cc6c28e58065ebaf3fefedc36c5f2203966d68860cea7e4b1721f7f33fb830a5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e01bf9a0250d198ec354d0a2c33bc240N.exe
Size

96KB
MD5

e01bf9a0250d198ec354d0a2c33bc240
SHA1

ef209fb65b44baa7f5571a3208d5755b21775221
SHA256

cc6c28e58065ebaf3fefedc36c5f2203966d68860cea7e4b1721f7f33fb830a5
SHA512

54ef13724f036d27ffc2ea71366c2649d932d105a8ce43f709865b12ffe9c1c04a0539e81bf4701a9b017cc5a9de3a8391980c844831387c5dcb5e10894cbc5b
SSDEEP

1536:1nxIi3+ZOVoq1a2IIeMJdrn3Q42Lrj7RZObZUUWaegPYA:BxIioq1sM7n3QJrjClUUWae

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e01bf9a0250d198ec354d0a2c33bc240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e01bf9a0250d198ec354d0a2c33bc240N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe

Executes dropped EXE 29 IoCs

pid	Process
2692	Pfgngh32.exe
2840	Pmagdbci.exe
2588	Pdlkiepd.exe
3032	Pkfceo32.exe
780	Qbplbi32.exe
1036	Qijdocfj.exe
2104	Qodlkm32.exe
2152	Qbbhgi32.exe
1972	Qeaedd32.exe
1648	Acfaeq32.exe
1864	Anlfbi32.exe
2932	Agdjkogm.exe
2368	Aaloddnn.exe
2296	Aigchgkh.exe
2440	Ajgpbj32.exe
1288	Afnagk32.exe
1144	Bilmcf32.exe
1528	Bpfeppop.exe
2136	Becnhgmg.exe
636	Bhajdblk.exe
2552	Bajomhbl.exe
400	Biafnecn.exe
1996	Bbikgk32.exe
1748	Bjdplm32.exe
2792	Bejdiffp.exe
2724	Bmeimhdj.exe
2596	Cdoajb32.exe
2908	Cmgechbh.exe
2608	Cacacg32.exe

Loads dropped DLL 62 IoCs

pid	Process
2824	e01bf9a0250d198ec354d0a2c33bc240N.exe
2824	e01bf9a0250d198ec354d0a2c33bc240N.exe
2692	Pfgngh32.exe
2692	Pfgngh32.exe
2840	Pmagdbci.exe
2840	Pmagdbci.exe
2588	Pdlkiepd.exe
2588	Pdlkiepd.exe
3032	Pkfceo32.exe
3032	Pkfceo32.exe
780	Qbplbi32.exe
780	Qbplbi32.exe
1036	Qijdocfj.exe
1036	Qijdocfj.exe
2104	Qodlkm32.exe
2104	Qodlkm32.exe
2152	Qbbhgi32.exe
2152	Qbbhgi32.exe
1972	Qeaedd32.exe
1972	Qeaedd32.exe
1648	Acfaeq32.exe
1648	Acfaeq32.exe
1864	Anlfbi32.exe
1864	Anlfbi32.exe
2932	Agdjkogm.exe
2932	Agdjkogm.exe
2368	Aaloddnn.exe
2368	Aaloddnn.exe
2296	Aigchgkh.exe
2296	Aigchgkh.exe
2440	Ajgpbj32.exe
2440	Ajgpbj32.exe
1288	Afnagk32.exe
1288	Afnagk32.exe
1144	Bilmcf32.exe
1144	Bilmcf32.exe
1528	Bpfeppop.exe
1528	Bpfeppop.exe
2136	Becnhgmg.exe
2136	Becnhgmg.exe
636	Bhajdblk.exe
636	Bhajdblk.exe
2552	Bajomhbl.exe
2552	Bajomhbl.exe
400	Biafnecn.exe
400	Biafnecn.exe
1996	Bbikgk32.exe
1996	Bbikgk32.exe
1748	Bjdplm32.exe
1748	Bjdplm32.exe
2792	Bejdiffp.exe
2792	Bejdiffp.exe
2724	Bmeimhdj.exe
2724	Bmeimhdj.exe
2596	Cdoajb32.exe
2596	Cdoajb32.exe
2908	Cmgechbh.exe
2908	Cmgechbh.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	e01bf9a0250d198ec354d0a2c33bc240N.exe
File created	C:\Windows\SysWOW64\Pmagdbci.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2608	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e01bf9a0250d198ec354d0a2c33bc240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	e01bf9a0250d198ec354d0a2c33bc240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e01bf9a0250d198ec354d0a2c33bc240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e01bf9a0250d198ec354d0a2c33bc240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e01bf9a0250d198ec354d0a2c33bc240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qbbhgi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2692	2824	e01bf9a0250d198ec354d0a2c33bc240N.exe	30
PID 2824 wrote to memory of 2692	2824	e01bf9a0250d198ec354d0a2c33bc240N.exe	30
PID 2824 wrote to memory of 2692	2824	e01bf9a0250d198ec354d0a2c33bc240N.exe	30
PID 2824 wrote to memory of 2692	2824	e01bf9a0250d198ec354d0a2c33bc240N.exe	30
PID 2692 wrote to memory of 2840	2692	Pfgngh32.exe	31
PID 2692 wrote to memory of 2840	2692	Pfgngh32.exe	31
PID 2692 wrote to memory of 2840	2692	Pfgngh32.exe	31
PID 2692 wrote to memory of 2840	2692	Pfgngh32.exe	31
PID 2840 wrote to memory of 2588	2840	Pmagdbci.exe	32
PID 2840 wrote to memory of 2588	2840	Pmagdbci.exe	32
PID 2840 wrote to memory of 2588	2840	Pmagdbci.exe	32
PID 2840 wrote to memory of 2588	2840	Pmagdbci.exe	32
PID 2588 wrote to memory of 3032	2588	Pdlkiepd.exe	33
PID 2588 wrote to memory of 3032	2588	Pdlkiepd.exe	33
PID 2588 wrote to memory of 3032	2588	Pdlkiepd.exe	33
PID 2588 wrote to memory of 3032	2588	Pdlkiepd.exe	33
PID 3032 wrote to memory of 780	3032	Pkfceo32.exe	34
PID 3032 wrote to memory of 780	3032	Pkfceo32.exe	34
PID 3032 wrote to memory of 780	3032	Pkfceo32.exe	34
PID 3032 wrote to memory of 780	3032	Pkfceo32.exe	34
PID 780 wrote to memory of 1036	780	Qbplbi32.exe	35
PID 780 wrote to memory of 1036	780	Qbplbi32.exe	35
PID 780 wrote to memory of 1036	780	Qbplbi32.exe	35
PID 780 wrote to memory of 1036	780	Qbplbi32.exe	35
PID 1036 wrote to memory of 2104	1036	Qijdocfj.exe	36
PID 1036 wrote to memory of 2104	1036	Qijdocfj.exe	36
PID 1036 wrote to memory of 2104	1036	Qijdocfj.exe	36
PID 1036 wrote to memory of 2104	1036	Qijdocfj.exe	36
PID 2104 wrote to memory of 2152	2104	Qodlkm32.exe	37
PID 2104 wrote to memory of 2152	2104	Qodlkm32.exe	37
PID 2104 wrote to memory of 2152	2104	Qodlkm32.exe	37
PID 2104 wrote to memory of 2152	2104	Qodlkm32.exe	37
PID 2152 wrote to memory of 1972	2152	Qbbhgi32.exe	38
PID 2152 wrote to memory of 1972	2152	Qbbhgi32.exe	38
PID 2152 wrote to memory of 1972	2152	Qbbhgi32.exe	38
PID 2152 wrote to memory of 1972	2152	Qbbhgi32.exe	38
PID 1972 wrote to memory of 1648	1972	Qeaedd32.exe	39
PID 1972 wrote to memory of 1648	1972	Qeaedd32.exe	39
PID 1972 wrote to memory of 1648	1972	Qeaedd32.exe	39
PID 1972 wrote to memory of 1648	1972	Qeaedd32.exe	39
PID 1648 wrote to memory of 1864	1648	Acfaeq32.exe	40
PID 1648 wrote to memory of 1864	1648	Acfaeq32.exe	40
PID 1648 wrote to memory of 1864	1648	Acfaeq32.exe	40
PID 1648 wrote to memory of 1864	1648	Acfaeq32.exe	40
PID 1864 wrote to memory of 2932	1864	Anlfbi32.exe	41
PID 1864 wrote to memory of 2932	1864	Anlfbi32.exe	41
PID 1864 wrote to memory of 2932	1864	Anlfbi32.exe	41
PID 1864 wrote to memory of 2932	1864	Anlfbi32.exe	41
PID 2932 wrote to memory of 2368	2932	Agdjkogm.exe	42
PID 2932 wrote to memory of 2368	2932	Agdjkogm.exe	42
PID 2932 wrote to memory of 2368	2932	Agdjkogm.exe	42
PID 2932 wrote to memory of 2368	2932	Agdjkogm.exe	42
PID 2368 wrote to memory of 2296	2368	Aaloddnn.exe	43
PID 2368 wrote to memory of 2296	2368	Aaloddnn.exe	43
PID 2368 wrote to memory of 2296	2368	Aaloddnn.exe	43
PID 2368 wrote to memory of 2296	2368	Aaloddnn.exe	43
PID 2296 wrote to memory of 2440	2296	Aigchgkh.exe	44
PID 2296 wrote to memory of 2440	2296	Aigchgkh.exe	44
PID 2296 wrote to memory of 2440	2296	Aigchgkh.exe	44
PID 2296 wrote to memory of 2440	2296	Aigchgkh.exe	44
PID 2440 wrote to memory of 1288	2440	Ajgpbj32.exe	45
PID 2440 wrote to memory of 1288	2440	Ajgpbj32.exe	45
PID 2440 wrote to memory of 1288	2440	Ajgpbj32.exe	45
PID 2440 wrote to memory of 1288	2440	Ajgpbj32.exe	45

C:\Users\Admin\AppData\Local\Temp\e01bf9a0250d198ec354d0a2c33bc240N.exe
"C:\Users\Admin\AppData\Local\Temp\e01bf9a0250d198ec354d0a2c33bc240N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Pfgngh32.exe
  C:\Windows\system32\Pfgngh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Pmagdbci.exe
    C:\Windows\system32\Pmagdbci.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Pdlkiepd.exe
      C:\Windows\system32\Pdlkiepd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
96KB

MD5
d52b44a0c54ce1a90acc99d53feb5457

SHA1
f39fbadd0bd7b821f44dc5b28c0995b949087ef5

SHA256
42120b95597f770a0ad3775b7491a5a923d36d72a0b15bb9cfbab17a9605f5d3

SHA512
7e038df700c2496802681867a46d7c3f6e0e4395bea87f96709034bef9382a3f66d82371c28e63caafebcf9c2280106fdb49a7f723d2bbc82629b0fc67ec2b95

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
7d7f8e9dbfe6e475772886e7c2d15ff6

SHA1
9f03f824b3e3d07896c8d2dbe78e0181b5758600

SHA256
7feba3e10aba29f6945b7a39e7b6a0a736373a3d81f43e1486fe41f06bb73066

SHA512
7a316d75eb0af35456bde0b8bfaab3ad128109a9c687ba63562c12d6ffd087fc8fdc53ccb32eedb3f55427bdb6f518a574b74ce35634e462abd967d271c94cbf

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
96KB

MD5
706d3aba3576550f48176c829113c585

SHA1
d4fa9e1f09a9d1592e90d7053dd7572157966aaa

SHA256
afb82139b1f768089ac851f0f52c920fece4975505605e8e2fecc13801be4356

SHA512
9bf6cc408b5d7c640d2a9ea3315ab28aab9e9a105e5cf022f7c20243ac1511c65fe1940d08d5590c338707896434d06d2d9d4efdc3ac41747365e106ef1628b8

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
96KB

MD5
ee2a944fdb27743871d5cdad447e7fae

SHA1
b6b6d8200c0446350861750d8593498bf43e0a6d

SHA256
e4a6eec274d25692f2877300686f0a299eb63ee0d7740f4798b924faf5a4ff9f

SHA512
80e9b3cf75b0b6c7030ca81438dff6a308aeff7780627d474da3eea5f60ffb4dbfc1b4342f1616a9dca01933cd510ed41388a9bb9c3e52c6de403cf8430049a4

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
9231adf16429c48beb790538d97c77f1

SHA1
c255e9e480ff46a1ff9fd79fc951e86b4138804c

SHA256
2842daa2ce14cde4978e0fa72aa0fbbd7a940a37e98d0a9a92debab70860479c

SHA512
5faa7673f8ea44e9dd25ee6f6d97db324040ecc2a9db604973f380711bbb4eae6cdad298b6059565e2d33e4c4543bc355cb5fe5f29aa9b83cb9f3de2000cbdb8

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
96KB

MD5
889edfcffe2dc3856790b56ec2a2970c

SHA1
4852f33b984c83d35ba54b09675ff73bbb19edbe

SHA256
77613f0d3897f0dcd5f81cf787fb702df6f605d072e07116a09a06f2dbfba34f

SHA512
76dfcbacb1d252cd25510532a9b14a7c6b69d42678ed357003b17df1eeb821d341df05c5c678691674b02b65b586748a1817662c4113e0593898b88704a5a5dc

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
96KB

MD5
b06c0ab586f663f37c48a676734d1e2e

SHA1
2aafa8e4300d853580a20c49805747a0c331f314

SHA256
6dda42c5d2bbdd732d93efb9bf2c9d04513e0e7441b55c622e446c0d26c570e2

SHA512
6a7b2c4edcb3aec136f4cbfb2d391573dc7e21d57d2fdded5e502c986fee63a2824f8719c99379ce56e6da7e622f5b4eada2838bb766ed597e99f14eb6e83cd5

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
c3cb2e596aed726216745f3e16959a06

SHA1
b4e51bc7b952ed9feb9e3f5eac7cad84c7f4f700

SHA256
ccd6300be4186dc67d9910489721ea00f54e53ee4560badf8d4b32e64a9c8f87

SHA512
4e979c67121d8b8cbc5446d39ef7de142683ed51ebd34b70e6e7bc522096358b4ba76e113904ec5405cecd0478f546dbc6274a3d0a0102a7bb491b27fce46690

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
01bcd2e7b6423010be12560148940b50

SHA1
622e9be3fa8fbabebe5094513540b1a20fc049d9

SHA256
338c4d6274695fbea52854b8cd7c7d6c6b04b4ba48baf44aa0ee2fb0ca6ae625

SHA512
729996099c73c7d84f09260ef9de670a7d038677bdc6282d12e3d9b1843bc0fce717e6121237911bf9af8359732d9109cc1fd601216a5ef3b562faa3715f80ce

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
96KB

MD5
60daa23223db328b4da639859462bff0

SHA1
dc51a116d94ff063ad5c6cc4cc62deb722b46257

SHA256
fa914ddd7008e4d8b05ac2a77ccb02d9b0268d559ac477c5875161a3ffdbb5a1

SHA512
fa48df7224fe7d19c2697a5cbc535a9d426fe6553721150bc0e0988c10f1dbf7d46366f848aceee90bcbf7b9897c2e9adf5ee3463d0d3be469f542bb88429caa

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
975fca25afd7c94388c870e809458faf

SHA1
7edf7f2817ef328a5cc98e7c0f4f85e0fa12231d

SHA256
4aeebe45bc88e8414cc4f3beb78fca21292b1b67060d397147a706f90b2416d3

SHA512
8475783d527a157cef69a8dc1c3f5236a64544f09610c2b016ec0493b065e1838e867349d744caac8e42668db3c79f7545b6c1471c7dcf66f546358ea16a3949

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
964c0d3d08ec05de5df045e1fd3c2b15

SHA1
86b91bee3c10b4e674934fdf670388f6f44b2fda

SHA256
2e98f4e5bc6b41d31ed06cfa96fb8f2415e5ee823d1a892ca76583ceb8709d89

SHA512
68e98711b2b732aa81eb9b5f7c5bafef826360ef3ef5e77ea141aa6f2d993a1c8e1f6f16ec4d1cfe7d90726382243cd3db3f2509b01d9b371baf427e1b9d061c

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
96KB

MD5
bcd58fde6468c517684cf4b194df4678

SHA1
dbc1beec0341c203c67409ec8690dd6b7add4e02

SHA256
4241ad8c5110a889cfcd98c52685790f091ed5f2911b86ac89bc2981c8abc18f

SHA512
0eef294e72a04fc7651509d261587d8182328263e64f2908836ca8dc2ee7a8148472a08905684640bd469607a9a7ac23bebc16b892435a3115c2196d18a6e0ef

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
96KB

MD5
d6a3a5ad2e673fafce201d44f924909c

SHA1
cd071da90f1e2c8f822ae4fef0ac4825f0d71829

SHA256
88a1a8049df33dca39a56bf2fa61d770389ebb91818b816f88341145a01ee2b9

SHA512
860510ca00caae7b2f7224b542990ed4c427af88d153550c246f03f3e9df01a30456226c20f9c913afacff64a0fa2dd953217435bfec2da509aff2fbf4f076d6

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
96KB

MD5
32586b5554203fff7d4c6f002651c679

SHA1
a2beea8b16f12f277a5f7162c43253be85a97cf1

SHA256
bea66f31401ab7501bdd29495a34e2debcf7cb94813836e1c32b23fdd3703ce7

SHA512
22b8f1e4f98d822016a0c82a1cf42161eb6090c173b668800a4c76dcb30f0a426bcd147b0daeec5d4f3574e5e186a326718c48078c59b3176e27ae5386f1c987

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
96KB

MD5
97c7ffec5b6198105f08e432ebbd6ca9

SHA1
7d117766188dcb1a0494af8dcf440f764c658e81

SHA256
479515ba99e64799fccdad6df20401c8cee899d0a0408418d2a275efcefaf574

SHA512
d8212d8640ebca0fbba6944a2f877f44e172d48af2044455a1ba11e2136c6e01e88315b622976dab1ac0478c01813fa352b0543765b2e1306b294357de501e2d

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
96KB

MD5
c464fb65076df4a23a50e6ed601924a8

SHA1
b5eb06b06cd5bf2dec3dd6932de45a8b9f950227

SHA256
213ec7973b6d79ab9335603e8a08e8a57858451af808831a537bf88832d21627

SHA512
f09dc94a994fcf701c77dce8c58218ebdf71bfb62e8a3ede4946c23cff15900d7fa5174330d2dafc82befebdb53d2fe3a9426bc8176c93b1257a6aa8c8479055

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
96KB

MD5
15eb159c0b30d1fa4cd6f89bfaa4992b

SHA1
1c2d1089644b23d7139f608dfb84db8f3f9455d0

SHA256
020877f50c47b0c0056749d56d1de91681fe846d2c556f6ff5aa4b6f535ac741

SHA512
bf17300ef7f943cb630b9f214cc4e9b0545c549066e02b129106963216fcbd91fde652677c6d2cbdb454d826c1da60e7ea8bad8cd79e931629763544865ae6f5

Download Submit
\Windows\SysWOW64\Acfaeq32.exe

Filesize
96KB

MD5
35768607bacce2a3ce33962be2beca11

SHA1
be45d5a08074aeecac3bc1b49b03da545af032f0

SHA256
615c21e67b7c25dfd13913a7edb020b9b481ce64c49c1ba0bd18afba79951b3f

SHA512
f27872376270628f36baaf44cd5d576ac3ed6b477a833ff6f42cf1519f8a8b5fd94c363adaa39c025b1ded97d7b14a7add3680487e87bbbea319b7c90ba50b56

Download Submit
\Windows\SysWOW64\Afnagk32.exe

Filesize
96KB

MD5
ec5bf124ab7428575c0514893add5b2b

SHA1
6dbc2144a58518f5b6b9b39bbba2c4220aa34461

SHA256
8a03de39ea48207705fcc8f47db21d62ac015e9d0c1d342dc23cc46ce0a76e3d

SHA512
8a11529c407467e831fec7fd8c773db444ee5b0b327b1cfc2dd33c0e31676a84c31e508427cc8864f7988e6df76e2bf355b6316e0ff3846cca0598f91c97fea9

Download Submit
\Windows\SysWOW64\Agdjkogm.exe

Filesize
96KB

MD5
570a613cdba565da8d2e86f7032c53cb

SHA1
9ceb3d5eb8c8bb569e621542faa590b7d0138b09

SHA256
22c1cfa6bc7c2847dc77266bb03c0182c2b6f20e9b4df9379fbe547954021fe5

SHA512
1f45c5c0ae10fdbe7bcb7946618f2bfcad2a521c7ec2f98e417e29a1311c069ae1eb950dbe265429cf15911fe5afc82912ea93b4b4a616051284e827589a5720

Download Submit
\Windows\SysWOW64\Aigchgkh.exe

Filesize
96KB

MD5
79203c9b9afa3af699ebbfddc92bdc6f

SHA1
179c125fdc23a598f8eda0e354e9ef532ad08f0a

SHA256
06f28326ce06ed1efb7f204b3524ddf97c9f131be0477402d131bbe44b4fcde1

SHA512
740e8f55ac5362eee14d1176dfb4d36c42a7a8b84896db7efa5fe0e1060b5f65ccf02d5dd6e101a4a6ec1c8ee73b7aaa15025df56a4f3929ed84f55ef2b4206c

Download Submit
\Windows\SysWOW64\Ajgpbj32.exe

Filesize
96KB

MD5
1acad2757ebb084d6cef985fb691010d

SHA1
2377d3b312ae932a399a0772561a17b91e9aaaf3

SHA256
f203b246aebd6732e1c48fa7becbe418211d048ee325805a713e943d3e41eb8a

SHA512
e7bee1f7962b3ab535eacd9b7dcfba06f1fdd74b244f398fe5cdf656504073eeb485fb26cb047edcf5508f5060afc69d312137f77f4c0bbf88d9119a30898e1a

Download Submit
\Windows\SysWOW64\Anlfbi32.exe

Filesize
96KB

MD5
bd7639d5b51bac26c7b7d36b7b53b3b1

SHA1
ebfed103c62a579dc8bdf89bd5ce0419e8e15fa7

SHA256
a2659a2b1734500ad182d91491f29d65082c9aa6253179c49e8b390c846c2747

SHA512
2dece28b8b6dbca4769d539e349e4ac62eef44f0d1f646ea09e1fb1ac55642ff647aba9602ecce489d85ea88c676732633b5993882f476c8f18375579486d9e6

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
96KB

MD5
4d9a833b731a0a6c082d1f471fbd7adf

SHA1
f17774c447bf1209e83518d7c69f74d85d895eda

SHA256
d17fd98b8c27708be9dc8f2fb37fcf645d241c3a60d4d1e9c6dbfbf5ecc9665a

SHA512
09a97ac37386fce8d01e96e56e00e497a5fd06cbadadd97ab715bacf7e96efc59bd3b50f066879c4af4658931ab6d6705581de26c003910a655db2f5951c2c04

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
96KB

MD5
66605a5394790cd3b941126a72a1fd68

SHA1
e2a7dba3a382fcbf803ed7c8da41b1e5f0131313

SHA256
68165c1ab7d338138830b01b68ae40f6f9be6175e978330b240187db7d677796

SHA512
a4115b4b1d2f701771ea1e635bebe38a725aa31332974b68f3e8ed8554be60ef1e85b6f26f6f6a3b7ce7365249b06f5032abe40bf31259518ec4d24af5b4e018

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
96KB

MD5
aca878a3a3768f1b5303254a9955be29

SHA1
fbf8e04ae61bba10a1e287fb351a8aa1156fe164

SHA256
793ed19df12e06f72283af1a4248d6c6700d3b3cc6594438b83825c58c96e361

SHA512
f78bdbd3a33e475d45d14a12c49f4ded7b5ffcd4ada6e453ae8d62f7fcd0a11f2ae7e99f2d8b14044415ca918c99f1da0bb81c111c38af8cc165fd1bc8254185

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
96KB

MD5
fb56a665fc0852c0631017d62b690b51

SHA1
41aa6c0c7c253dcad29271a395b36eaf96ffc27f

SHA256
82fca8ebad1d1e7b4b521c1d56218fbfa2703649a94b1c9d54290e7d54275222

SHA512
1b53f3df4ccc670285870c1445bb45b5c5f3d047ab211fdf707c46e5be72f5ccaefe8f959c4d291192f18507acd72a457c65f4f5b4c6387f7b98e2c6391d81e2

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
96KB

MD5
5858220dd39f4e036bed044fcbf11af2

SHA1
735fe9fd7e6add279669fb9e01e012088d484d0b

SHA256
82f554d8d5aea0548f89da190fb384ff3e4f76ed8ba181ec8d055f77f24f74cd

SHA512
1d239f1f0a357412015a2e551fd23a413dee742150a253c819bc909e0de3f61aefab5f3c98656f6e2fdc9b61bbbfe0d958d7348617f720a4ecc48af73dadbbaa

Download Submit
memory/400-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-281-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/400-280-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/636-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-76-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/780-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-232-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1288-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-243-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1528-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1528-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-303-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1748-302-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1748-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-130-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1996-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-297-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1996-288-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1996-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-120-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2152-412-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2152-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-271-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2552-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-54-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-333-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2596-334-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2608-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-27-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2692-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-322-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2724-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-324-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2792-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-310-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2792-314-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2792-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-12-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2824-350-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2824-348-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2824-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-11-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2840-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-380-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2840-381-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2840-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-346-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2908-344-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2908-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-66-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads