0860f39448619882c148ffa5d4338cba3f6bf9d31d4ec3fc4d0842062ae605c9

Analysis

max time kernel
91s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c44b5aadf89a4bfe0d34f28fdab0490N.exe
Size

128KB
MD5

2c44b5aadf89a4bfe0d34f28fdab0490
SHA1

ec015490ebe1377d05a016e90d910676eb2da0a6
SHA256

0860f39448619882c148ffa5d4338cba3f6bf9d31d4ec3fc4d0842062ae605c9
SHA512

b984f1bf88f8cbead736f731a6797102252456df92b28bfea7ff1a1358c23e6abed1942c3a065b552638b1bd846c67dd43c092b82c02c42707a532fd50a515ec
SSDEEP

3072:EWNU8pVUQMeNAlQAHV1d1p1d1d1B1B1B1iuCa08uFafmHURHAVgnvedh6:n7pnMeNAOA11d1p1d1d1B1B1B1ija08G

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmbje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acohnhab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abkkpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ankedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afbnec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caenkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahhchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbnec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afndjdpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abinjdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biccfalm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abdeoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeenapck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdcofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afndjdpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnofp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abinjdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almihjlj.exe

Executes dropped EXE 53 IoCs

pid	Process
2216	Pjbjjc32.exe
2884	Qcjoci32.exe
2864	Qfikod32.exe
3000	Qcmkhi32.exe
2716	Qfkgdd32.exe
2740	Qijdqp32.exe
2916	Acohnhab.exe
2272	Afndjdpe.exe
1084	Ailqfooi.exe
2920	Aljmbknm.exe
2204	Abdeoe32.exe
2372	Aebakp32.exe
2924	Almihjlj.exe
768	Ankedf32.exe
596	Afbnec32.exe
2132	Aeenapck.exe
1996	Anmbje32.exe
1616	Abinjdad.exe
1508	Aicfgn32.exe
608	Ajdcofop.exe
2592	Abkkpd32.exe
1320	Aejglo32.exe
1804	Admgglep.exe
1736	Ahhchk32.exe
1704	Bjfpdf32.exe
1580	Bmelpa32.exe
2992	Bacefpbg.exe
3028	Bdaabk32.exe
2876	Bhmmcjjd.exe
304	Bkkioeig.exe
1796	Baealp32.exe
2348	Bdcnhk32.exe
1892	Bfbjdf32.exe
2400	Biqfpb32.exe
1252	Blobmm32.exe
1612	Bpjnmlel.exe
2984	Beggec32.exe
2136	Biccfalm.exe
884	Bmnofp32.exe
3060	Bopknhjd.exe
1960	Ceickb32.exe
2212	Chhpgn32.exe
1044	Ccnddg32.exe
2436	Celpqbon.exe
2192	Chjmmnnb.exe
2200	Ckiiiine.exe
1448	Cdamao32.exe
824	Clhecl32.exe
2672	Cniajdkg.exe
752	Caenkc32.exe
2500	Ceqjla32.exe
2084	Cgbfcjag.exe
2368	Coindgbi.exe

Loads dropped DLL 64 IoCs

pid	Process
2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
2216	Pjbjjc32.exe
2216	Pjbjjc32.exe
2884	Qcjoci32.exe
2884	Qcjoci32.exe
2864	Qfikod32.exe
2864	Qfikod32.exe
3000	Qcmkhi32.exe
3000	Qcmkhi32.exe
2716	Qfkgdd32.exe
2716	Qfkgdd32.exe
2740	Qijdqp32.exe
2740	Qijdqp32.exe
2916	Acohnhab.exe
2916	Acohnhab.exe
2272	Afndjdpe.exe
2272	Afndjdpe.exe
1084	Ailqfooi.exe
1084	Ailqfooi.exe
2920	Aljmbknm.exe
2920	Aljmbknm.exe
2204	Abdeoe32.exe
2204	Abdeoe32.exe
2372	Aebakp32.exe
2372	Aebakp32.exe
2924	Almihjlj.exe
2924	Almihjlj.exe
768	Ankedf32.exe
768	Ankedf32.exe
596	Afbnec32.exe
596	Afbnec32.exe
2132	Aeenapck.exe
2132	Aeenapck.exe
1996	Anmbje32.exe
1996	Anmbje32.exe
1616	Abinjdad.exe
1616	Abinjdad.exe
1508	Aicfgn32.exe
1508	Aicfgn32.exe
608	Ajdcofop.exe
608	Ajdcofop.exe
2592	Abkkpd32.exe
2592	Abkkpd32.exe
1320	Aejglo32.exe
1320	Aejglo32.exe
1804	Admgglep.exe
1804	Admgglep.exe
1736	Ahhchk32.exe
1736	Ahhchk32.exe
1704	Bjfpdf32.exe
1704	Bjfpdf32.exe
1580	Bmelpa32.exe
1580	Bmelpa32.exe
2992	Bacefpbg.exe
2992	Bacefpbg.exe
3028	Bdaabk32.exe
3028	Bdaabk32.exe
2876	Bhmmcjjd.exe
2876	Bhmmcjjd.exe
304	Bkkioeig.exe
304	Bkkioeig.exe
1796	Baealp32.exe
1796	Baealp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Fmdkki32.dll	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Abkkpd32.exe	Ajdcofop.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Qcmkhi32.exe	Qfikod32.exe
File created	C:\Windows\SysWOW64\Nhjpkq32.dll	Qcmkhi32.exe
File created	C:\Windows\SysWOW64\Olilod32.dll	Almihjlj.exe
File created	C:\Windows\SysWOW64\Aejglo32.exe	Abkkpd32.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Caenkc32.exe
File created	C:\Windows\SysWOW64\Qcmkhi32.exe	Qfikod32.exe
File created	C:\Windows\SysWOW64\Gaklhb32.dll	Qfkgdd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfpdf32.exe	Ahhchk32.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Beggec32.exe	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Bchmahjj.dll	Pjbjjc32.exe
File opened for modification	C:\Windows\SysWOW64\Bkkioeig.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Bdcnhk32.exe
File created	C:\Windows\SysWOW64\Kbmamh32.dll	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Biqfpb32.exe	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Pfapgnji.dll	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Eiibij32.dll	Aljmbknm.exe
File created	C:\Windows\SysWOW64\Djcnme32.dll	Afbnec32.exe
File opened for modification	C:\Windows\SysWOW64\Abinjdad.exe	Anmbje32.exe
File created	C:\Windows\SysWOW64\Bhhjdb32.dll	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Cgbfcjag.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Kpijio32.dll	Blobmm32.exe
File created	C:\Windows\SysWOW64\Pjbjjc32.exe	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
File created	C:\Windows\SysWOW64\Pfekjn32.dll	Qcjoci32.exe
File opened for modification	C:\Windows\SysWOW64\Aebakp32.exe	Abdeoe32.exe
File created	C:\Windows\SysWOW64\Hmecge32.dll	Abinjdad.exe
File created	C:\Windows\SysWOW64\Khfhio32.dll	Admgglep.exe
File created	C:\Windows\SysWOW64\Afndjdpe.exe	Acohnhab.exe
File opened for modification	C:\Windows\SysWOW64\Abkkpd32.exe	Ajdcofop.exe
File opened for modification	C:\Windows\SysWOW64\Aejglo32.exe	Abkkpd32.exe
File created	C:\Windows\SysWOW64\Aljmbknm.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Lflppehm.dll	Aebakp32.exe
File created	C:\Windows\SysWOW64\Gpfecckm.dll	Afndjdpe.exe
File created	C:\Windows\SysWOW64\Bdcnhk32.exe	Baealp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Admgglep.exe	Aejglo32.exe
File created	C:\Windows\SysWOW64\Bmelpa32.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjjc32.exe	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Lfehem32.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Caenkc32.exe	Cniajdkg.exe
File opened for modification	C:\Windows\SysWOW64\Ahhchk32.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Blobmm32.exe	Biqfpb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Caenkc32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Aicfgn32.exe	Abinjdad.exe
File opened for modification	C:\Windows\SysWOW64\Blobmm32.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Bpjnmlel.exe	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Khpbbn32.dll	Clhecl32.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcnhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmbje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenapck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmmcjjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdeoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkgdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aljmbknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almihjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbnec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caenkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abinjdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnofp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acohnhab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjnmlel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcjoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aejglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clhecl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmkhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahhchk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfikod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abkkpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkioeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdcofop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afndjdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll"	Pjbjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abkkpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglnmheg.dll"	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abkkpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll"	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfekjn32.dll"	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahhchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2c44b5aadf89a4bfe0d34f28fdab0490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeenapck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ankedf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfikod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemmee32.dll"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beggec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjbjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ankedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aebakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjnmlel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befima32.dll"	Abkkpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdkkkqh.dll"	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Beggec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abdeoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmelpa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2216	2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe	30
PID 2744 wrote to memory of 2216	2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe	30
PID 2744 wrote to memory of 2216	2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe	30
PID 2744 wrote to memory of 2216	2744	2c44b5aadf89a4bfe0d34f28fdab0490N.exe	30
PID 2216 wrote to memory of 2884	2216	Pjbjjc32.exe	31
PID 2216 wrote to memory of 2884	2216	Pjbjjc32.exe	31
PID 2216 wrote to memory of 2884	2216	Pjbjjc32.exe	31
PID 2216 wrote to memory of 2884	2216	Pjbjjc32.exe	31
PID 2884 wrote to memory of 2864	2884	Qcjoci32.exe	32
PID 2884 wrote to memory of 2864	2884	Qcjoci32.exe	32
PID 2884 wrote to memory of 2864	2884	Qcjoci32.exe	32
PID 2884 wrote to memory of 2864	2884	Qcjoci32.exe	32
PID 2864 wrote to memory of 3000	2864	Qfikod32.exe	33
PID 2864 wrote to memory of 3000	2864	Qfikod32.exe	33
PID 2864 wrote to memory of 3000	2864	Qfikod32.exe	33
PID 2864 wrote to memory of 3000	2864	Qfikod32.exe	33
PID 3000 wrote to memory of 2716	3000	Qcmkhi32.exe	34
PID 3000 wrote to memory of 2716	3000	Qcmkhi32.exe	34
PID 3000 wrote to memory of 2716	3000	Qcmkhi32.exe	34
PID 3000 wrote to memory of 2716	3000	Qcmkhi32.exe	34
PID 2716 wrote to memory of 2740	2716	Qfkgdd32.exe	35
PID 2716 wrote to memory of 2740	2716	Qfkgdd32.exe	35
PID 2716 wrote to memory of 2740	2716	Qfkgdd32.exe	35
PID 2716 wrote to memory of 2740	2716	Qfkgdd32.exe	35
PID 2740 wrote to memory of 2916	2740	Qijdqp32.exe	36
PID 2740 wrote to memory of 2916	2740	Qijdqp32.exe	36
PID 2740 wrote to memory of 2916	2740	Qijdqp32.exe	36
PID 2740 wrote to memory of 2916	2740	Qijdqp32.exe	36
PID 2916 wrote to memory of 2272	2916	Acohnhab.exe	37
PID 2916 wrote to memory of 2272	2916	Acohnhab.exe	37
PID 2916 wrote to memory of 2272	2916	Acohnhab.exe	37
PID 2916 wrote to memory of 2272	2916	Acohnhab.exe	37
PID 2272 wrote to memory of 1084	2272	Afndjdpe.exe	38
PID 2272 wrote to memory of 1084	2272	Afndjdpe.exe	38
PID 2272 wrote to memory of 1084	2272	Afndjdpe.exe	38
PID 2272 wrote to memory of 1084	2272	Afndjdpe.exe	38
PID 1084 wrote to memory of 2920	1084	Ailqfooi.exe	39
PID 1084 wrote to memory of 2920	1084	Ailqfooi.exe	39
PID 1084 wrote to memory of 2920	1084	Ailqfooi.exe	39
PID 1084 wrote to memory of 2920	1084	Ailqfooi.exe	39
PID 2920 wrote to memory of 2204	2920	Aljmbknm.exe	40
PID 2920 wrote to memory of 2204	2920	Aljmbknm.exe	40
PID 2920 wrote to memory of 2204	2920	Aljmbknm.exe	40
PID 2920 wrote to memory of 2204	2920	Aljmbknm.exe	40
PID 2204 wrote to memory of 2372	2204	Abdeoe32.exe	41
PID 2204 wrote to memory of 2372	2204	Abdeoe32.exe	41
PID 2204 wrote to memory of 2372	2204	Abdeoe32.exe	41
PID 2204 wrote to memory of 2372	2204	Abdeoe32.exe	41
PID 2372 wrote to memory of 2924	2372	Aebakp32.exe	42
PID 2372 wrote to memory of 2924	2372	Aebakp32.exe	42
PID 2372 wrote to memory of 2924	2372	Aebakp32.exe	42
PID 2372 wrote to memory of 2924	2372	Aebakp32.exe	42
PID 2924 wrote to memory of 768	2924	Almihjlj.exe	43
PID 2924 wrote to memory of 768	2924	Almihjlj.exe	43
PID 2924 wrote to memory of 768	2924	Almihjlj.exe	43
PID 2924 wrote to memory of 768	2924	Almihjlj.exe	43
PID 768 wrote to memory of 596	768	Ankedf32.exe	44
PID 768 wrote to memory of 596	768	Ankedf32.exe	44
PID 768 wrote to memory of 596	768	Ankedf32.exe	44
PID 768 wrote to memory of 596	768	Ankedf32.exe	44
PID 596 wrote to memory of 2132	596	Afbnec32.exe	45
PID 596 wrote to memory of 2132	596	Afbnec32.exe	45
PID 596 wrote to memory of 2132	596	Afbnec32.exe	45
PID 596 wrote to memory of 2132	596	Afbnec32.exe	45

C:\Users\Admin\AppData\Local\Temp\2c44b5aadf89a4bfe0d34f28fdab0490N.exe
"C:\Users\Admin\AppData\Local\Temp\2c44b5aadf89a4bfe0d34f28fdab0490N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\Pjbjjc32.exe
  C:\Windows\system32\Pjbjjc32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Qcjoci32.exe
    C:\Windows\system32\Qcjoci32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\Qfikod32.exe
      C:\Windows\system32\Qfikod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Qcmkhi32.exe
        
        C:\Windows\system32\Qcmkhi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\Qfkgdd32.exe
        
        C:\Windows\system32\Qfkgdd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Acohnhab.exe
        
        C:\Windows\system32\Acohnhab.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Afndjdpe.exe
        
        C:\Windows\system32\Afndjdpe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Aljmbknm.exe
        
        C:\Windows\system32\Aljmbknm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Abdeoe32.exe
        
        C:\Windows\system32\Abdeoe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Aebakp32.exe
        
        C:\Windows\system32\Aebakp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Almihjlj.exe
        
        C:\Windows\system32\Almihjlj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ankedf32.exe
        
        C:\Windows\system32\Ankedf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Afbnec32.exe
        
        C:\Windows\system32\Afbnec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Aeenapck.exe
        
        C:\Windows\system32\Aeenapck.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Anmbje32.exe
        
        C:\Windows\system32\Anmbje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Abinjdad.exe
        
        C:\Windows\system32\Abinjdad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ajdcofop.exe
        
        C:\Windows\system32\Ajdcofop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\Abkkpd32.exe
        
        C:\Windows\system32\Abkkpd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Aejglo32.exe
        
        C:\Windows\system32\Aejglo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ahhchk32.exe
        
        C:\Windows\system32\Ahhchk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bjfpdf32.exe
        
        C:\Windows\system32\Bjfpdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bacefpbg.exe
        
        C:\Windows\system32\Bacefpbg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bdaabk32.exe
        
        C:\Windows\system32\Bdaabk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Bhmmcjjd.exe
        
        C:\Windows\system32\Bhmmcjjd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Bkkioeig.exe
        
        C:\Windows\system32\Bkkioeig.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Bdcnhk32.exe
        
        C:\Windows\system32\Bdcnhk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Bpjnmlel.exe
        
        C:\Windows\system32\Bpjnmlel.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Bmnofp32.exe
        
        C:\Windows\system32\Bmnofp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Clhecl32.exe
        
        C:\Windows\system32\Clhecl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Caenkc32.exe
        
        C:\Windows\system32\Caenkc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abdeoe32.exe

Filesize
128KB

MD5
ee17944bb924fc04f77fe6f6eea87b41

SHA1
f7953450ad5ddcd1b78807687c8662cf06ce5bc3

SHA256
df9efc253559848f2dddd5f7a371abe0037698da098d3f8c2cd8890e872f1195

SHA512
76304a3f22eabdea9d5f5ca62adf40e3d7e7b011401872b624334a0570fd807308c3425089fcb4f1f5cd00e8f39e4b14f173762c9eeb15b6a446e0e5235ced00

Download Submit
C:\Windows\SysWOW64\Abinjdad.exe

Filesize
128KB

MD5
e6360daae9a3ff81c10ad54d01833f08

SHA1
d86f966e6b470aaac638ad653081011fd8431a78

SHA256
d0649baaeda705427ef50f7a1d0d6e72a6e0484b28ef81a678ccced63b851a7f

SHA512
e28c84763db5fcbde81869f80c72fc47d30b2533aa9536f90fc557729f1ce08c800cdc787efad6c75ac699a86f7fba1be1a427d2b9863158c0fd16280fdf6887

Download Submit
C:\Windows\SysWOW64\Abkkpd32.exe

Filesize
128KB

MD5
1ce9bd54e303726cd30ad9de48fd3661

SHA1
f8ca2a69d118c764fd2b888f8a2a36a67575011e

SHA256
8e93e7471c4dc580957b33e7addff90b08a781da2aa8ca2df97ae83eb378232e

SHA512
d8d7be830a03aa5157186363a129dd224cc646eff5a08ea86406cc31dfe06874f3e67d7f32102bbff1826b77738323c7d101ab1a96580b566a0934a9bf8bc128

Download Submit
C:\Windows\SysWOW64\Acohnhab.exe

Filesize
128KB

MD5
fb4ff78c892a5b1ea3fca890ffa293f6

SHA1
7970a7323f80b8a4bbabaf5475c3b66930789f46

SHA256
65efeac7ecf1b39de4e8b5d59668f1de91d86b41d196725f3368881cb3ddcad6

SHA512
251ce73d065e62b31220f4d1c9d64e7e9c56908aa55c857c7019933be32dba1cb4033efbbe423480cba9630244950626941b116cbaf729744f073f51e72e3107

Download Submit
C:\Windows\SysWOW64\Admgglep.exe

Filesize
128KB

MD5
dcdc0ac4cf9bc6d9b4cfd4571216f045

SHA1
f3393520583f4e8601a493336a5c9efa46ad69bd

SHA256
f6e55beb1eb7a52a08e88aea23f273f6382df93e7f549e3f6f7a72f37b987f06

SHA512
1dbb29a6c9e72ec28a850b86808f716ad9ab9c8e38a4d70a35241ff2cb466ee02b02569cb79cdcb4f3113e72db0b3a0d026dc71bb2d4b53cd65c6e13d11e64c5

Download Submit
C:\Windows\SysWOW64\Aebakp32.exe

Filesize
128KB

MD5
215ecf1ad03a90c8cae5483411e05da8

SHA1
93311d2721ca012cebcb2787396f1f7e686c54bf

SHA256
57dbf89b77a43b7c3512f1b5d764fdcfd21e699bfbee6ec7d5f6232d5ae4a433

SHA512
08c49c868f7b5c21da81d0dbc8bb5ca545fa83427c5a6724ac2d7e4770db4ad9b0493720daa40b00ca54f2e3d3689de171f2eb55b1c33ee8046ed716786c067e

Download Submit
C:\Windows\SysWOW64\Aeenapck.exe

Filesize
128KB

MD5
345658ca706b2f2512f2ebb75a4d0c25

SHA1
dd77e65cb28458ed181a9ea6d01bc0334d10e15e

SHA256
1eee2043e1bc5da299daf06511700920f8fd99dbd78a513a538ee89e1dd31c74

SHA512
40214c041d66264455f3a639eb9bac27db349d3aeff9b51ce9c9cdbc6fd06fecf80236a3a61c0790057086dc19be9804a1b06fbc0008417ce3f99949ae8711ac

Download Submit
C:\Windows\SysWOW64\Aejglo32.exe

Filesize
128KB

MD5
38886935be368b5021f729458e53e19b

SHA1
6767babb47cac17a9e83581306a601f88f38a3f1

SHA256
f33f9ec8819a2183b077a0744db396856fc436f070f9c1684da0efda7e7d0db7

SHA512
2e4d2d111b6d7587931f4f7350cdc128ae3f87deac229ca154f63546e903e88586179f2a6f507e4baaa4527250e5897e2eb51837c6723d515e9da0011708a083

Download Submit
C:\Windows\SysWOW64\Afbnec32.exe

Filesize
128KB

MD5
520bfb0f8627142825c84fa869f2430b

SHA1
c5b08ff19a937e7e5fda87138f782fd9f77bad03

SHA256
07dca1e48712ebe122007c193f85821aa93cee6a4e8a27c0efd5d659fb565643

SHA512
7ac707354e977b1af64fc3d2a5ec646e54b60d9bb764d68a3c506f98605a81c398e2399b0293529d9bae8eec07bd0b9268713172634f45e6d44b981617e31881

Download Submit
C:\Windows\SysWOW64\Afndjdpe.exe

Filesize
128KB

MD5
e1fdddddfc43add118ee01360fd386b3

SHA1
864fd53de58fd2c439a4cfbdab579d73bd2f3f8f

SHA256
0bb6759c600eb122e3d984da94fae891ef4edbc117ad7938e12661be680b3233

SHA512
57f05ce4b719c25bd81413192d3c1d29bce44793d2b1726f7f87be523a691c96f97f9f14490e0ca985fdb301623621e3c3b0ea28013dadb7b50c8fb700dd7f40

Download Submit
C:\Windows\SysWOW64\Ahhchk32.exe

Filesize
128KB

MD5
2185688ea0c306a755773d443296dc54

SHA1
f12fde3d157950d21e4c6a71758793a27b1f238d

SHA256
d310cea186bd0c0a7d69cb482029d4b4a7333b7182e4cc5acc16363173b51308

SHA512
858b0180784e5e38f09754446514ce1ad201acd7ed0f1e8df58dad58bc53b723086b8cf215f1ec258635080d3be69a8f4fffa1fde0ef5264b405c3ae8e0a8ad0

Download Submit
C:\Windows\SysWOW64\Aicfgn32.exe

Filesize
128KB

MD5
fdcaa770ea30556f01eba810fec1e931

SHA1
434fc353c416c0d4fdc66986ce81a8cb3209f459

SHA256
7b6af1d0e034d7b01dcddb65a3c9141ce6faee90347f137bc0a53665f2531c2d

SHA512
3a79fa7f4d7f68337a74d457dc445516b1f7f4eac74c5a419bf50af21051ea05151f39d045dd5b346c2762921fd822278d9ba0b92416dbbe61257e547a0a1b4f

Download Submit
C:\Windows\SysWOW64\Ailqfooi.exe

Filesize
128KB

MD5
de7d24ddc167d3af7d37fb3ac82969c6

SHA1
37ffd8dbf61db183bb06d317434a6c1d3c53b973

SHA256
5aabb7da2318e51f7c3f71c154c9f7de0cb7c191172be9ae2b012e258a5571df

SHA512
781e8409e3106dfea50720178e9273bd498b92332004a07b3715a2feb1126231cafd5b540ffc8bc3e41975e2e8311edf7099cb8e7914844818eb2e496011fa07

Download Submit
C:\Windows\SysWOW64\Ajdcofop.exe

Filesize
128KB

MD5
9e52b40ccf8d6f2ca857b7dd3cc85b58

SHA1
cad0c336c84b2924ef8eb6501a05b0f4be108a09

SHA256
425ca93e9948180e3b47761914a624675e87b93ccf5793dd9cad3fd1ac7fbaf9

SHA512
206d9ae0523ba13311e7186a4d8e60acb8a28fbe148f30810ccb2363df6a11e6d2a65971023de4d17a4c9a46fcb0edac41cd20e555913b9afd622b81545c4693

Download Submit
C:\Windows\SysWOW64\Aljmbknm.exe

Filesize
128KB

MD5
ac5601d9f7b2ab95448b9e8e090378ae

SHA1
f27352cc778bb5221c89547f68c25c0a3a2020d6

SHA256
61c8302f9c744b525b9dcdb05ab3e80efca7c615f891b96f6b1afab7dfdf086b

SHA512
4d48d7c13893a3d5905a94755fc7054a623edb613147a9c38d3e0e3c5f3d721353b2b53d63fc22ab179eeb6850dc6dfcf1223ff3abd8d6324e642473fdd5cce7

Download Submit
C:\Windows\SysWOW64\Almihjlj.exe

Filesize
128KB

MD5
9824d7809c1066870fb82b5de4ea4db4

SHA1
0a6a303a542ea7fbb736e9e31a945d7156773bbe

SHA256
d38c4b25fc48e1f39f743cb328951af1feb02266befc2326c706583218ab7042

SHA512
15f644f0820e4ed2c7facec77d5037da3cccfb5edaa8d0b0618530ab4028e4f55cfccf4cadb1cd4bb3f5783f416549573ad7529ac693c6cf68093f9f3cc995c5

Download Submit
C:\Windows\SysWOW64\Anmbje32.exe

Filesize
128KB

MD5
9fbb37b7796fa209193d477fecb45c10

SHA1
e8dee8c33ce0d3eeb61d76eab0ad28f7ad04895b

SHA256
1409ec3216e25e7e04857339f893a472c9396127f2e70b19eea74f8c8eebc70a

SHA512
4ce6bbd804b43f69f5368f321f0f335a41c01b613d3b2d4b691c7280bc2de8134162a24fc52e5de69539a6750e4823b41013256ff69c6c60943f246d6a5bff04

Download Submit
C:\Windows\SysWOW64\Bacefpbg.exe

Filesize
128KB

MD5
ce90c618cea5fe12c3a89a78448e15c5

SHA1
fb9f1d052acce56b172a51a5de54b709409f1446

SHA256
4ce510a14253c5a7436c4750f5d25ed2793fd761315266b80e8e5f170ab4907f

SHA512
befd85d018686a48245dedbadb050c9d77cae9a7ffbcd2fe31ac454a34da4c22e896b39920ac5cc541acd3d099699503610f325bc4189a2ca76d859621eec5d6

Download Submit
C:\Windows\SysWOW64\Baealp32.exe

Filesize
128KB

MD5
281a8160c871442e9e98d89688923c7a

SHA1
6576f16a9dd63fbaae424ca64f1f796f56451666

SHA256
baf33ce2e644488948291a0546a210683c6350a044f15a5a0937569874685f82

SHA512
65aab88e7f5049c09a360b4e8ae1d8e9194fc6b8e66d7dafa534fe1253601f8598def7acde6f940ee838a860d615f43b3fcbca76006d4a766d5b15bdf1cf2548

Download Submit
C:\Windows\SysWOW64\Bdaabk32.exe

Filesize
128KB

MD5
7f938a818f9b547cbbadd4ccb3d1d981

SHA1
ee56f9dd9b0725cd198b1cf20bfb8ba952406fb3

SHA256
dc056ef59713871d9fa80cad73e1f6ef8b9f61f628dc16e8eac4f117ebf42710

SHA512
35a58b89ef2113322f8830fddc8be8f4b30bd796e381e382194b63ea832c391e50efb581a4d382f4a5cc1eb79733d4e1e8359f004b20a9c5a11bdec78c3cded7

Download Submit
C:\Windows\SysWOW64\Bdcnhk32.exe

Filesize
128KB

MD5
f6cc213354d1ddbdf25805404f5f0704

SHA1
39a74e41e33f981c39882db412dabe240b5a1ba3

SHA256
34518e803e421c338e9c053b266f5c32bad32ac2d5ba80619c0d3cdc4e50637a

SHA512
2ce6312ed8832c127a8a38bf9da84a2dd9cf63aa01eb34aaad597d4b0ea21612476b3107c0c1a4561ca40cf649d7b878746d260c4ec11c209759ec47947238a6

Download Submit
C:\Windows\SysWOW64\Beggec32.exe

Filesize
128KB

MD5
2c26f56def8ea8e2f6fe078ebbb2f715

SHA1
7829bc20adf769f09706411a7e806908642c63aa

SHA256
ef7de0c09c617e38b0e07e445dd87f37ce5beb09c44fd8b57fdfeab7dda93ed6

SHA512
3f5d13d48b1b3fb8173b742d781236c4bd562733ef2b9699c0dc0211a72e89de901142af6fec693390974f768869909261030f571205c0ef74f972cc07066768

Download Submit
C:\Windows\SysWOW64\Bfbjdf32.exe

Filesize
128KB

MD5
5c491322a4136ee56c9ab7c24d949899

SHA1
3e725763260a28aaf95a4f906b2dcd502e9aadfb

SHA256
3876e966b9817f6aa6d46158f04e04ad2993bf6745ebdeaa0bc4d1c231c44ccb

SHA512
7d19fb071a01c3f3954126ada85636c61a5d89a6fc53e85cb998c7bc3d48ec0b0f9b9303a56fb6ed6cd6064ae11f72f8118716a0f3966b7f2b3f7d5c2ab4b4f6

Download Submit
C:\Windows\SysWOW64\Bhmmcjjd.exe

Filesize
128KB

MD5
a0d34a49a8966d4b70560000fa4b0387

SHA1
4b1b274a6f61b1f7e36bff02ba1d300bb914482d

SHA256
3fc31f542ba503afdf8f32e1e62a17a60099c8f0f7c472d63dde8903c3910073

SHA512
ceea8bf4a12d361ba4af6c9dc63a6d331e372e455bacff70ed5d573d545423ab69e79cc718231421f1c27fec5aba45126dbd65d01eafa64dfd6b0c00bb447cd1

Download Submit
C:\Windows\SysWOW64\Biccfalm.exe

Filesize
128KB

MD5
9d3dc29ae67f23d08b1ff447f31028d1

SHA1
405814082785093d8be4f7f47b3dd1b560ce1d83

SHA256
e646741e4384a757f86d874fa60a637e4504798c425e4062a05922a629f510b3

SHA512
bb341c3c22d6a6cdd0ed5afb93a4f7b6b53eb65c42e1e5dcf12d7431e02b228b22466194224c9768e6d9a59a18068558b90b84dddf04d12d301ee2783cd3b1cf

Download Submit
C:\Windows\SysWOW64\Biqfpb32.exe

Filesize
128KB

MD5
0b9faed7d52c3d97c149e9fabe82f388

SHA1
59ec0cde29c8b24a2f605d79dcccebaf0c82e7e2

SHA256
d8e5c605e50b240db7abcb64933a7a1551dc52029784f9c62ede4b974bc7a490

SHA512
7b0f04413c387dcd4d9becb375bf2a391e77897c94c8eb9b9380d3846ec49b7f8dd9c5ef31eebc0f786cab362f1159aa578518febf335b367fba7563402e7e3e

Download Submit
C:\Windows\SysWOW64\Bjfpdf32.exe

Filesize
128KB

MD5
e4da42546b3cf917526bb42402ec0c6d

SHA1
bc14a6778dbfa954c218cdcbbe0b063dfda1596b

SHA256
599a88a73722670693e57164f711c263cb1836df8415a132f51bd37bd91decfe

SHA512
f5cc2b618602d367bf65db78bcc2f8fd697610c7e92d66a28fbf9286d4599c316f3e4e1cf13e7d4a8d244685e15f8d5ee5f27eb864b45f34e62685f63fafe511

Download Submit
C:\Windows\SysWOW64\Bkkioeig.exe

Filesize
128KB

MD5
8ec5763136d3547e4c666c220086df6a

SHA1
ec71aaffecc60d8756ae02dc79556e2d2bbf515c

SHA256
178686637567310aa84d6c1b0b6da176f0aa7dad1d4d0dbd2d560a0e9b975753

SHA512
5deea8541f9b029e136eed1658c7e7304cb45eb95573b7c7366cd42dfaebfe9058d58d402d0088b326230077169bbda7fe51b30dc0ce99ae3556f4f3c6cad756

Download Submit
C:\Windows\SysWOW64\Blobmm32.exe

Filesize
128KB

MD5
4db10f9047cb22af6da2ee6bb322300c

SHA1
16fc7695e4063bcb1c4f1e5da9a560d453ea0464

SHA256
21840835b829a3879e0f2c543febfc3736997a74d2db3219354a02e32fa794fc

SHA512
dbc8c85b892c724fbab4f6d4914d81459132a9b4f9b0191ed7f5b137359d087662abcd73a48d62e1934f2696f4a176d4844938f6fa6959802521f1ce505ff36c

Download Submit
C:\Windows\SysWOW64\Bmelpa32.exe

Filesize
128KB

MD5
8fc2d8b13d62025fd87e72bc1afa6222

SHA1
b2fe1c82347933b268def743fa1c374317101103

SHA256
3d6cb5f88b0a7bfd2d456d0054a7487d51542bb51f3be781c569e9fb870a3cc5

SHA512
9b7758c017cccb644bb7c12146526e5badcab6ab65aa71f8e20e29285ca1ce7c1eb86046f44bf3239b5d3a010173d8b8a1e72164fcd2609abe06d77c8542fa03

Download Submit
C:\Windows\SysWOW64\Bmnofp32.exe

Filesize
128KB

MD5
c9c4d3761189b0f4b928b1a3f1aaffe5

SHA1
2e5876af1b0c039f7e7c5fde6422504c53f9f6c3

SHA256
22eb4542f5f99a4228165fa0ffa5f08454651e17d8b29e48297d1ffa24c66bf0

SHA512
0c012737ce3cfd95e34400eb16e1ac5520ad6e406d504d26664483c786f14962fc25c55bc1b778f90a20b364dc64c4a7ec02f192161bf70a0a19bcf28c23890b

Download Submit
C:\Windows\SysWOW64\Bopknhjd.exe

Filesize
128KB

MD5
67e134eae1ac5de7dda806067f3316e0

SHA1
0f6080b065084675b0e837f27fde8bd30353fee6

SHA256
2e7e1675750bc32ff843289d643df35ac103e742dda7622b1524d9ea174b7c81

SHA512
dc56da2e711b6fe30dd40c88c95af7d3f5b1b6d23aa7a5d3f1d9fff8216707d287ededb76916293f7a48298d07b33a81d79dc0dc4bd352ce20562c219f199b28

Download Submit
C:\Windows\SysWOW64\Bpjnmlel.exe

Filesize
128KB

MD5
311f80de5f7986130baa469823c6183b

SHA1
c078c108c9f7800216c2cdaeb038b43c3a1f2e1d

SHA256
670ad1872679e5987a94bab0aa5f2f0e13ff11ad21a1d53c75ae9d5728a3631c

SHA512
dae1efa8f30455c1ea4720683eed103f12b2280981819574d1b758373c96cc0c48cd9a5c20a842e10cd5650930f94df4eb26a1e48cd1e77e5d8abd9198929ce4

Download Submit
C:\Windows\SysWOW64\Caenkc32.exe

Filesize
128KB

MD5
2ec765e43a752bf12e2498d8ea415353

SHA1
a5fcf6807d47415fda934c12b0d84ba9b133618c

SHA256
f6c60372c8efe987d9c6aec504b43de4823fd1198772385a15d7b365a3ad0a04

SHA512
ad54052d75711096904534feb2877b58dd4710dabb4737ea4ba048681ad76c6d8eff1aa74bffdb1397fc74b8a7dc71b1afc492038527cce7146e1df95bf4b60e

Download Submit
C:\Windows\SysWOW64\Ccnddg32.exe

Filesize
128KB

MD5
2c62078ebf98f8677a4bf9be4c618f98

SHA1
5ffef88e86283f3b1e3154eb666f3924130edfbd

SHA256
af4dbfbc44e490b368aa06c522bcc3116190af31e497efd1840ba21f03313154

SHA512
13b953bb7a05940a211ec1ea578cfd0970cdf39885a15fd5d8922b5a4ea5ef3a2f1f48975f1b2956b36ae063bfb78b5b7f20c727f1230b4ae02c11c5ed072c48

Download Submit
C:\Windows\SysWOW64\Cdamao32.exe

Filesize
128KB

MD5
f75b8294b5c5fbcb4c8125192f01ed00

SHA1
b705d5016fd555f982197d91c2fab7d9cc80c86c

SHA256
a442d3101c6da3352dd6770b3bb99e1c0bf02d3c1651e68b94b9215d02b9a57f

SHA512
ac899b697b0919b1875bee7e00c8683beb98026602bec87a51afec75b71c08f3fd8bc3d813129a2542f2fce7f02ec4221ef58e4132628fca44757e911606d660

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
128KB

MD5
b7a618b1d4f746d54a7cf4a94e325c52

SHA1
0873396967f2821f1b34a2626262951f5bd710d5

SHA256
642ca7bb844df5184693418173438de1cf420b18160be97ae522308874081dc6

SHA512
84b83169fd4de8243ad7b0a738f746b803b5ecb586a62eb38734c68cdc4728a393c230cb94855590298590494fee8619ddaa132a4ce6144d41457d2c14a08663

Download Submit
C:\Windows\SysWOW64\Celpqbon.exe

Filesize
128KB

MD5
ef690901b0c67668ecbefa90b3f7cd7d

SHA1
0384e4d6eff773ec943c4a3e56ade11043e56541

SHA256
ce8e30b43db7b41f0d750dadc3d620a5e6ebcbab016208db57b1b5f0f0c64454

SHA512
c3f4a4cc1cb37e4f6a8be029db97f2a17abf98517f06d7756b58d9501575447bd4f2dfd19432fcf25f101b592b5fd7883a2d8c4ee639c3bd76cbbc2e18a291c7

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
128KB

MD5
76d18e6b89939969684b465996447a8b

SHA1
14975e505b76b2a8a71dd20a73efd72cb2f9ab93

SHA256
9e2795dc338a59e6515b7fd927c682830fb90331da3238d62a5de8943029615a

SHA512
a498dbbc40fd005f6e2441f6cb22914bbd5f0e49ef27ede344a945ded52f95bbf07463bee35316109dcd3adb370810a5f7418cd28a2886409e1bf9079c93ca6b

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
128KB

MD5
16a6256683d7ac52902d81c39489407d

SHA1
048b8e12ad37e24eb4d25a812a537576c7f492e6

SHA256
f710a355ca39c27ab54baf6981b22bb7ab9bbe91942e95b22b421ec9f3ddf055

SHA512
0852092ff5eeb4dd70776a47529a690cd4d00ee6c1aa06f2c5f7aef7182504ea5682bcc4f865a526ca68f82294d612027c7764ffc6304ab3d853eaed58865612

Download Submit
C:\Windows\SysWOW64\Chhpgn32.exe

Filesize
128KB

MD5
8bf869b576f43b3f20f94b0857f156ea

SHA1
2dace66e49f5bf4278cd6fa3584154ec73d32433

SHA256
47d270f7a067720e9ccbcbf3f7927b400893ca4844b551744d0d4ce16f530ac2

SHA512
24336b5342ecd4fb98cd93f66ccf4f1047b34f7f8818a50e6fccafe9c70cc4fab3e3eca36f89b69d4d9d7de0a6eb210bb28091d3ac00adcc1ff2e910103678a9

Download Submit
C:\Windows\SysWOW64\Chjmmnnb.exe

Filesize
128KB

MD5
792d73c37db514d5cc81ba2ce7783245

SHA1
262f615bbce21827991c9cfa382687c689906de5

SHA256
80612696a212cd2c793bfa0f043c4eed5170dfad84f76c8c5391d1758713a2cf

SHA512
6c8cd65258484edfc9067ec2c466a2b1833ead7df2c91d22201627ef10061a012929b6a2eca5e7c37875bd9757f96d20b0e93092437d5aff605121b77c02bc8d

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
128KB

MD5
59dfe5bfff497cf29ebecf62c977b4a1

SHA1
e528535fc1b1665a21f2409d0a536234911aac1c

SHA256
6817dc7d852f287a1dd54cfa8dfd5e0ed054aabbdb5cc29821cf12323eee2fb8

SHA512
e4fa9061e8e144392cc71b0708e3ac8b091de24be85e6878dd27002fbae6b93e616bd3a5fa9f448ab44f1ab288c6a932e68c5132daaccadbff233eb42fcddd40

Download Submit
C:\Windows\SysWOW64\Clhecl32.exe

Filesize
128KB

MD5
30900d8e87253d0b8bab3de00280b3c2

SHA1
d66613bdbe4299eb92883e165eee024db2f2341f

SHA256
33186421cc890f4d648218a58c82ab21a190fb2518686f75ab8248c4832a60f4

SHA512
cbc03987c8fbfc2fa1bcd86ed7a6e8bcc7c89d03085dc604407477e3d94d1634d11303469e397945547c80c3d12b5d90cc6c1e4c1f82050a9a92347aa5876c12

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
128KB

MD5
1aa01fe97ad10d9cff4da25a6cf392d4

SHA1
d35ab7c3fe589ea1ff365ecef695a70d5b7cfc66

SHA256
12db42f2f51637707542cad970b9a269b532f83474219ad546040c5f681ea915

SHA512
eab60f38288f2ff7fa0e93219f9ab99587115adb6e8737be21de2feb81edb66b3b3b2afa12f0c183183b5142dfc8c580cc97780a0f1ac8d0d4227ad73c6d3254

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
128KB

MD5
8af925c8532e20afbf32d0c51c22c159

SHA1
a31650567d0ebd20777ee32ff53ac93d42ad0bb0

SHA256
56e936d9c3104e9f2579be28b12fc87e5e93f52dc0f0be1a64039da368616e9f

SHA512
43830b43393c9956883f2044d4bee6d24dd790048fcaff2ebca7bcbf806eb1d15378a579481f6de7fe54524f36293080179b7c283590a1b654b53d2ad0b1c1cb

Download Submit
C:\Windows\SysWOW64\Nhjpkq32.dll

Filesize
7KB

MD5
35ccc5bf305806f15ea1aec9f1abb260

SHA1
2e5d7080d5ca5a60cf72453fec5e40c3469d2459

SHA256
b3ae7b2e1e2ed715dad57925038bbbf9b86c951920128d0a2cc01ba925a13eae

SHA512
249db7353d9e48037acaf0e11efd817ee57fa49a38c174333027ea945a6415cdbc91fed60fe4da426015834e69f3f2a0797d6d3d6e398466b8bb8f6ea15784a8

Download Submit
C:\Windows\SysWOW64\Qcjoci32.exe

Filesize
128KB

MD5
620d97c340bd7a15ffa36a60ee1e4f3c

SHA1
f89fa45a8b3bd0eb179b2c4a41c73d7ce7be7fe1

SHA256
3fd14886f57c0652188582fae10303bbc72d6ee4dfaf3a5d8c73e1365e7a46ee

SHA512
0561e6d9bd77b1c0f36a7e5ac04cb338d2f91a4b3ea8ce93642e24efadbb2ab848e7962975ecd6094622573adb4fec195a92971b516e1f366f38c642be73f764

Download Submit
C:\Windows\SysWOW64\Qfikod32.exe

Filesize
128KB

MD5
01a03fe4d7c6e51d45742cd44343b383

SHA1
6503ff6be336252b54254a73607db79fb6eb988a

SHA256
2d29e1b0a1a2491fc6ee58fa9a6f3aab6f005db1bee9fa51671f9df21f3d19be

SHA512
7f91e9ad0a757b1e4e1be9d8ede1cd7440d5aa23d8c8c4cc33e893a920992146903bee323de920dff580a0441b571d1b4530640d242c91ccd217dbd93d64ddaf

Download Submit
C:\Windows\SysWOW64\Qijdqp32.exe

Filesize
128KB

MD5
791eed20476343eccb91ded3f927fd99

SHA1
f85602b5fa38a9745fd5eb75110f20b0f4f9ae03

SHA256
255d49a0cdf341de00a9559d04ad2147716525eec95a6bf24c2f8c53591b2dd7

SHA512
3ae794e8690c104b5c3bf882bc8e0fa7d4115a968e0973b0776becd63f2c36ad7889d6d67a22047837fa9e52566abfe88936e7779f3efc82eb9586b4884703f8

Download Submit
\Windows\SysWOW64\Ankedf32.exe

Filesize
128KB

MD5
7063ebf8b55fbd24452dd54182ef635e

SHA1
b65b5314e9c4310c4dd396dbd868d3dc56a227e0

SHA256
f4008a51e162d1767cf9640db84ab730c472d82588a30dfb69af672fc2228c9d

SHA512
8c6bd175b10dabb057f1c283dbbe9714374654cfdff6b31650d11c9789c89b2d8fc06615028b46dff800b46d98ddbaf0419412670e4496b8e8341b84c2c19405

Download Submit
\Windows\SysWOW64\Pjbjjc32.exe

Filesize
128KB

MD5
2bf6ed3ea8c8ba1122277fbb7f47c5b5

SHA1
399b77add54891b972d008f04b4763811a8afed1

SHA256
e0998872589397f3bfaf16fddcf75e2c638c933610b586b6f20494321fba7785

SHA512
a3f0c81351534db4a317ec5c1f89ced9eef3b7bb7c7745d4148e361702363cc8d425191a7ecb98b277df5d1d7d1a6015ed23642d75007244d687883ec1019dae

Download Submit
\Windows\SysWOW64\Qcmkhi32.exe

Filesize
128KB

MD5
cf2ab3dc4c373e74d4260327b413c61b

SHA1
c3914f07617209dd5d22eaf596ecf6e708c09b3f

SHA256
532d3a4d569e8bcb56d9a6dee8e6292070e2a567455a12ef4d0a5e51bddd0683

SHA512
dd8399001506fe0e3319e0a376b465f7dff554022eed6e10f2f38019bc252ba3f83e542e3dd9969c23822f83f71e6286169cec5e5c6242d21e2e264284c7aae6

Download Submit
\Windows\SysWOW64\Qfkgdd32.exe

Filesize
128KB

MD5
3721f4fa64c19173a572f50878fecafa

SHA1
d216593bf3975f6bbcb8545a041a3b192729ff5b

SHA256
4bb53a167b385cc48423025704ee036488cc354ac95a275a7f7747aaaa320a8c

SHA512
083d75f025f6ed21acc776dd41a5d02805de2dd97c18d56cc3a60b300d925d7ad3892739e3d8eb7ed0d168daac49ceb693276e353348cab03a89ffb1ae7588ee

Download Submit
memory/304-380-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/304-375-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/304-385-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/596-228-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/596-217-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/596-204-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/608-272-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/768-203-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/768-189-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/768-197-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/884-484-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/884-469-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1084-121-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1084-129-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/1252-433-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/1252-432-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1320-293-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/1320-295-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/1320-284-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1508-259-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1508-263-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1508-252-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1580-337-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1580-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1580-338-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1612-435-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1616-253-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1616-251-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1616-242-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1704-326-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1704-317-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1704-327-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1736-316-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1736-315-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1736-306-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1796-391-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1796-386-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1804-294-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1804-304-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1804-305-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1892-402-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-237-0x0000000000320000-0x0000000000365000-memory.dmp

Filesize
276KB

Download
memory/1996-233-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-241-0x0000000000320000-0x0000000000365000-memory.dmp

Filesize
276KB

Download
memory/2132-235-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2132-222-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2132-229-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2136-454-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2204-156-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2204-149-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2216-434-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2216-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2216-27-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2272-115-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2348-392-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2348-401-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2372-162-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2372-175-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/2400-430-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2400-431-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2400-417-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2592-283-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2592-279-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2592-273-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2716-67-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2716-485-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2716-75-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/2740-94-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2740-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-11-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2744-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-409-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-12-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2864-53-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/2864-41-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2864-449-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2876-370-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/2876-369-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/2876-360-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2884-404-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2884-33-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2916-102-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/2920-147-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2924-183-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2984-453-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2984-464-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/2984-463-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/2992-345-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2992-349-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2992-339-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3000-471-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3028-350-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3028-359-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/3060-487-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/3060-475-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3060-486-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads