1
3ddaf2cb715da379cff1a134c6d971ab21a8068e

SHA256
5a8b5c1b54aa5a802bff396939fcc56db83c6bd44612968a39f60e67c503dd9f

SHA512
918f004b3f489dffa50247414e37270ad4485ebd4e202b39a97921311e21655858af9d86ede6773ff72701f2e64d04a91fa23f4df61d8f05682bdf02aa1fe79f

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
74KB

MD5
5789d6a1fae3fc2573eeeb303743f75f

SHA1
b4791382b2b53d7717eb33b8faf3d9e8df04d663

SHA256
c6a81f987a94efaf77a8c2a40f3698d39fb9fa5dba6702f8ad1bad44180f235b

SHA512
393ecf44c3787be7a61d8257139cfcbe03aff500d22acdfbeadfaa9fc8d11d9a3470d4104c589b98faa0ff25db158d8d6279e77b55cfcbf5a3450a18aeadc13e

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
74KB

MD5
c66073a30b360ff38b13c3d37f0ad4b0

SHA1
ddcf4667d4b615fa930e6d4ea6dbfab8bf4ee0a0

SHA256
cd403302f29c9d1352d0da8b2ddaa5d0debe28ca65312f70c6f87b8e52a93225

SHA512
589fa1d64e6f22afdd84b48cd70355124ce04acc68e3ff78e48e9f0aa8753518fed2c8e4d6c961d533471f9b6604ceb22a5186908925db398c2575f5cd3787d3

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
74KB

MD5
fcb083d1937c65f7f28352394f1d7256

SHA1
b66176f963cfb61434f484392d6d800c08617e9b

SHA256
b8a21377e1178e78282897eacd5307ac36270f9eaf91495c3e58dff1fdc6e486

SHA512
12a2be384f40b823c1a3fa669c554bb311922c512cc6f24cc3e0bcb84dd3b932a399d25e501c95dfc1c457696da45ca8d0e5dc73ad83a2a9114df9378fe3687f

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
74KB

MD5
1ae8f8426d5388003e27a2d703ee74f3

SHA1
8ab33722dcb7bf312273ceef42245af2071d0428

SHA256
8c9cb9f7e8495e6136d4b1e0a5e3841fa7ca0600a2441b4de5a2bce2c0172384

SHA512
73ecbdebdd3d91463378b3cd898f36c8ac031353d2ee6dab619b1bdf2e7c1e43643b29c797b43be92582a7ac0aabf3a84a1f1a1bfe0bc27b2b7d7bfc4fb445d2

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
74KB

MD5
79b630a74ac92379bff11a5485dfa836

SHA1
f1e06c6a2a38b659ac617564cac86e88693e2549

SHA256
afe49df3dec264db888a47ff654cc2d1034dba9eb988c8e94db87a5b1c7438ed

SHA512
d23421d40e92891b3072475dc3a06141c72dd69d72ddc7171c806ced0e27d7a168b85476c7f28183cf137783e993260acd78ebea8fa2476649bae517d63ea49f

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
74KB

MD5
e251d740f387bc5d44f6474b5e053fff

SHA1
4093f7714255c622c681e99a9fd01cee26f6e4d3

SHA256
7c16066ab3de697b0bf02b537f8f4a09a27a012714d926118f8ba48f1a01469f

SHA512
a3925d04aa07dc874361d2392361c128a03a603d730aa7851ae3e680353a74a8f0e3e0d1e2dbb18538c5e92feac89ed4d8ba970106bed4153d057e7ddbea412d

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
74KB

MD5
12e0d7a192e3d5d9e92a9a03a89e9d82

SHA1
6e5e52c0fcfa8f6cb922f1da218ae7d2126ec6e8

SHA256
0028d41b5ef4ce9ac2e0f47e5caf6263d47346c9b5b78861366c79687da54606

SHA512
3cac1b0ee01d2b19d19f3f755bc794e0730305223db2d20d3aecf984802c3431c9cbf4901e25752b0ae7d99045ab48f3b4b1390415e9aacd55cf73c5e8401240

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
74KB

MD5
906ed963d36c9baecde7c0fa4ca42763

SHA1
d91a22f8823909ef2c554716fc5df01bb94b0c5f

SHA256
5e9a8854a207d63a21b1f8471ad82a7c56e4e101b861e93a1bdcc7d43c6594e4

SHA512
4349629b3d1ac127cc45cca2917a5c3d5322d4a2e3f1082509ab6140fd657b4ff230cc940f130b39ef8817bdeeadff2be637d56a654eff09c0d74220c7926c3a

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
74KB

MD5
a0c8da08c0d9cd3b6e2ec3ae8fe9065f

SHA1
48bbfbf8f8d8009792e7a6ef9fed716b8e3ce1e8

SHA256
06e97e7e52da8b853abdbdc112044c676b43d9e8337190109b0ada4527742b8e

SHA512
cd48830b61f4908cb5712eefcb27dd5095bbb901b1fe71e4396b0e75f878aaeb587285efe90191925ad8d122b547f9620549aeed01847d2422cef29c0208f4fc

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
74KB

MD5
9ba072062cbced706336c7981318c673

SHA1
ccb3e12ab92f10ffa19d96a25b42d99354dc25d2

SHA256
5e0277223e09a57664b90c28a27ef4704dc425603e9064359a8af4fb704115da

SHA512
88e115f950bf703e4439740121eb1976962405b1d0c094de31410a9819b9a34db5df31e0474bd3f94c60e3ab258bce4a6dc483b52f5146188b32f60d73f4d5a9

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
74KB

MD5
859ec8cfc4b05a0cbd441c89fcb17a68

SHA1
5a00fff151f1b14da8ce63a2b2d0b98957fd3b69

SHA256
82472c34d5c04d7d49a620c17f784200766674cb80bad57665d6fda3f76b3961

SHA512
2577d371ab9b6b24893a6f9df6f54c6aafe72dc2ccc9194baafaffeaeb69da3a25ff6b7e7930c6e8165c989ad94371b3a7f6bd581f6f3b05e7d922ed1758bd78

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
74KB

MD5
2cedefa4a36ecae41f1c8fcee81647b9

SHA1
9a5e200726c291d2d151603e152d8f4e1721aafe

SHA256
6e28503ffa6df9ae6f6899b422f41d974cadbebd86605ee96cfa3098ee4001f6

SHA512
8962d048832e0808d203b68e7be2d1e31782d5f6f1b2bfea9e42fc316e81a2878a0f71576615922f42e88473fa731f71f0cbc03c9504c4ae5e7e9453d25302de

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
74KB

MD5
319fbf4516f505663d67b6583dc30546

SHA1
c680f82f8c657dc4a609eca43d19284fb866473b

SHA256
9ade37464e26f091242f20d65f5743813a21da0b943e16a44d886068030483d7

SHA512
40b7a6f658770b59f61e3d21150625312d74de2bf1109e02340e0c7bc19bcf3d1f3a19adb60a6b225be4cc50fdddfe76f493fdc6e1436d4e395adac783ed7a0d

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
74KB

MD5
2062323e096b8eccc67fe56a11996fbe

SHA1
bacb8307e74e0bf0adadb36f380930e0f932c8a1

SHA256
0aa171f79b80cd3166b67e6851e97b52e0e1e29c74561a7e02d2226d5badf65c

SHA512
d0386a8aa71f8175598b29719f9779707fedd6b10c94d5b0cfe5893b7b9710a201b34b4afe6243d7cf073f948d2ef1a7e309473f05e3b2aa88f1777b87806f06

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
74KB

MD5
05a7e50ea39ce99f511704d4a0682e88

SHA1
fbc370c60a08259bc11d56425c55d805f41c2e44

SHA256
9c021d6e31e4cfc4afc5b05f9633f19a068152e3924934c6543ba2aef9e042c3

SHA512
b31bf9b367eb22f0a27c9c9a7592d198dffa591abc32cd220c770222bf8e6502618e6772b7b3cdf29142d24d4a635f413d26653f7c186bf867a8c8572c418e3d

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
74KB

MD5
526d53b5e5f648694d2dae17cbcfeb3c

SHA1
c8c870bc96e72da5802270d19e397284ea19ce68

SHA256
94774ee25d66344483b18763d88027df1cee64e35256b657eb641c46cb8f3091

SHA512
e7ce04fdf454204d5522161855542821c1d0b54a3a68b0b405bbc43aabd97219999001bb4a9aa88b059a2e809d323ffe535886a683c8690de8450fe0410534f7

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
74KB

MD5
71f6ebff02b62cf45d9177f5ff9ea2e1

SHA1
bc795278c002e40dea0d30c2bfede61bc78e2db7

SHA256
db0c71b4566fb64b26633b853b2c1825a615a8a1b2a016894081170319913d15

SHA512
05b72c87b96b5e969ba39a01d9240a2f328a114e28fa3ce6092fad52f5b3e088749191094abd70e1df60b25055ce3fbfe0fad19e665d4a9229c73e35ce86a9d2

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
74KB

MD5
e121eed9154478382697b69e0b7f1899

SHA1
d849c617522b08de3cd841bada2c5e2857c67089

SHA256
b59f209f83f83bb17c1bdc95153c0e93c355fd69413c700f9e1a121b7b05c81b

SHA512
67f2c7d2ff6ea2d8405ff4bfeb9fd01a9ce1c9ec811aedec18ac488fb66e7834bdb772fa01eb9a1ce3f5a5320b18a9a963a5c0bf5046bc7a2a8491fc4c8c078f

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
74KB

MD5
263ca8d8d7a44e978cd6cfe9f0e56c3d

SHA1
4f77346faacfa673ac855964931b4bfb1f68954e

SHA256
4b3dad1e20e346bdb241d7872c70c9608d2aa1998358325e033878fea6dd0c6a

SHA512
2adb2f2bf16c18be89c032902c54d4432f19844bfc7cff16379846502403d32f25b56443b12efe63ee1c8d1b42213b593fc84a90c44d19a42274bebe11f47fae

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
74KB

MD5
6661e828ec54dc2c2ffb74656c60159c

SHA1
03641384f3ad88d58fa25eb740fa0426eef6db7d

SHA256
f7324dbea7e8910865fc9bf07e84f1a13c305b64d507d6be56d83a35ef667b7a

SHA512
3e7f893924d80185304a51d707b08335ce0aada6f29efd892b572f587bae859b7ed4e008705839c2a660bb1c4f299fa2fd3ac80487ffdcd5bcc4a4c4db1aefad

Download Submit
C:\Windows\SysWOW64\Jjmoilnn.dll

Filesize
7KB

MD5
083d738fd0daa50495274f2e4b80d3e8

SHA1
f4828270e8498aadcc2c8673e51dd5f95bc3903a

SHA256
401eb6ce777dc4f24011deb8ecab5327bd79ee1f6bba362d98b641da219657d3

SHA512
ba1fbe4891da833730e3b20ad6670e5c4e6d9e0d4beb6d5c73c21586be3bfaf5c4c4d8f942eb966a06d77cfc0aa55a6fb19c1c9ae79d62d45cf2632c8a2cfe6d

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
74KB

MD5
56b40993bdcd080500b2da03a6256ffc

SHA1
7a39a30a3cd5497af8a8c2d2333d5aafb6f4bd52

SHA256
712ea33415e12650620d6b3e43118a4cb9764c104d30791b243dc5eafed31216

SHA512
920246601268ce165fc79fdd6425364c3ca2fd1351dd363a42810d555651bd75e2fa5a65b4087ec2e213c6476eebc8906f43c4adf58bfd82cd00b7fe493043b7

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
74KB

MD5
070eaed96759150ad012658f17f592d8

SHA1
99e277d9dac6bfc9c1c749a0a981cc5eff06be93

SHA256
b68d07a7ac7d8cc46e6cc34099fc714770e811ca282588ad860f850b98ed51e0

SHA512
ed39bcba75ce8283697e868f1332d89bd70f825f43cb8c9b6f3e6c27c020812c32aaea8a27c387172466e6b04dc16e4d547ab36a98eae00f63dc4ffb311fa54b

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
74KB

MD5
22d202e75887695d2995b76d370e17c9

SHA1
3a1379f22f515434794cddf005f44bb45ac6dcac

SHA256
6841878febb9f97df209fb5c1c96bd8d2f944489fbfa1dcd80e47bbee534a38a

SHA512
363f7dedcbcf81f5ed43377e49366dec877aca612e9dbcf9d7e59ffa97e48475340caaacc0721ef8b3f44ce4167855bae334dca06a479d1dc096d1fcf88facaa

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
74KB

MD5
7a240ee1bbf8048637d37a33096cd0e4

SHA1
6774846da59ecc27f050094d72be711f9faf3b49

SHA256
33e4221760ccd5fced2fd3c1cc2a904b2b943b0de9e745da659451ba3cfe667d

SHA512
adface5efe879ab198fc21e9277c04965bfdb28d819fc01da98b85284bfeb356095b809184c96a1ec8b4bf1af2090091a9e21a44b05d4a054b4a333aceaceb57

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
74KB

MD5
21bb70a21928a3abc2b499f968794cde

SHA1
bac045170a8c33992efa94f922fcf8e3bd57d418

SHA256
d37db1147db79ab76947a53178fa09887c39678918a1b62d25c1429dbcf64d85

SHA512
6e813a6ed0a7cc4b489245cf757487eebd8e3067b98183d226cecd24fb09d083045cd19368a0bb89ccf26bfc99466fe109830d4e2e90a16a069089f2c2cbe0d2

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
74KB

MD5
ed7237c7cb05c238a94a3c8989798a9a

SHA1
38bd75449947fd8efd050a615b0eef2139efc168

SHA256
91cd09b97dceec994162f910db3cad5409724430d57eb63837b2d74eb549478a

SHA512
25e6456773c20fe94121565ce4e4a745aa9bd6c0a19ce9ae7f0683fa58388ff6cb10d1a9421eae58cb6b29b10ed1e67f4910fbb2a26053bb5cfecfa8122a01ea

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
74KB

MD5
d59c73c3385f971881b636bcbaa8b9ef

SHA1
d2854cf2f08fba9d922bfb79cb30be8611437b1b

SHA256
ba3728e9d75c846539c23124ff82a738326092e2e5c06616086716d2b5e5f5b3

SHA512
92bf64a76cd9272d2bc2bce6dab1757f00dced457d3b9ce83038b76f279fd4cde80ba429fe654575f6c0820bab21c334b9555c67c22d27edf6439bf0fcb19338

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
74KB

MD5
76a586bf084b99fba6866ff59c70353b

SHA1
92a3051251dfb6e025b78ecc2523a05c0117d6ea

SHA256
32bf94fed34e42450d5d763ecf43bbd26aacfc10369918c9623b530298dccda7

SHA512
4e88aae1e6f85b97f0e53ad633df7f8463ae2813853762a258f6f41a620e26c2da7a2fd20531e43b7fb4b9f4837ee0bcd12069b862d2d26d460945e000e096e1

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
74KB

MD5
049aad94b042561bd961040608631c8c

SHA1
bd0b1b17d8e6d3ef7263e6e037970cbf374d86ea

SHA256
8db39016198fa6a888bd69f8c7a3c34a8cc64d0b96f69a15edd54b560befab9c

SHA512
018e8af11dc599ba0cf8b7d0f92be897641e9204407656fc543ba8c947ac7abb62080f408bed21335cb7c73fa510f7445c5d36f2006e7d6c0fabd593c8c40a0a

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
74KB

MD5
0635d2d01a221530f5037e08f19185a8

SHA1
f532c585af5a78f2ac8ddc6c91c0e7f7f15bca62

SHA256
a464c681bee77a5fa1d7453019a3e4489fe07780ca874dd3c67bb95467038314

SHA512
2fbf6f55dcb97639f96574753d6f67f95406c4ff00db9c6e89272bb61c63562a67da941140878aa93741642dcecb80ffa68e24a6a2822e441c39aa0930b7a5f8

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
74KB

MD5
5c64742bda162aa0fcfed428e852793f

SHA1
54b813132bb8dc93df7ff1760a08708f2489333d

SHA256
533c10129ab218431da94326d9ebae304816062eb2fba9193e6441f9c7d18c9f

SHA512
9736a41539edf484f76b05940209321ebd04d86776690b45f23672f4f152cc11a731f0fa1425a1d4039b88184b60c3385cd92e9c8f0f08f227f54142bb81350b

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
74KB

MD5
ec4813ece641f2cdea393cfa80e3bbaf

SHA1
d228085c114f491950080e666b4d3f143a7c3745

SHA256
82f879cbdc9e2306376f42420897a24dd082caf01f5e8bd792bdf17db090bc23

SHA512
b355cfb4667b231007483fd702de19327101204f435db48371bb422f028b901e7f2a4348602216d9f51fae1070c7dc47788722493951d0ba31e4314272ca6c9c

Download Submit
\Windows\SysWOW64\Poapfn32.exe

Filesize
74KB

MD5
d5a87eb76603ca630b23b39f4c63c97d

SHA1
0dbab2e0323aaac5f2cc6d37ed57c3ad274cde45

SHA256
df0dfd46795ddf53b58988839a0dcc635146e723999b062eef896fb12194ef14

SHA512
a4a80f59975b5d7db6e55168a29eff56187118a5e9c60dcf81623dd2e48d4468b50af1d512cff1dd7abf3e5e49fb62b4459391cfe044443f244f42133d096f6e

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
74KB

MD5
4ce9b440bb7aeb7746bb4567d1409755

SHA1
c9b57cea5204dbbd8527c760150dabc60f8f2903

SHA256
4fa57ca01669f1fdc100c171578bda30716aa9761e60c2e44c00acae1b364e1e

SHA512
23c83b6c5ba59261b9b2f0739b6552b60556966143dc171856b6824224fad188a952e893ccb3cfb4dc9eda4ef5838d485d2a2ae3e332c12ecbf2aec5db4a2f2c

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
74KB

MD5
82f13d52d2257f506fcc865394d456c8

SHA1
4f6555fa83ce7d8150bb48240e0ea0e5630b767f

SHA256
78061223cecb550fa5c4096bfc043868605ffb4284170200196c9606f80e2ea5

SHA512
28545c4d08b3a8ae2070ecfcc3e49d4939e7cac5feb34fa157b99870db810635ce014f7ff65d700969f1e7e663c9c5949675351182ad52b135edfdf358453161

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
74KB

MD5
8d774a38f9af042c2c1fcea10b753e3e

SHA1
43462a349ddbcfadf030a8fe34311ccc9c4d3942

SHA256
18048286d5debbdf5d1f4bf5c893b1874766669f3a402fd67b3033e096dc52e0

SHA512
62720b3d6dfb3c3c0597039abc7df70dac9e0fb583ecd1783cf5a10b95f11ec91927d1ce9f594bdcc3087916d5ec03dcc6a73391096fc5467a078fe3efd4d865

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
74KB

MD5
2006b1eb437c6368bc4d48a94a32ce11

SHA1
6faea099a61ff0cbfe438eb8a8ccca59a4e94362

SHA256
6f5665e4d037398ea26940cfcc277115530428bdcaba6d926cee2a09e6918909

SHA512
f046ad202f3c7853c57e2a3547e06fe705d008e6885ecd1f5b73c5f45a518f19a551b74fdab2fb0dec9414ea64144169f0b966ffcf8f38fdd1a5d0b9861c152e

Download Submit
\Windows\SysWOW64\Qngmgjeb.exe

Filesize
74KB

MD5
f5ec3a5383abeebf1281a3fa51782629

SHA1
5051b52025a08d8a532637758d23cfa8b67bf4a8

SHA256
7c1cbd28026ddd7011a65caf3be5d38d5c496c2b0d5cde8944061aac3e092b4a

SHA512
ba779fb0651430dccb892fa67874723743ab7c6997170bafa951bcabc84ed9d77e8388d8c3e2940bc585b7e6ac1e1cd856346876d093fb9bebf0e3cdd9bc23d2

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
74KB

MD5
7c21ddd4f0fc53833364e70a2794ff60

SHA1
8bf611dab080cbfd82edc369984897d35779b344

SHA256
9f39bda1b6199e5cc7ea6b7b0809f268238b35edaddf2528d432babf9770e7b0

SHA512
7d4c757a07be1fb1889497ceb63eaea34ba47118e0aab624e255e2112108ae26b2024ab4efd801beb3ec8eebdfb334daf33015312719c8742d0a5bec20044266

Download Submit
memory/448-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/476-416-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/476-79-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/608-170-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/848-408-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/944-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/944-89-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/944-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/944-94-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/988-384-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-298-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1040-297-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1044-223-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1044-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1048-287-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1048-277-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1048-283-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1248-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1248-143-0x00000000004A0000-0x00000000004D7000-memory.dmp

Filesize
220KB

Download
memory/1248-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1300-444-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1300-454-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1464-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1464-242-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1496-378-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1496-377-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1496-366-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1620-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1620-255-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/1856-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1856-262-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1972-421-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1972-431-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2012-491-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2012-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2012-495-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2040-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2040-62-0x0000000001F50000-0x0000000001F87000-memory.dmp

Filesize
220KB

Download
memory/2040-409-0x0000000001F50000-0x0000000001F87000-memory.dmp

Filesize
220KB

Download
memory/2040-399-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2068-443-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2068-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-437-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2132-432-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2148-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-365-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2216-364-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2216-355-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-475-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-395-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2304-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2304-319-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2304-320-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2384-275-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2384-276-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2384-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2420-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2420-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2420-115-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2472-474-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2472-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2492-189-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2492-197-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2564-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-305-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/2564-309-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/2628-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-373-0x00000000005D0000-0x0000000000607000-memory.dmp

Filesize
220KB

Download
memory/2628-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-344-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-353-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2672-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2672-122-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-159-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2704-155-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2716-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2716-52-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/2716-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-331-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2740-330-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2740-321-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2768-341-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/2768-343-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/2768-332-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2784-420-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2784-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-342-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-12-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2884-13-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/3020-354-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3032-453-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads