bbdbcd9f4b9ae6859b8a70a7315f087ed0b9a5a0ef7ccfd6025fc418515de72f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55cc2f8a2f0d31b35edf12ff85513750N.exe
Size

91KB
MD5

55cc2f8a2f0d31b35edf12ff85513750
SHA1

f4c9d0dce5b709d966a4e116771ea9afda0bce41
SHA256

bbdbcd9f4b9ae6859b8a70a7315f087ed0b9a5a0ef7ccfd6025fc418515de72f
SHA512

0ff295b99ccd1a6a8f632c10805f9b5bc9d3dabade190d84281a2e394c1b0832f5fe4b38c8e9c27334a443c42bb80d43a0fdfb3f9c09a0e543fc7de61a8b6a86
SSDEEP

1536:jnqGHCuhpEI7w7js5PHJJ0fAyfC30kADpVXpYr/viVMi:GGic7ushHJODC30kADDZo/vOMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqeicede.exe

Executes dropped EXE 31 IoCs

pid	Process
2716	Pfgngh32.exe
2612	Poocpnbm.exe
2832	Pmccjbaf.exe
3032	Qbplbi32.exe
596	Qgmdjp32.exe
1320	Qngmgjeb.exe
2092	Qqeicede.exe
1764	Aniimjbo.exe
1312	Aecaidjl.exe
2648	Aajbne32.exe
3040	Achojp32.exe
1260	Amqccfed.exe
2120	Apoooa32.exe
2328	Afiglkle.exe
2460	Apalea32.exe
1668	Aijpnfif.exe
2236	Alhmjbhj.exe
948	Aeqabgoj.exe
908	Bmhideol.exe
2512	Bbdallnd.exe
1976	Becnhgmg.exe
1748	Blmfea32.exe
1800	Bhdgjb32.exe
2364	Bhfcpb32.exe
1608	Blaopqpo.exe
2908	Cpceidcn.exe
2844	Cdoajb32.exe
2664	Cdanpb32.exe
528	Cklfll32.exe
1652	Cmjbhh32.exe
1508	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2820	55cc2f8a2f0d31b35edf12ff85513750N.exe
2820	55cc2f8a2f0d31b35edf12ff85513750N.exe
2716	Pfgngh32.exe
2716	Pfgngh32.exe
2612	Poocpnbm.exe
2612	Poocpnbm.exe
2832	Pmccjbaf.exe
2832	Pmccjbaf.exe
3032	Qbplbi32.exe
3032	Qbplbi32.exe
596	Qgmdjp32.exe
596	Qgmdjp32.exe
1320	Qngmgjeb.exe
1320	Qngmgjeb.exe
2092	Qqeicede.exe
2092	Qqeicede.exe
1764	Aniimjbo.exe
1764	Aniimjbo.exe
1312	Aecaidjl.exe
1312	Aecaidjl.exe
2648	Aajbne32.exe
2648	Aajbne32.exe
3040	Achojp32.exe
3040	Achojp32.exe
1260	Amqccfed.exe
1260	Amqccfed.exe
2120	Apoooa32.exe
2120	Apoooa32.exe
2328	Afiglkle.exe
2328	Afiglkle.exe
2460	Apalea32.exe
2460	Apalea32.exe
1668	Aijpnfif.exe
1668	Aijpnfif.exe
2236	Alhmjbhj.exe
2236	Alhmjbhj.exe
948	Aeqabgoj.exe
948	Aeqabgoj.exe
908	Bmhideol.exe
908	Bmhideol.exe
2512	Bbdallnd.exe
2512	Bbdallnd.exe
1976	Becnhgmg.exe
1976	Becnhgmg.exe
1748	Blmfea32.exe
1748	Blmfea32.exe
1800	Bhdgjb32.exe
1800	Bhdgjb32.exe
2364	Bhfcpb32.exe
2364	Bhfcpb32.exe
1608	Blaopqpo.exe
1608	Blaopqpo.exe
2908	Cpceidcn.exe
2908	Cpceidcn.exe
2844	Cdoajb32.exe
2844	Cdoajb32.exe
2664	Cdanpb32.exe
2664	Cdanpb32.exe
528	Cklfll32.exe
528	Cklfll32.exe
1652	Cmjbhh32.exe
1652	Cmjbhh32.exe
2292	WerFault.exe
2292	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	55cc2f8a2f0d31b35edf12ff85513750N.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	55cc2f8a2f0d31b35edf12ff85513750N.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Aniimjbo.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	55cc2f8a2f0d31b35edf12ff85513750N.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qqeicede.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	1508	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55cc2f8a2f0d31b35edf12ff85513750N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	55cc2f8a2f0d31b35edf12ff85513750N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	55cc2f8a2f0d31b35edf12ff85513750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2716	2820	55cc2f8a2f0d31b35edf12ff85513750N.exe	30
PID 2820 wrote to memory of 2716	2820	55cc2f8a2f0d31b35edf12ff85513750N.exe	30
PID 2820 wrote to memory of 2716	2820	55cc2f8a2f0d31b35edf12ff85513750N.exe	30
PID 2820 wrote to memory of 2716	2820	55cc2f8a2f0d31b35edf12ff85513750N.exe	30
PID 2716 wrote to memory of 2612	2716	Pfgngh32.exe	31
PID 2716 wrote to memory of 2612	2716	Pfgngh32.exe	31
PID 2716 wrote to memory of 2612	2716	Pfgngh32.exe	31
PID 2716 wrote to memory of 2612	2716	Pfgngh32.exe	31
PID 2612 wrote to memory of 2832	2612	Poocpnbm.exe	32
PID 2612 wrote to memory of 2832	2612	Poocpnbm.exe	32
PID 2612 wrote to memory of 2832	2612	Poocpnbm.exe	32
PID 2612 wrote to memory of 2832	2612	Poocpnbm.exe	32
PID 2832 wrote to memory of 3032	2832	Pmccjbaf.exe	33
PID 2832 wrote to memory of 3032	2832	Pmccjbaf.exe	33
PID 2832 wrote to memory of 3032	2832	Pmccjbaf.exe	33
PID 2832 wrote to memory of 3032	2832	Pmccjbaf.exe	33
PID 3032 wrote to memory of 596	3032	Qbplbi32.exe	34
PID 3032 wrote to memory of 596	3032	Qbplbi32.exe	34
PID 3032 wrote to memory of 596	3032	Qbplbi32.exe	34
PID 3032 wrote to memory of 596	3032	Qbplbi32.exe	34
PID 596 wrote to memory of 1320	596	Qgmdjp32.exe	35
PID 596 wrote to memory of 1320	596	Qgmdjp32.exe	35
PID 596 wrote to memory of 1320	596	Qgmdjp32.exe	35
PID 596 wrote to memory of 1320	596	Qgmdjp32.exe	35
PID 1320 wrote to memory of 2092	1320	Qngmgjeb.exe	36
PID 1320 wrote to memory of 2092	1320	Qngmgjeb.exe	36
PID 1320 wrote to memory of 2092	1320	Qngmgjeb.exe	36
PID 1320 wrote to memory of 2092	1320	Qngmgjeb.exe	36
PID 2092 wrote to memory of 1764	2092	Qqeicede.exe	37
PID 2092 wrote to memory of 1764	2092	Qqeicede.exe	37
PID 2092 wrote to memory of 1764	2092	Qqeicede.exe	37
PID 2092 wrote to memory of 1764	2092	Qqeicede.exe	37
PID 1764 wrote to memory of 1312	1764	Aniimjbo.exe	38
PID 1764 wrote to memory of 1312	1764	Aniimjbo.exe	38
PID 1764 wrote to memory of 1312	1764	Aniimjbo.exe	38
PID 1764 wrote to memory of 1312	1764	Aniimjbo.exe	38
PID 1312 wrote to memory of 2648	1312	Aecaidjl.exe	39
PID 1312 wrote to memory of 2648	1312	Aecaidjl.exe	39
PID 1312 wrote to memory of 2648	1312	Aecaidjl.exe	39
PID 1312 wrote to memory of 2648	1312	Aecaidjl.exe	39
PID 2648 wrote to memory of 3040	2648	Aajbne32.exe	40
PID 2648 wrote to memory of 3040	2648	Aajbne32.exe	40
PID 2648 wrote to memory of 3040	2648	Aajbne32.exe	40
PID 2648 wrote to memory of 3040	2648	Aajbne32.exe	40
PID 3040 wrote to memory of 1260	3040	Achojp32.exe	41
PID 3040 wrote to memory of 1260	3040	Achojp32.exe	41
PID 3040 wrote to memory of 1260	3040	Achojp32.exe	41
PID 3040 wrote to memory of 1260	3040	Achojp32.exe	41
PID 1260 wrote to memory of 2120	1260	Amqccfed.exe	42
PID 1260 wrote to memory of 2120	1260	Amqccfed.exe	42
PID 1260 wrote to memory of 2120	1260	Amqccfed.exe	42
PID 1260 wrote to memory of 2120	1260	Amqccfed.exe	42
PID 2120 wrote to memory of 2328	2120	Apoooa32.exe	43
PID 2120 wrote to memory of 2328	2120	Apoooa32.exe	43
PID 2120 wrote to memory of 2328	2120	Apoooa32.exe	43
PID 2120 wrote to memory of 2328	2120	Apoooa32.exe	43
PID 2328 wrote to memory of 2460	2328	Afiglkle.exe	44
PID 2328 wrote to memory of 2460	2328	Afiglkle.exe	44
PID 2328 wrote to memory of 2460	2328	Afiglkle.exe	44
PID 2328 wrote to memory of 2460	2328	Afiglkle.exe	44
PID 2460 wrote to memory of 1668	2460	Apalea32.exe	45
PID 2460 wrote to memory of 1668	2460	Apalea32.exe	45
PID 2460 wrote to memory of 1668	2460	Apalea32.exe	45
PID 2460 wrote to memory of 1668	2460	Apalea32.exe	45

C:\Users\Admin\AppData\Local\Temp\55cc2f8a2f0d31b35edf12ff85513750N.exe
"C:\Users\Admin\AppData\Local\Temp\55cc2f8a2f0d31b35edf12ff85513750N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\Pfgngh32.exe
  C:\Windows\system32\Pfgngh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Poocpnbm.exe
    C:\Windows\system32\Poocpnbm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Pmccjbaf.exe
      C:\Windows\system32\Pmccjbaf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achojp32.exe

Filesize
91KB

MD5
f3b54db488f3e9c1f6b76167c8966919

SHA1
8942a3f9e68f34c88a43e48b2e4b52eb95d2edf5

SHA256
09b20d32047d947373cf6e8141c1f72984cf590bcb1df2fd0c0896fd1d4eb679

SHA512
0d0ac4947fcc14a114fb765dc7a96728e301f05f649779b4fd02cea073211db86d2146282359c04ddf139cab280da875ab29502706743d8fcaf2611c9905afac

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
91KB

MD5
a49d3f020aaf81df17f5778cc062eec6

SHA1
f8f6ab93a62af336f284f75e123d12453ce209f0

SHA256
cedb362d662b505177388f9f38c048e60c833886819b0042423734c8afde62ed

SHA512
8fefe2e4b6836f43bc849031464e09fa9563f88ff4d8c212f4185746e03ac1ba4fdceed288b3fccafb9268ad4bbdb3f28f4ecdef1c144c3afb6bc680d6fdf15e

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
91KB

MD5
280143a7595fd8233c6e2c815c1c234f

SHA1
cf0bd53e295908a5b04e5118390baeeba0b7fc21

SHA256
1ea326a38548711b853a15737eb068975e28bec2cdd61a485dbf1ec7038b55ec

SHA512
12ec5965b9821c4dc0b0c72d8f5783a0fb1af4c3eb576bec44e54b9638ab6c3f3806096ae98c08f78ae92cb249acbb2702f18a190c4a69501fbe86d97c7c1cb5

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
91KB

MD5
87720dbb0400602cc07af4aee03aaeb6

SHA1
2abd121f71a37b5202c1b88ee9e12883d84b94a0

SHA256
996fedf7a2b5c20d5407450fdd263e16b4e15ce94de0f8c0cccd3b53d47b422f

SHA512
0870c44981b63e238a120fac0218a317d33f34a721a3b8a7268e13195fc9c5fe1fdf85b703d5f5c64ed213c16eb5d5b82218d2d92db904a5b1fb8c18cf796bd9

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
91KB

MD5
db6a696f648e1ab3718fd899ebcb924e

SHA1
83feeac41980bd59ec831a8a25048d3f069d17d5

SHA256
41b8f277874a7a8a17f22ca10cb03e0c3d53fb8db5ef76f54948976643277dc2

SHA512
f4dea473eac626bb4f41b2a2698bb98c36cb8414ed3b4d2ef888024a9db8da6eede575a100353c8ef08211ffc72cbd84bd8fc220b3b5c9eba16c9142a6900f3e

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
91KB

MD5
66e30d504de5fce1a2dbf5b6c2e435b6

SHA1
a35a9e906ccec89a7330ac8b540ee6dcd41b1bc0

SHA256
e514ea191193c1123c98b181789f93d737855ed7c847dc57a333db245671619d

SHA512
ffeffae4bbda408ca274e5513e0243195498e1c9d3143387618cab7d52cdc8f8037a3cc2ccce1a484c0cf581e773400c3fe1f7f4eab01d4086025cbec4ab4998

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
91KB

MD5
9407d23ec5345f8744d4bc762682883a

SHA1
a48d93c1637330f021c968c98e29eddafce19ba3

SHA256
3ec4c9e0c4f987faf206e9fd3fd9b0958c3069aad4ffe3ecf0230e3fc421317b

SHA512
ba2d8bc8def6e0866c59135f1bdf12207082832883439fa93aaeddd152cb9b26329f277dd025ab0dc1730adf0da7a9076d1d40ff9988981d32b841c4db5b3fb6

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
91KB

MD5
599ba41a5cbaee33b0a06f9f1e229138

SHA1
e75bb1f671a850d45c69c1767069f3882651182c

SHA256
3068a3f9cb7da3452843fc98fd1a9b4343bae5662e259dd2eb0b748ebfb7a264

SHA512
cef6682b0bd7cb9ebaf24ccf7f6d9d5e5761eaf95117830f76ca1751a76ac040aa18826d258b674986a93e1c53bed9010c44a894322aa9059218a79adae7919c

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
91KB

MD5
99eec258206697fa9ca85dc9d4cbfcca

SHA1
33b1ff0aa688dd7e25d1567ad23911d16c078997

SHA256
a61d5e5aae19141ebaef1b879f737c1029c074381c9eff0b2b19f7d446477b0c

SHA512
248d9434c55414ab9fa039727846eb5ee5a929cd06f6f3e7cbd40be3b167427b90bb9a601cc732820dab797b4fcafc74316b43326ad6275b0d2f991e25d4e774

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
91KB

MD5
8c4cc3fd86fde36f468890f5085a6bd6

SHA1
a82185986f6b3adac2e7bdd4f62948723d61ce9a

SHA256
d38117b13fb7e42d69899bd16278b3301a0404a08d69b54936607f9762b8e6de

SHA512
0b387ed130b2742c336d6bd1d64356ea0a6f377a64d56492a3b338ce516697429a514cbc780bb6acd466a9fb4d96abc9546c9e212cbfed8000f2dd0da5e17220

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
91KB

MD5
bcd0cf38879056737d518cbb0b6d21aa

SHA1
d0fcdb8903e8a7b343c38308a6fd1bf86b2bb5b9

SHA256
82bbd7382eaeb37d06c64b50dd5847f8dd934c623e100e6a2f99790d1b0c00f1

SHA512
6e13d457b500fc30b220fe59474de84ff5910e8a2929252c53ef381b9b1532792d7282158ac5f0efedfcb81090b97d318ed35f6722afed38067244beeb8468c0

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
91KB

MD5
bb105109bd4d74252388f94ade27319e

SHA1
e050de19a589f3359adde360b8ed4642e1c012d0

SHA256
2834b653f67783de24293d8068d1d4878c7958bfc4589f17373aa2982219ec10

SHA512
7a5df3cc730755070e07ee8aa1539ca1eae7b87f6ce2e20e8e518f79d9bda203b9c983f038681e24ba6171dd4dab4da029a5972bdc9816eb6479c947d4b944b6

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
91KB

MD5
5b5a176a303c2121cb5086b310eb9f41

SHA1
1bb194a6f38745e958b909f2bcaa9679240f15d8

SHA256
59af4ece41091a6b45c818abc91c2d324e6c49225362bab44cc7186acf0e1bb3

SHA512
cead4124a7c3124426585bc2981ec490a7bc17e05c62afa42bf2735c1ef1650cb24ab422fd6c5e19ed888947c0137c636ccdf30e526a4d8b0444bdaa7df9c21f

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
91KB

MD5
312ffd955abe247e145bc53d402a79a8

SHA1
0702d2f808ff50f462455dd33504644351786369

SHA256
adfc266cac177e554661ea36bcde7da0271d8d4c457516751f9aa13b92acba6d

SHA512
afa3dbf873bbb867ebd3af054bd6b51accf94ccb2f0b7fbe1f3dbee4910119125466f25caf774374dc289bb2c2e2c36289b928470b64846961908a62f46b6a59

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
91KB

MD5
a7dd7cbd8b8209188a7305e38438eb86

SHA1
ce172af3dd06036ec2afd1ac14db4b7c5fd78fb3

SHA256
7d9129b7cd03dfe014d20b26d14bb9ee257848454695d77b48ea59b775f63748

SHA512
f43a8ebc5b6e45ebeee5c9acb14a11d393627882e140f9782f5498d4d7f1e2ccbe5f6a5788dfccc50020638f46dfd0c66a37f9a750045d61c7d267aa95c0586d

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
91KB

MD5
8d268862edf687f20beb93cde2a97be9

SHA1
c8cdd92c9ad616b3f4ac43fd85906361f31499cb

SHA256
6557d7212ed595cba2ba83deef38e893f7fc4892385cd1df48b3bfff2c50e388

SHA512
eea5789511250e489acf94d2a4254b665ab4f3bbe3e742c020dd24fe938d408065089bba60afc5c6cb75ce5a01ddd014df0b9b7fc2ae45b27f61b11baecbc994

Download Submit
C:\Windows\SysWOW64\Doojhgfa.dll

Filesize
7KB

MD5
bdf43ddde95c792e466730fac6051daa

SHA1
f36103a34dbc1be1bf147cb2dd30bee78e16dca9

SHA256
05da358406827cf514a03a497001e3e32fe0ffd36a88b62163cb970237f7b450

SHA512
eadc68b62dcbcda865839b4151435618be70f93fe1f0d366935485822a1013a8fa2254cf55d5e1d1d7edef696ff5d4cd9cc2ef5a0071cfa4c20984a20f7c0907

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
91KB

MD5
1d0e8bd187b560fc5841dc165df4d0f2

SHA1
c5e023f72511ea8b9a2558aac95cfe57c6098586

SHA256
056dea892159f8a826ab3d5202e8fb6735317870ce7e4cde1ee94094c400220d

SHA512
4320b8d43fd306fafe9052462cabea195e707c693c9d183befba489d48c37fcb5cecb019823a28bb83b7eb76b6e2e312bb8e2b1960f2ef0143ffd2fd28df737c

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
91KB

MD5
f57c76d12a7b8da26bf1d7d17bfee1cb

SHA1
e529f60db8e44ae75c2ac76288768c612a9ca6c7

SHA256
08a70c7a6f5dd35928d4e82f7a52b49c8ce5913e5aa2483e16d7d86518d26d62

SHA512
823241248e84485f176ad927b228e7b19a5d94c615c1e72943c821cde4dc91114cc8aa87b6f2541c9affd8056de9baafb1c23f8f4aeefe18d6c6dd86a23322f1

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
91KB

MD5
10dadd2a01e867055854f9e5d8a79879

SHA1
7c73d2d793301ee675767218d3ab2734c06e643b

SHA256
f1deac19dfd0947f42968b342c114b88f84d64daa236d9029bea39f5133340e5

SHA512
639cbabea11a3ba5730ae890ba9f75402d78ff70540a66213a924ddee260982a13f74dfd3c99743e1c74eaaf1f5a260d099690708dd80c6b6b870a54d8c3a109

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
91KB

MD5
28d9330ac29e1530188e1b744e483c39

SHA1
558b4fd954e1faf208c44d0afc3ca466fa770537

SHA256
1e39e4f7b9cd8703eeaa2e1feb701e6963dda75f054379754ae3b80eeb60dad6

SHA512
ec35090cf7f99f7a1a229b0c2518dc93df9d37fb25e05d2450da4e4e7ff760f20afaad6bf3a5e6f5ab8382d9a5d53878aa6669e1991000fb516e56b8ed5e665d

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
91KB

MD5
165c1bf07c4b1429a2f54d44874ad7e0

SHA1
d2767f41fc3134024fb49b382be2446cee0d7fb0

SHA256
336d40f81d4dbb3cee91478bffa345b448bdc0107ac62a237d21111a25ad9dc3

SHA512
e9290459e7cfd50d1095e6a89ee0c1c7ff638d55c8e22471f391d61770b2bf53748cd790fbd98b5db6d3ddeb6926d73c2a5830843db13e7493fd8f46bcd9f305

Download Submit
\Windows\SysWOW64\Afiglkle.exe

Filesize
91KB

MD5
ce88135f769aafbcc114ec9ad807cc62

SHA1
46f6b3b40b36bb5af94b3ef2b99bc4460beb1ff7

SHA256
cb0dc1e22462b66c33cd549c3153e8093c10598f3e860c7e7896a9286547e023

SHA512
514ef084a6d4e93c0ce3a72dca95f679a6f1fa3612e9710ac5b56b087e7e445c95c3173a2f8609c7253fea8368cad8eb8ca878e17d99cf04757e05c17c1f9729

Download Submit
\Windows\SysWOW64\Aijpnfif.exe

Filesize
91KB

MD5
a49d7583fe5347f8998a56857621aa09

SHA1
b426c7336fd838f1110cb80d635d07e01cf1d0e1

SHA256
7ab593d5c3173a09bbfcfa69c5999e4ff31538efed3cf2c6d4fabce3c284dd82

SHA512
b689ad9299f31e44714c05291bfb1cc02f2a37cbad1c1d1235546bc43c265a88003059411e28ba98827bab85257398f44eeed36df74be149bb662ff8a4cd1463

Download Submit
\Windows\SysWOW64\Amqccfed.exe

Filesize
91KB

MD5
7abc7128fc05fa671a942f61d491defc

SHA1
3a52d3e868972bc6578d53fbcc6e3d329dfc0d84

SHA256
bcd3d44d74c5a67511d9841e833ab6aebd07e5cd91fec690f1c0057123f10ce9

SHA512
122f8ea7668f356103af7e8a57482b48cf16b09ce6e2d63b7223e1005dc3a9acca7a0c1753a3551f70b4c4e90285c48a7d1e3003655a2aef5e97de59752dcdd8

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
91KB

MD5
9c9a62ed8cdc35f5d6b96645b6900ac4

SHA1
5e53a8fb40a781e20eeef426b88b2d588a3090b9

SHA256
4cb2aa5b0f5fcd1e018a93dfd423874588084e231f68d43c2dfc9e0cb1614ac5

SHA512
dcb3b5befc1d954bd8d00229b6470b57316bb4b088308b25168b6fe2b578e70ff3626bc2f1379b0d4d8b596382f503d9261692c180d07ea56239d1c851618f11

Download Submit
\Windows\SysWOW64\Apalea32.exe

Filesize
91KB

MD5
89b6e8adbe5e67e28b0e74fa2c59fd3f

SHA1
5b4bb37ae58010b314c341e332abad47240d9e80

SHA256
bc0c873974244defbf482caa8ae5c77ae7f46086908957182245ab7eb84dbb9a

SHA512
d3d3780b3ca8dcd61ddff0e0d015cfb0081ddd2f062cdfd8468a6e590688bc2d12300c90d5b6568228a0313ec351907fe4cc81c552873b3861e362afb8ee51eb

Download Submit
\Windows\SysWOW64\Apoooa32.exe

Filesize
91KB

MD5
bcd6c9afc675c83753952a2ac12e2de4

SHA1
705df57deab5ba704c5b2bcb6e6f2aca214199f9

SHA256
c538afae0ca5fde7d38276ad872bfe8698dfa3fb8e181b0312579cdb18741a48

SHA512
cd8decb443213b448d507b57c0a20e31f6596a4784a093a406d9e36238f0be707acec7d47980f1421392257b8b514b276ffb7ca429d2a745370804290c532835

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
91KB

MD5
5a83e184682288a26f47096934708bda

SHA1
816e68ff3f26905a348ce29a42588fc71bc57152

SHA256
249d686ab6cedfd552f2321cd6f0df624ad5c3aead07303356059678fab891ff

SHA512
7b336717e8be4bb0ab69e4aa4eb6f833102f47c67665b38d2aea5df3b2aa6c30653d5fd04a3c23e0db1b9c96db179b083396a8d09382f2e1c18dd7ef7c83ff4b

Download Submit
\Windows\SysWOW64\Qbplbi32.exe

Filesize
91KB

MD5
99cfc3c5c031d9574095ca864cc5ee75

SHA1
c2ef4a5df40ec605bb37dc40a29fb73962b70bf4

SHA256
7140ed67087db5ab7686ca7f4f5ed5c90455fa69a7ca27e10503665ae0724fa4

SHA512
2b0da6ef677fa1f821a9007ad012d7290971e50137fb22c237b3272a6ed3440a43c76596349430fa54d4adb7ab49e04765cb5942408ef4ee1b6266cf80408d13

Download Submit
\Windows\SysWOW64\Qngmgjeb.exe

Filesize
91KB

MD5
1f6cd65b28148ef70a1fb1e8d90a3f43

SHA1
f6f2a02bcc86d75d4d0429e0e2ec65a5cd68c102

SHA256
0b5f301ec1a7e50081570a87978905faf2c900f24cca0322d5c75cb8d705d22d

SHA512
e653a7be93409a6b17e1209f1260f89520cccaa39e79ff5da552caa9d80b01f7b7dcc047dab1bd50016aa6abff34c2356e3ba0ea2130da4e649feceb83ccc9df

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
91KB

MD5
3e1e671e238bd564a39258cdda56d230

SHA1
c12178fea762377a2de8f831af3cdc44c3382eae

SHA256
b7e1b90cc52356a3bd01fe9f8066937276c5fc6fd0d125d6baad2c369a65ca33

SHA512
0a5655874765c3d78817ae2b9cb0df3d5c6431c0e6156238f6fa77f692087078c99926ee620ac57d60486e25f6bee2efae023610c9dfcbf4f49aa1d0975de39c

Download Submit
memory/528-365-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/528-366-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/528-356-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/596-386-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/596-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/908-403-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/908-263-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/908-264-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/908-246-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/948-241-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1260-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1260-397-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1312-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1312-393-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1312-394-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1320-91-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/1320-96-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/1320-388-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/1320-387-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1320-84-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-378-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-407-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-321-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1608-322-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1652-376-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1652-377-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1652-375-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-401-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-222-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1748-289-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1748-283-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1748-288-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1764-392-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1764-391-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-405-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-300-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1800-299-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1976-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-277-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1976-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-278-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2092-106-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2092-112-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2092-389-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2092-390-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2092-98-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2120-178-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2120-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2236-236-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2236-402-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2236-227-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-399-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-301-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-311-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2364-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-310-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/2460-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2512-267-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2512-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2512-266-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2612-383-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2612-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-40-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2612-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-151-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2648-395-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-355-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2664-350-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-354-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2716-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-27-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2820-12-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2820-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2820-381-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2820-379-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2820-13-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2832-50-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2832-42-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-384-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-56-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2844-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2844-343-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2844-344-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2908-333-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2908-331-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-332-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/3032-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3032-385-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-396-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads