njrat | 9e57b35d67fddf6f5f27f0c8073bcb994217bff76b796e2c8699ad74c9b1db04

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c782bb991c293947a56df38f9530b6c0N.exe
Size

337KB
MD5

c782bb991c293947a56df38f9530b6c0
SHA1

1aa0161436e8d10850daf9e34263c3be92c5472a
SHA256

9e57b35d67fddf6f5f27f0c8073bcb994217bff76b796e2c8699ad74c9b1db04
SHA512

b64ca076f13d21ab432a38c188548f73d7e446bdfc3fb848890d7e9a42ca3c9c8d99ffc021a203a82f1b9c38a7ab246b34b62d5e7780a57b16bfe2b073fd54fa
SSDEEP

3072:x1IvalklJaukUrgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:xiaWHaCr1+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c782bb991c293947a56df38f9530b6c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c782bb991c293947a56df38f9530b6c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 32 IoCs

pid	Process
2924	Pmlmic32.exe
2868	Pcfefmnk.exe
2864	Pcibkm32.exe
2168	Piekcd32.exe
776	Pihgic32.exe
632	Qbplbi32.exe
2372	Qodlkm32.exe
2688	Qeaedd32.exe
1036	Aaheie32.exe
1792	Acfaeq32.exe
1756	Aeenochi.exe
760	Ajbggjfq.exe
2948	Agfgqo32.exe
1712	Amcpie32.exe
1476	Amelne32.exe
2524	Aeqabgoj.exe
2548	Bnielm32.exe
2500	Becnhgmg.exe
560	Bphbeplm.exe
2092	Bbgnak32.exe
2412	Biafnecn.exe
1488	Bjbcfn32.exe
1816	Balkchpi.exe
2404	Bhfcpb32.exe
2760	Bjdplm32.exe
3052	Bhhpeafc.exe
2768	Baadng32.exe
2720	Cdoajb32.exe
692	Cpfaocal.exe
840	Cgpjlnhh.exe
732	Cphndc32.exe
2668	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2860	c782bb991c293947a56df38f9530b6c0N.exe
2860	c782bb991c293947a56df38f9530b6c0N.exe
2924	Pmlmic32.exe
2924	Pmlmic32.exe
2868	Pcfefmnk.exe
2868	Pcfefmnk.exe
2864	Pcibkm32.exe
2864	Pcibkm32.exe
2168	Piekcd32.exe
2168	Piekcd32.exe
776	Pihgic32.exe
776	Pihgic32.exe
632	Qbplbi32.exe
632	Qbplbi32.exe
2372	Qodlkm32.exe
2372	Qodlkm32.exe
2688	Qeaedd32.exe
2688	Qeaedd32.exe
1036	Aaheie32.exe
1036	Aaheie32.exe
1792	Acfaeq32.exe
1792	Acfaeq32.exe
1756	Aeenochi.exe
1756	Aeenochi.exe
760	Ajbggjfq.exe
760	Ajbggjfq.exe
2948	Agfgqo32.exe
2948	Agfgqo32.exe
1712	Amcpie32.exe
1712	Amcpie32.exe
1476	Amelne32.exe
1476	Amelne32.exe
2524	Aeqabgoj.exe
2524	Aeqabgoj.exe
2548	Bnielm32.exe
2548	Bnielm32.exe
2500	Becnhgmg.exe
2500	Becnhgmg.exe
560	Bphbeplm.exe
560	Bphbeplm.exe
2092	Bbgnak32.exe
2092	Bbgnak32.exe
2412	Biafnecn.exe
2412	Biafnecn.exe
1488	Bjbcfn32.exe
1488	Bjbcfn32.exe
1816	Balkchpi.exe
1816	Balkchpi.exe
2404	Bhfcpb32.exe
2404	Bhfcpb32.exe
2760	Bjdplm32.exe
2760	Bjdplm32.exe
3052	Bhhpeafc.exe
3052	Bhhpeafc.exe
2768	Baadng32.exe
2768	Baadng32.exe
2720	Cdoajb32.exe
2720	Cdoajb32.exe
692	Cpfaocal.exe
692	Cpfaocal.exe
840	Cgpjlnhh.exe
840	Cgpjlnhh.exe
732	Cphndc32.exe
732	Cphndc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	c782bb991c293947a56df38f9530b6c0N.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	c782bb991c293947a56df38f9530b6c0N.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1740	2668	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c782bb991c293947a56df38f9530b6c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c782bb991c293947a56df38f9530b6c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c782bb991c293947a56df38f9530b6c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c782bb991c293947a56df38f9530b6c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Amcpie32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2924	2860	c782bb991c293947a56df38f9530b6c0N.exe	30
PID 2860 wrote to memory of 2924	2860	c782bb991c293947a56df38f9530b6c0N.exe	30
PID 2860 wrote to memory of 2924	2860	c782bb991c293947a56df38f9530b6c0N.exe	30
PID 2860 wrote to memory of 2924	2860	c782bb991c293947a56df38f9530b6c0N.exe	30
PID 2924 wrote to memory of 2868	2924	Pmlmic32.exe	31
PID 2924 wrote to memory of 2868	2924	Pmlmic32.exe	31
PID 2924 wrote to memory of 2868	2924	Pmlmic32.exe	31
PID 2924 wrote to memory of 2868	2924	Pmlmic32.exe	31
PID 2868 wrote to memory of 2864	2868	Pcfefmnk.exe	32
PID 2868 wrote to memory of 2864	2868	Pcfefmnk.exe	32
PID 2868 wrote to memory of 2864	2868	Pcfefmnk.exe	32
PID 2868 wrote to memory of 2864	2868	Pcfefmnk.exe	32
PID 2864 wrote to memory of 2168	2864	Pcibkm32.exe	33
PID 2864 wrote to memory of 2168	2864	Pcibkm32.exe	33
PID 2864 wrote to memory of 2168	2864	Pcibkm32.exe	33
PID 2864 wrote to memory of 2168	2864	Pcibkm32.exe	33
PID 2168 wrote to memory of 776	2168	Piekcd32.exe	34
PID 2168 wrote to memory of 776	2168	Piekcd32.exe	34
PID 2168 wrote to memory of 776	2168	Piekcd32.exe	34
PID 2168 wrote to memory of 776	2168	Piekcd32.exe	34
PID 776 wrote to memory of 632	776	Pihgic32.exe	35
PID 776 wrote to memory of 632	776	Pihgic32.exe	35
PID 776 wrote to memory of 632	776	Pihgic32.exe	35
PID 776 wrote to memory of 632	776	Pihgic32.exe	35
PID 632 wrote to memory of 2372	632	Qbplbi32.exe	36
PID 632 wrote to memory of 2372	632	Qbplbi32.exe	36
PID 632 wrote to memory of 2372	632	Qbplbi32.exe	36
PID 632 wrote to memory of 2372	632	Qbplbi32.exe	36
PID 2372 wrote to memory of 2688	2372	Qodlkm32.exe	37
PID 2372 wrote to memory of 2688	2372	Qodlkm32.exe	37
PID 2372 wrote to memory of 2688	2372	Qodlkm32.exe	37
PID 2372 wrote to memory of 2688	2372	Qodlkm32.exe	37
PID 2688 wrote to memory of 1036	2688	Qeaedd32.exe	38
PID 2688 wrote to memory of 1036	2688	Qeaedd32.exe	38
PID 2688 wrote to memory of 1036	2688	Qeaedd32.exe	38
PID 2688 wrote to memory of 1036	2688	Qeaedd32.exe	38
PID 1036 wrote to memory of 1792	1036	Aaheie32.exe	39
PID 1036 wrote to memory of 1792	1036	Aaheie32.exe	39
PID 1036 wrote to memory of 1792	1036	Aaheie32.exe	39
PID 1036 wrote to memory of 1792	1036	Aaheie32.exe	39
PID 1792 wrote to memory of 1756	1792	Acfaeq32.exe	40
PID 1792 wrote to memory of 1756	1792	Acfaeq32.exe	40
PID 1792 wrote to memory of 1756	1792	Acfaeq32.exe	40
PID 1792 wrote to memory of 1756	1792	Acfaeq32.exe	40
PID 1756 wrote to memory of 760	1756	Aeenochi.exe	41
PID 1756 wrote to memory of 760	1756	Aeenochi.exe	41
PID 1756 wrote to memory of 760	1756	Aeenochi.exe	41
PID 1756 wrote to memory of 760	1756	Aeenochi.exe	41
PID 760 wrote to memory of 2948	760	Ajbggjfq.exe	42
PID 760 wrote to memory of 2948	760	Ajbggjfq.exe	42
PID 760 wrote to memory of 2948	760	Ajbggjfq.exe	42
PID 760 wrote to memory of 2948	760	Ajbggjfq.exe	42
PID 2948 wrote to memory of 1712	2948	Agfgqo32.exe	43
PID 2948 wrote to memory of 1712	2948	Agfgqo32.exe	43
PID 2948 wrote to memory of 1712	2948	Agfgqo32.exe	43
PID 2948 wrote to memory of 1712	2948	Agfgqo32.exe	43
PID 1712 wrote to memory of 1476	1712	Amcpie32.exe	44
PID 1712 wrote to memory of 1476	1712	Amcpie32.exe	44
PID 1712 wrote to memory of 1476	1712	Amcpie32.exe	44
PID 1712 wrote to memory of 1476	1712	Amcpie32.exe	44
PID 1476 wrote to memory of 2524	1476	Amelne32.exe	45
PID 1476 wrote to memory of 2524	1476	Amelne32.exe	45
PID 1476 wrote to memory of 2524	1476	Amelne32.exe	45
PID 1476 wrote to memory of 2524	1476	Amelne32.exe	45

C:\Users\Admin\AppData\Local\Temp\c782bb991c293947a56df38f9530b6c0N.exe
"C:\Users\Admin\AppData\Local\Temp\c782bb991c293947a56df38f9530b6c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Pmlmic32.exe
  C:\Windows\system32\Pmlmic32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Pcfefmnk.exe
    C:\Windows\system32\Pcfefmnk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\Pcibkm32.exe
      C:\Windows\system32\Pcibkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 140
        34⤵
        Program crash
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
337KB

MD5
3a9ad2d5f34e09c6f28dc6c41902a795

SHA1
71a6f8adadd0584719889635573c5f9c67a5a493

SHA256
a6c9a295c252e18cac7f2f41e2e05cc38e499fd41246175442d1ade9c97c4387

SHA512
da89cba6f8fa210a49442f48540caf802abe0ea305f354ff8ba41b672be55531a586417b042f627f725fd3c80af3de7c2eaaef9260637df6e245e714649c3b2e

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
337KB

MD5
cbdda47ddfa78d11aacc79fb4616da63

SHA1
1423325e6b35b1f8d62d8ccde16c14bde677c5a4

SHA256
37a969c5759405c3f295a02caf99ad3ef7a729d11a07413d8d84242db6bbefaf

SHA512
c1236b61b674d2cf1722a3cd4e13e8ff6d4051ecb4c2bf90cf187d32922122e3cad4e59b0d2f67f10f8dcebbe542164d998cab317488c0b009cdf0b4585e955c

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
337KB

MD5
9c2606d3dff99c529476ec5c60d2b268

SHA1
c6d69e94c9aed80a444e7473715a77efeadfaec0

SHA256
80374cd81050a3caea366df5ecd5d5fd19d0453955ffaa45ff18891937329d67

SHA512
7102246e09c47bbcf6f32ecebbd0c0bbce4bbe24cf400dc012b8ef994b82eaad675b335aa4f540632ee2781bb20de362dcae1e80e9450c7d041ad2bd1d7d7c4d

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
337KB

MD5
4301c22d7bdb066a222158aa8aa97b3d

SHA1
db5fe86f13dfde3a6539fe622181d5dc463ab37f

SHA256
7427859411214751dd32edb5edee1c9761877525087a8e95356affa4815b509d

SHA512
7f38fc282e18d93be33c6edbbce0e76af24a43ab1692aaccf1e08062df6d5e5910086724d6beb3425e7f9ee5ef0e301e884acd2594019112c84b571e09f0ec3e

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
337KB

MD5
8217b331e2048d8ed7d921a627116069

SHA1
1e3990a2a8b3787bb643817f0215de3820218bf7

SHA256
48f248ab4eaab864ef9d8ca5c20590c804b9999a40f992bd06c3e0958249fd69

SHA512
b0f8529ec628bae907937161a5dcc446b997669530bc9ef492a13e1e826e1e2c4d65c7cedf2b8840708aa01018395c03d040d11b8d8c7e092fd5b3cffdb3c5c0

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
337KB

MD5
f0380e20421c3e90b7e19108e66af62d

SHA1
dc3b6ca66c17578316a7e4353014c76dc250a810

SHA256
42958e62f19c0b955c6ba65df07133867f343a349e56d2d5ad56faa938681148

SHA512
15070807b736b660ba5cd6373122841aae5ffe382cdef21bcbe08eaf7e2689902b56718605165566d527740fe79b1cef0f57778df12e209d20207aff8ad6d361

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
337KB

MD5
7c832e045f7b083c0681b137b69c59d3

SHA1
40cf495b556cc729255a458c18e9ee45fd97865d

SHA256
468d1286bcdf7d665a20ab632b6c9fde0e937b51213d520df6ad32b80a22fda5

SHA512
6ca66d9952fdd8e85f33080c7911cb877456107edf9d0fe31ca5e6ce0776232789ad64a7586cc155d5588cdc544dc2f31a8da561c1d3e7ef76c7cda8eb57c796

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
337KB

MD5
1afe39210240b956bc16ea565d999bb5

SHA1
d782d9d7ec487130ea7179c9da35140c2577ca0a

SHA256
d2e2d64ad2163720cc8098b4bbc689fe2decb4d153af01ddc42b019ba74e5cbe

SHA512
c38808f9a68d624e78be799c82a06dc607ae791715d73d5d021a41fd7480b4f931a89cc02dd4216c40fcc25cb4d7f32c3ca6608085cecee6036eb5e050edd845

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
337KB

MD5
9e6e293f67fa78d71cfef208f901a5bf

SHA1
8db92a9826aa17a470d6df8ed02d138a12f5a7b7

SHA256
a0eb646f28f25120d99ceb0d958a881c057d4a86f5b7c319c06cb6e98b15954e

SHA512
42667d410c1ba52180b94b8b19ec3ea58c2e4e13d77f3dc375646ae6e099729b2468f2843d8866e3fb65b81f0bc9c6c0fc71860fbc25e18b2eb5087fca9b44b4

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
337KB

MD5
b9d4db9d964dcff96190c08316726d64

SHA1
9291c1f27306a0309c899ab7f1e48c7c2f17a601

SHA256
9f398f5bfbb3754fa2aebfee6151b55485a0964764ccffc5c47eabfee7bac25f

SHA512
d7dcd91cf7e66f359cfc5fa25b288353061cdce0e7ee2a5adc274a1201084a3dd7b1160947284d7ea536bd6e4c4cf28ec164e7ad49689c2a19d5ae1ca491edb6

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
337KB

MD5
a30b7544e0b1ac8f849196fd0a25368c

SHA1
4f324d35a9e2501e6d5373cd5814399e736862a4

SHA256
b27123a062cedc8eaaaf3c6ca5772ab900242fb4e4c6ff725ae00b9b5eaf5cf9

SHA512
dcd2ecf7be7d2364dab46664a9ef5690d0432d4ffbaf58c075c2e7cf39f7d12bf32f050fac9188f163878bb46feff99d9a723a7ebdbf291caa66d695e8e220ef

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
337KB

MD5
d3f9e5a6ebd7428fb5331bb26abb5efc

SHA1
3f16ab88154101931b10c095eeb71f0718b2ff5a

SHA256
6bc9cb195640c70a69350cccf7613bc36bbb24224a6b98eee05c35ff66dd97eb

SHA512
13d2581c2c482f3b9f502f19e2c7338eeb0e69c7e6e18c09f801cd97a9e1fea83f8677c5165b2f59eb261d434d2472e93a4b25a32bd46fa2928d318cf7d6bf79

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
337KB

MD5
d07770b94f8bf68e3ad704af01a9588c

SHA1
eaedfffe1faec46ce1959c07577390f873e4d982

SHA256
b5bc404947cfce1b8591e8d5a6373c43c63e15273ce6ffebd862b619c1a38caa

SHA512
dc22df9ebf04505e559fc653ade49f22848e0a5aac0ed2fb1c0011be1082bb1df48ba4e9e6832a9bc9a7e56a03bcd6dfbe2911f6acb0925d2944950090781c02

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
337KB

MD5
db920fb1320fdc156438696a348b2b45

SHA1
114c5d5e05d9fdeacb7b6bac54275d3b7443bab3

SHA256
2b1136a849745e107995e5c376b759c76b94c11ebc9aa1f0c1c9ead9569e4c51

SHA512
e123c2b3e21891555fb161a950a0922b3cf5eafb8a313de5b9d6f742067d4d149a140c7384928cffbca8021bb95c26702fa2f10644c384d75847f8b194bc0cf5

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
337KB

MD5
320447b6eeed5728fefc7959e8b8ccf9

SHA1
159e7171010d1b67902113cb15854a12077f5eea

SHA256
3ec846c174d54f06c5e6c48415737891d04988d3db9ae779bb42872a24fb05f8

SHA512
9f885b74fb433343720d5fc7dac30ddca0c1551f6a7b2ad5c9052f145e8bfc5846dcdf77f63a544f2504bb811dfc06b28806a309f64d980bf99aaa46c4e28418

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
337KB

MD5
41f90541602959da399f492909ef9569

SHA1
5d146f679433193c81b57df469abfb1f015d1aa0

SHA256
cf239dbf9b2c52877a7b2bb70c896de232b532548adab401f974640ece02b0a1

SHA512
155b46b19fcd060c31b8b63c9221c73db7a4a5638705a3ea611757cb4332a0fadcf84086c65305216f42ef544dfbd898ea5e784010b76cac3372515d25e5f192

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
337KB

MD5
34ea275c66af9561226d7c147465f9b3

SHA1
8b978821e43229111af55bf03afd045b4868f6d9

SHA256
298cc7aa8f6b9deb6682af1c6fa7a10bf33a744f0d612c08870b12a538ddf75a

SHA512
1708ba76b47bea84d1894d28636a704622be91686cd2fb7e36d3bbbf4991929fa66921770e8402f8c0d78e4edb1628e13094261ebfad73aa42126bdf56cb1714

Download Submit
C:\Windows\SysWOW64\Pcfefmnk.exe

Filesize
337KB

MD5
fd5271a0767e4a227fdfe0d9e178aaba

SHA1
786a10b3e3d137fff691d5c7a3f7096480470b74

SHA256
9d1ef9ece88b06e8081189a5cca9f56f8e56cf767b8c2df62229412d5248df5c

SHA512
92c24c40aba4a37bcc07df9c62bb0f6fea8a76b8a7ddc1dc39e5b289ed3eb42cdc9684bbfe0ca07f29b5c60fe283f9e4ffaa2da2d16eae40fd9f84c7b3aa8529

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
337KB

MD5
9f58ff5d96e827d87e0e37cfffddb031

SHA1
db417da7d7c1dc5395c3e8e9baf852beccee97f5

SHA256
9edac7d080f866494da52bb3b3414d086eeee9fdcba15893b3257742e7e4a040

SHA512
8f7b0ac0a2fc583da898789e23593c9fd2875b1094bb3c71b680e672e9a705afa30a53ed28e5b5f94daf13adb3da45d0fd343a33475b40c701adeb3092565a57

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
337KB

MD5
8c341174f2ab41a42c9068a7d6ef9ada

SHA1
a45cbb8f531e85092011c95def86e0fc7b98e418

SHA256
c7160911b07bbff51533a6fc97d3f748b613f8c5561dbeaee72306befe8b59b5

SHA512
13203717f29c9820d6b47f792f338d925a1400a2bbd5982a491c7b935167fa549656facc52a7e05def1da0fc38628673e5a3d350333ebc2fc347ca0ac0725f09

Download Submit
\Windows\SysWOW64\Aeenochi.exe

Filesize
337KB

MD5
49fae8f963e070efd567b25ba7487295

SHA1
cb4e7012ab6810f98ebb28ed437cfff1a8991a2e

SHA256
dfb52b5c623e09b77b67af783311f4ede65ad949782648a5ca0666079fd565d2

SHA512
4e2c595372183c53fc873c263bdd9e36c305a7005226aecdf7c7cd3731dd33de8ef7b1bfa328996ab8fc1d5a520f14ceb6b23b2f8519cc296931a6b4b73f160a

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
337KB

MD5
69472d05d99d6d5cd66a3c69a841a4c2

SHA1
6acde857acc717a17f1442cf7a307aa5cb3c54da

SHA256
a86c505ead18144b1a8509b7d281ef4b8eb4fd602442d4272b13071dc01f283f

SHA512
61832d2d60241dc2696ebd2f06dd4dc57a2584e7cc859a024cba78fdec2b7178052b36b4f5d642444505c236062a113f4b2a6e1caacd8fa2952e6c2b6e8ca3b6

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
337KB

MD5
3d1dc658a83eb824fb91cb82089e020a

SHA1
2bf1684a43d5f932541794c7998b8f9589536c28

SHA256
29c45405917cfc55a3adce0c5f94285e45d94f89a657bf8ad967808817420540

SHA512
d53ae8401bbc0d48d4e0a665d6bbf6637303c7ebd32a8830eff264094ad1b5d6793fa4408c8a3baf87f4d612f018e24de2d6b255fbe9880d4f0287405f676e0d

Download Submit
\Windows\SysWOW64\Ajbggjfq.exe

Filesize
337KB

MD5
8855492d8cacbd3686dfe4804df22785

SHA1
d4a2a9e387a3c5b1164e57c7ebce830a7ac8a1b0

SHA256
f5b866c24e09b3c20b88d89e8f662d22fbf612bf3de006dd583411fda74b0bb3

SHA512
77606d6f6485f2c0d15fa40ecc6a3128f2ce2d77bec4e90c15b9740a574d131bf096b8631f1c3ceead1cc88f92b2a0fc1d2f50a611e564aed0c072436fe287f9

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
337KB

MD5
b1bbb9c4b51bff1aa113b23a065d4205

SHA1
627c59c646e3f2e13469914fa9fec3c0988cde92

SHA256
1862f21c3c04d9502285e6b5be7ea28e5de5d0b50fd4371168767eca290873b6

SHA512
f77a38e3aa7c281948220100b565eb6faea2db50df4168edb12b7c662b1435fa77d729ae9a1ca052404bcf5ffb71caaffd66845dc19d47282eae171a63ca1cad

Download Submit
\Windows\SysWOW64\Amelne32.exe

Filesize
337KB

MD5
7319e4cf153fd846946d3149c9817231

SHA1
fe7b4568d043d20252d7ef290b3d1f2e7590e4b0

SHA256
188b9ce578a561f3451edf7a1e63d6bab94c526368cab446e357ed6b48c04a68

SHA512
18e173818af00e619833a0019f3b95955463a81dc3f8dd64e82832f75c1e638c320b40bebf71f7aa0fbcd4a10c7d0daf67e846f8391edd00099ccbbc9d15b9d5

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
337KB

MD5
1476ce29bc0ac18e009a1dfdd81a8bf9

SHA1
cb25043ccfe97cd7be0bbcdeeef36ba971c308f5

SHA256
451b88b62ebd1129680daef53e5c5e1b86e9dc29307dad2326553499e8892e01

SHA512
cb674b209d60a2542ac6ff47ababa456147a221d02716c3e7346591249cf12e8f47bf44e5a026168dcb17df9e88f105fc4587bb410ec3741f2fc8acc9ec0a697

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
337KB

MD5
90ee64636744a01c3475db0e1c98750c

SHA1
acc7c4a8eaaf8e226469d20bfb43143f1b6999d6

SHA256
bb275309b07f7eae5e72a2bc30c1a39befdb31d89083172956d5ca7926f72cdd

SHA512
87fa77adc9928d7db577dba9a7c62215433dcaf9e02fb9731d11c336dbbdcca6e4b4deace42a04663fc557dac066869ac99fd56a2068dd7cd2a296986f6ffb0a

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
337KB

MD5
533bac7483a5c3c73e38f576d1839ebe

SHA1
91670ec256c456411d71ce6654d459939c1b0b59

SHA256
3f10e12910fd83415751f6c92a92021179ee03afef469cb852cd7ee1970ab3a9

SHA512
18142b28d017ef5921448bf71035ff5b426227c699873974d5b98c9568916a28adc54f0dce34ec1a2682a3362f71f143dd2238e16b137238ab0b5b9dbba187be

Download Submit
\Windows\SysWOW64\Qbplbi32.exe

Filesize
337KB

MD5
7c34ad7835c0f42340b2f9dea66dc31e

SHA1
266ce08043e33f40d3fccd5e50c0b518cef1976f

SHA256
8615e181b3c085bb20d882553789baadbc0d3c8f8a9bf45941bcd6327fa779ec

SHA512
9d584db3774b277fa9a3bd2be4390434691aec5d71ffe2dd29df0cf9dc2c856a1e22a873f9176afc5bcaa2d549766d9fed72694211172245d6d86b0064efe7bf

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
337KB

MD5
800488f90cf0c90631d002d5b1971e82

SHA1
d2e0539eee38365c06d2706cf67e735300a2b794

SHA256
ee0ff44d10381ccca75da0ec6c84c03565f1b456f82a0314670ff7bf14f83b95

SHA512
20529a9b1d463b36e49f95abaa606b8b585b3b0dae16bababe3f4c47db9427e2d05b859da5bb4879c54ed6915ba8f47b0bab9123117907a1ef001a79b4b8cadb

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
337KB

MD5
e65a13f1707907ac95c98c72e9aa4ed0

SHA1
81e6eb653babc0ec1cd163a4171e65938937e18d

SHA256
b9f46f12e4086997e105e67722563873aa7aea08102a46558615d8153b5bc50f

SHA512
63a58a2e13aa6ea3502b0402d06c6574f43e0b752fa81c3de2fb9e1988b897c9b22421b4c75532c7889164392cf8a66dd9f2f029d52dd97a7b5c40d9a921ac24

Download Submit
memory/560-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-265-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/632-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-92-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/632-401-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/632-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-368-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/692-373-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/692-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-177-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/760-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-471-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/776-82-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/776-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-399-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/840-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-140-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1036-437-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1476-223-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1476-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-290-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1488-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-294-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/1712-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-209-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1712-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-486-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1756-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-167-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1792-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-438-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1792-153-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1816-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-305-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1816-304-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2092-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-272-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2168-396-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2168-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-63-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2372-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-423-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2372-409-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2372-110-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2404-316-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2404-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-312-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2412-284-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2412-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-255-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2500-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-235-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2524-236-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2524-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-124-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-125-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-323-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2760-327-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2760-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-350-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2768-349-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2860-343-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-385-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2864-54-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2864-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-379-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2868-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-35-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2924-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2924-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-191-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2948-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-472-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2948-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-334-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3052-338-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads