9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
Size

59KB
MD5

6214c5f9375c44bcedd5ec2664b85b09
SHA1

b650a20e19fbbfb5ea7e5ea1eb8e449076082c49
SHA256

9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248
SHA512

5d8960b5f89e877faeac0317b64da53dd386b8c3f5ab6552614d6a1da444ccee2377973726bb3466a0bcd9d25981af343933fc48f66f274491a83ebd0915bc3e
SSDEEP

1536:+ZsJA/2oT7/krM4D9EyxoXQJWMkPCWm8gvfNCyVso:+Zam2oT7/kKrzgQeso

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe

Executes dropped EXE 58 IoCs

pid	Process
2888	Pokieo32.exe
1808	Pcfefmnk.exe
2648	Pfdabino.exe
2284	Picnndmb.exe
1268	Pfgngh32.exe
580	Piekcd32.exe
2076	Poocpnbm.exe
2828	Pfikmh32.exe
2800	Pihgic32.exe
2944	Pkfceo32.exe
3004	Qbplbi32.exe
1856	Qeohnd32.exe
2576	Qgmdjp32.exe
2144	Qodlkm32.exe
2196	Qqeicede.exe
2492	Qiladcdh.exe
3064	Qjnmlk32.exe
1208	Aniimjbo.exe
912	Aaheie32.exe
1664	Aganeoip.exe
1308	Akmjfn32.exe
2568	Amnfnfgg.exe
2964	Aajbne32.exe
2372	Afgkfl32.exe
2548	Annbhi32.exe
2780	Ackkppma.exe
2692	Ajecmj32.exe
536	Aaolidlk.exe
752	Afkdakjb.exe
1408	Aijpnfif.exe
2100	Amelne32.exe
2984	Acpdko32.exe
1300	Afnagk32.exe
1952	Bilmcf32.exe
1804	Bmhideol.exe
1280	Bbdallnd.exe
1828	Becnhgmg.exe
3040	Blmfea32.exe
2164	Bnkbam32.exe
2500	Beejng32.exe
1892	Bhdgjb32.exe
2332	Blobjaba.exe
1380	Bonoflae.exe
1560	Behgcf32.exe
904	Bdkgocpm.exe
2036	Blaopqpo.exe
2552	Bjdplm32.exe
556	Bmclhi32.exe
2708	Bfkpqn32.exe
2668	Bobhal32.exe
2084	Bmeimhdj.exe
784	Baadng32.exe
584	Cdoajb32.exe
2712	Chkmkacq.exe
2068	Cfnmfn32.exe
1956	Ckiigmcd.exe
3052	Cmgechbh.exe
1328	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
2888	Pokieo32.exe
2888	Pokieo32.exe
1808	Pcfefmnk.exe
1808	Pcfefmnk.exe
2648	Pfdabino.exe
2648	Pfdabino.exe
2284	Picnndmb.exe
2284	Picnndmb.exe
1268	Pfgngh32.exe
1268	Pfgngh32.exe
580	Piekcd32.exe
580	Piekcd32.exe
2076	Poocpnbm.exe
2076	Poocpnbm.exe
2828	Pfikmh32.exe
2828	Pfikmh32.exe
2800	Pihgic32.exe
2800	Pihgic32.exe
2944	Pkfceo32.exe
2944	Pkfceo32.exe
3004	Qbplbi32.exe
3004	Qbplbi32.exe
1856	Qeohnd32.exe
1856	Qeohnd32.exe
2576	Qgmdjp32.exe
2576	Qgmdjp32.exe
2144	Qodlkm32.exe
2144	Qodlkm32.exe
2196	Qqeicede.exe
2196	Qqeicede.exe
2492	Qiladcdh.exe
2492	Qiladcdh.exe
3064	Qjnmlk32.exe
3064	Qjnmlk32.exe
1208	Aniimjbo.exe
1208	Aniimjbo.exe
912	Aaheie32.exe
912	Aaheie32.exe
1664	Aganeoip.exe
1664	Aganeoip.exe
1308	Akmjfn32.exe
1308	Akmjfn32.exe
2568	Amnfnfgg.exe
2568	Amnfnfgg.exe
2964	Aajbne32.exe
2964	Aajbne32.exe
2372	Afgkfl32.exe
2372	Afgkfl32.exe
2548	Annbhi32.exe
2548	Annbhi32.exe
2780	Ackkppma.exe
2780	Ackkppma.exe
2692	Ajecmj32.exe
2692	Ajecmj32.exe
536	Aaolidlk.exe
536	Aaolidlk.exe
752	Afkdakjb.exe
752	Afkdakjb.exe
1408	Aijpnfif.exe
1408	Aijpnfif.exe
2100	Amelne32.exe
2100	Amelne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Momeefin.dll	Bmhideol.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Aaheie32.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Pcfefmnk.exe	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Akmjfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1984	1328	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qgmdjp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2888	2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe	30
PID 2768 wrote to memory of 2888	2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe	30
PID 2768 wrote to memory of 2888	2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe	30
PID 2768 wrote to memory of 2888	2768	9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe	30
PID 2888 wrote to memory of 1808	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1808	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1808	2888	Pokieo32.exe	31
PID 2888 wrote to memory of 1808	2888	Pokieo32.exe	31
PID 1808 wrote to memory of 2648	1808	Pcfefmnk.exe	32
PID 1808 wrote to memory of 2648	1808	Pcfefmnk.exe	32
PID 1808 wrote to memory of 2648	1808	Pcfefmnk.exe	32
PID 1808 wrote to memory of 2648	1808	Pcfefmnk.exe	32
PID 2648 wrote to memory of 2284	2648	Pfdabino.exe	33
PID 2648 wrote to memory of 2284	2648	Pfdabino.exe	33
PID 2648 wrote to memory of 2284	2648	Pfdabino.exe	33
PID 2648 wrote to memory of 2284	2648	Pfdabino.exe	33
PID 2284 wrote to memory of 1268	2284	Picnndmb.exe	34
PID 2284 wrote to memory of 1268	2284	Picnndmb.exe	34
PID 2284 wrote to memory of 1268	2284	Picnndmb.exe	34
PID 2284 wrote to memory of 1268	2284	Picnndmb.exe	34
PID 1268 wrote to memory of 580	1268	Pfgngh32.exe	35
PID 1268 wrote to memory of 580	1268	Pfgngh32.exe	35
PID 1268 wrote to memory of 580	1268	Pfgngh32.exe	35
PID 1268 wrote to memory of 580	1268	Pfgngh32.exe	35
PID 580 wrote to memory of 2076	580	Piekcd32.exe	36
PID 580 wrote to memory of 2076	580	Piekcd32.exe	36
PID 580 wrote to memory of 2076	580	Piekcd32.exe	36
PID 580 wrote to memory of 2076	580	Piekcd32.exe	36
PID 2076 wrote to memory of 2828	2076	Poocpnbm.exe	37
PID 2076 wrote to memory of 2828	2076	Poocpnbm.exe	37
PID 2076 wrote to memory of 2828	2076	Poocpnbm.exe	37
PID 2076 wrote to memory of 2828	2076	Poocpnbm.exe	37
PID 2828 wrote to memory of 2800	2828	Pfikmh32.exe	38
PID 2828 wrote to memory of 2800	2828	Pfikmh32.exe	38
PID 2828 wrote to memory of 2800	2828	Pfikmh32.exe	38
PID 2828 wrote to memory of 2800	2828	Pfikmh32.exe	38
PID 2800 wrote to memory of 2944	2800	Pihgic32.exe	39
PID 2800 wrote to memory of 2944	2800	Pihgic32.exe	39
PID 2800 wrote to memory of 2944	2800	Pihgic32.exe	39
PID 2800 wrote to memory of 2944	2800	Pihgic32.exe	39
PID 2944 wrote to memory of 3004	2944	Pkfceo32.exe	40
PID 2944 wrote to memory of 3004	2944	Pkfceo32.exe	40
PID 2944 wrote to memory of 3004	2944	Pkfceo32.exe	40
PID 2944 wrote to memory of 3004	2944	Pkfceo32.exe	40
PID 3004 wrote to memory of 1856	3004	Qbplbi32.exe	41
PID 3004 wrote to memory of 1856	3004	Qbplbi32.exe	41
PID 3004 wrote to memory of 1856	3004	Qbplbi32.exe	41
PID 3004 wrote to memory of 1856	3004	Qbplbi32.exe	41
PID 1856 wrote to memory of 2576	1856	Qeohnd32.exe	42
PID 1856 wrote to memory of 2576	1856	Qeohnd32.exe	42
PID 1856 wrote to memory of 2576	1856	Qeohnd32.exe	42
PID 1856 wrote to memory of 2576	1856	Qeohnd32.exe	42
PID 2576 wrote to memory of 2144	2576	Qgmdjp32.exe	43
PID 2576 wrote to memory of 2144	2576	Qgmdjp32.exe	43
PID 2576 wrote to memory of 2144	2576	Qgmdjp32.exe	43
PID 2576 wrote to memory of 2144	2576	Qgmdjp32.exe	43
PID 2144 wrote to memory of 2196	2144	Qodlkm32.exe	44
PID 2144 wrote to memory of 2196	2144	Qodlkm32.exe	44
PID 2144 wrote to memory of 2196	2144	Qodlkm32.exe	44
PID 2144 wrote to memory of 2196	2144	Qodlkm32.exe	44
PID 2196 wrote to memory of 2492	2196	Qqeicede.exe	45
PID 2196 wrote to memory of 2492	2196	Qqeicede.exe	45
PID 2196 wrote to memory of 2492	2196	Qqeicede.exe	45
PID 2196 wrote to memory of 2492	2196	Qqeicede.exe	45

C:\Users\Admin\AppData\Local\Temp\9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe
"C:\Users\Admin\AppData\Local\Temp\9daf66f000b6897e6c4043d0c5ef4f59f34a479b9e70660a914cef19e7a26248.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\Pokieo32.exe
  C:\Windows\system32\Pokieo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Pcfefmnk.exe
    C:\Windows\system32\Pcfefmnk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\Pfdabino.exe
      C:\Windows\system32\Pfdabino.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 140
        60⤵
        Program crash
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
59KB

MD5
33ee551642bfe89f4ab11564386610b0

SHA1
4240e513907d7b3918e7164d644a6ccd65c0070c

SHA256
dc3ff8d771a41bd0a1792f499aba4bb1ebc31a46323c321fe0c3a0cd559ad0ac

SHA512
f3c8a88d872f0fb75c993135823cb124e20914f7b89110739e7195638927336d3275a12daaa627f91b341c9e3cb1fd3a50a0fe6e59b3536c4b0112cc1e46268d

Download Submit
C:\Windows\SysWOW64\Aajbne32.exe

Filesize
59KB

MD5
3dac948953ce938f65a8940d019167c1

SHA1
cbb613da9b839e667ace1b56d53c9d70718f0fd3

SHA256
fa3e5042b924648f09b0e3a9d04accc723f8d0f038341839a7bf59c34324831f

SHA512
9f119633e68da16a1203e29e4f2ea9d48c38d9d8167d3729673f1dedec41af3226174a8be46334a4fb10644a7134f9783b48638d7d355ae52e1a33885647cd2b

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
59KB

MD5
2ac705213bcba336a5bb5b015b77644b

SHA1
c44482644f1fa006bf677b904da9b8f184ef0dbf

SHA256
1931ef606eb2828c935606b499af62558beea17b2630ec252d88cb51f5628c60

SHA512
564f7ef5904fb892acbe4337f8f4ae13d58ec120a90ea6e0b1d05620a4018fe62ef028e619370c21de1317efc0aee4ac4a6bdaa7c0d13460ae2586bfffe3f582

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
59KB

MD5
2a3e0f3d6e106de33771d6dbb84dae54

SHA1
afaf5ded69d7d30370d03610fda3da58c0074e04

SHA256
d115cd013b80b1cb57afb06a73e6163e6e537070023d88791a37c5ac2580767d

SHA512
083a3d96478e99603789c4a4379e9a76b2aea88ba5edc9a6c12325bd4427858664cd95a8885c33490cbf362a24c1a288a8c267e955f10a076412277d9416fc42

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
59KB

MD5
9dcd510d7a70c576c1058c54503e01d4

SHA1
dc596302d6664a0a03979c04bf68514e6cda3e05

SHA256
d08f59e1091d26c97694a0fad47129c20af44a436332fc7bb987a5ebce515748

SHA512
708142467fa9cd3bdf87d419aa6c2496b480135786c3e600d979f36c0a37ef5b8fe4929c90f9dd5c593eefd0ead0eba310cb81d2a3cd8fe73640d68082f2ed9b

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
59KB

MD5
e9bc5447ab348fd86930772df5417ea3

SHA1
92c3cc2f1d6f6e363e996ccee2fc89f1dc12ab3b

SHA256
e1cf180e0df585e22081a46ab4e2edd7f395303101e24e1d4e0c15071f0c13ed

SHA512
6b7188f00779bbfb1f8dfabb6adc301aff4782781c9e9737172e18595dcc57ba5d07086c0d3c8ea913f544104bcabf18e42a904093fa622b2fc838bf532356d9

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
59KB

MD5
55385545ab6c16ed4bc2ca478312bb1c

SHA1
429306985e556baefd065b1f6e633e94acd29dcf

SHA256
71a5a8ee18c84aa2601710a3c40d60a9b0135989a79b7fd39e391167796ca685

SHA512
6936e100a92ae02f177c07dc4a441794c9f7c3b5a5fd2d659247c20b0883e09c1d47c3ea314856381e000eabb5874076816e571d4d931a95ce6334460a13c7b3

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
59KB

MD5
d2b4a1cc0bf2e2e68b25006376971232

SHA1
6c958fe0af2f01d2fad13a95abd9aaa373aaadc8

SHA256
22d666580b6bbdc258e3f1f013c86211af5c94d79c0d6058c224171e6e078d1e

SHA512
c8455b78e1a4096f08d5e3806c158782a758dc796e7c17defed5842cc7a108b7917cd29cb1aa4eab5bfce65480028f6ded4e7969afddbac6051c337232b532bd

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
59KB

MD5
91eb1ee236e021dad60a430fa51738ef

SHA1
7d07b92fd2af6fb6a03d5fb3cc395028a56c78fd

SHA256
ff9c670aeb0856042e527a910ab4de9fe089aa4a39c788e254b433c5f7a2f584

SHA512
1179d94ade24f604666d82ffa08d617f6f0730f809412119036f7bcefdb06779e2c280241f98de636153d58b4158116e07c7dba6be5dc85d02a0bcf684e5a299

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
59KB

MD5
a5d9f5064c0abd79422e1c7b3e76e567

SHA1
8f3c05484a901faafa875c4bd70186d90336c848

SHA256
e4139585efee913feb7a343742a90f327f345f786154285d6eaffb068b5ef3ba

SHA512
ea45aaa2a67c0dd8792d72e3fd42e3925a6eb3c1f522930e9d48b860fd36e643f160dff464488cd9e331247bb7f22a6ea85a8832a801721cdd3e4dd798efa4aa

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
59KB

MD5
5f4c560103c6d43c963fba3ac0030a39

SHA1
f00d8a4d2e486ad8aae407cf5467d1a71dcc2784

SHA256
29c58adaf5dd93915a46e70ac3019fc9c84c7264784cbf05ebff1877022fedbe

SHA512
2512197a31318139a7f6391ceec36f63d1f5370939b630bd42c696925191d839f1e79dd0409b8f201a271b9d67a720ce6ca2d9eb6a688d62103102a8a2d83951

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
59KB

MD5
eea398eb6e6f417b6da88c71c6481d31

SHA1
17d92c2c3398ec82e4f15d09236fe2ce5f0b09b0

SHA256
4666e5be1c9b93e26dde575b62fc19ad630ac45a5c86dfa638aa49589d529307

SHA512
0a017ad304f57a9f0c06e48225eb4b9df951651d5c167fa5c13c0a81f67d84ab1f0bd8629d7facd26fb0859ec8da35f1a9ddeb55e25cccf61c2aab2c7f9627c7

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
59KB

MD5
4209919fe5586b385713c4304c07b8f7

SHA1
d85dd6bc86b88fc9a0e8757e0212d44a93128d5d

SHA256
12a54353dbacd000922d1b02dafcad202818d10fd522c8440cb543165eeca44e

SHA512
8f746e7d2e9ae1757985817a52409e1d244a5c5b045b0eac0c38fbcfb3d63ad1e32fe87a7ab8d07652b91a77df2808c999cce0fdf77ece7e50cd161edb437b3c

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
59KB

MD5
89e715f332563c8877bd6d8dfe1c86c9

SHA1
6d08d8d46fce028891cd4c15070ea10c6d0414fd

SHA256
8788f096f412b9ccabe7e5a65f227b34a2cb25c388bc83e25827a71839adb6d3

SHA512
3a3e0f9b7b269b825c62008963aa287941d762592d981299fba653e729e5735366ba7e4c277521ac6ba21a271f80181113f16c85fd4b6690f285b2c1d1605ec7

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
59KB

MD5
068dc76c21b168550b26d7791d43fd26

SHA1
c81a86b4a2ee37e3b3c5d3ab77ae5ebed29887eb

SHA256
03765d4575a08af5c7653935227f10998580165aa2dcd85b3804ff04820dd9e0

SHA512
b28695ae657985be2ce68c5c7fc871e0afa549371a0308b9db9ae3579cf4d6c7de8f104114b8877838c8d72469757c3b0f0d1886250165e71ec34c6d0b5906ec

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
59KB

MD5
90020ece9926892727496a71628c3b83

SHA1
9f54d4aeb3d9509b37d56847625899ca5e1e244e

SHA256
1b14805ac0dc53e32723c09ec127f61dbc94b4ce061e9f01619962bd29f5840f

SHA512
517f6bb50c33a16b6ccb0ae5ad391897cdc164badaca79e64b4bde0e608b1fdb420282501f1817100f92f67a663f0509e0ece34aaa2fb1f9cb94baa5704c88b4

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
59KB

MD5
289c3a2721d7ea73395624578355ea87

SHA1
655c2cbed52ba77c50ae9b5cfbf31101fd63317d

SHA256
c63588de1f4ecb09af50ee208cf488c68baddc0222f70aec0bf03f88337c834a

SHA512
7cdc53580c714dfdf249e6858ef3c06b3a2b5372e5defeb0148df8a05414f5a89f08ea1fd8a9ed4349a1927de83eb7fe0e392b6ad55fd8f0c931f5633fef9856

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
59KB

MD5
04d528e7b711ba3887382dee39adc0ed

SHA1
c1b52157ebda68358a939ff6f95964341c4d1e67

SHA256
828e9875f132baab7d48ff8d2ef4500c00653bc905f895135ce7eeae22a8d4d9

SHA512
35e4dc348658975ffd3ddcfe97ceafa7a63dd88b10a5bf1dd885dd9dde8a83277dd8264858f94b5843d1ff2b6ab4099deb6a691d75f73a32cf4445d2bce8779e

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
59KB

MD5
f3215a8f8f545889092fccdceec602d8

SHA1
cd40529f6d94c053c4ea6ba9dc93c45bdc8500e1

SHA256
1cc75d7a079225be7390e29e8cc6c667c8a7c85d4d1519af0027b159e6631dca

SHA512
970328fb6d5b332b23df926de40074e1a7b2b0b479f5eff5ee2d01414ff2de8d90c4fbd84066ad1e702552824f769c31988b817b62ed6acf600840269e99b227

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
59KB

MD5
ab2c41d3a8cf4273aa511efffa2b2a72

SHA1
2f394ffefbdaee4151ffd052b735e1d4fff64b37

SHA256
a132b0ecde4bb3b9b21507d31ae6888e8688de4495021c51895e187053b1dcc5

SHA512
0f2127dccac15f19d685ea4e0f963d60bc93d7c0f7c213eb1780fef61fa9d0cb2bde005744c1b93052d5ca097184730477a33629595410148b0e78a2c1586c01

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
59KB

MD5
0e97184286b9cfa5dfbe4a2d1767966d

SHA1
c4647688ec195edc0ffa4de93acb3f12671a7cbb

SHA256
c094cf2b1445f35c8314be91fa27c10a67ecb7730e70208bbe33affda3c994c9

SHA512
bf01f835aa53505cdd088aa938b32bb9d4261635917d3d5d769ebe418e17e55d0bdf720c1cc740764fb95c9dd0f921db5f06716ec5b11f4fd9142ccfabd04fdc

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
59KB

MD5
a485857c4c8b74ddbe6edef8760d723d

SHA1
43dc2d94cd3112af0b8b58bf6921d6d3dcc916f8

SHA256
73fafe5b0a1a10e19a6224fb85ce38dae9cc975f2a3d287a36c41c8a728d0890

SHA512
beb967a1c5a57c839c852f27c191494e92797121b44f5de6f49ec6012734479d4021fc60a2296f2c07b59b593f4e1984a722df3f4baa3e1050d58a31076a7ecb

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
59KB

MD5
f3e817b0d833bb248c9fd82c3b80b24d

SHA1
f6fefd110b11ec512b8a7f9c318b0a375e8c8292

SHA256
5bc44e8479f926be247894f7e1305f64fb88e705aafc5406793b6823f99cb6bc

SHA512
867d5f4180fd30c324ec532fce50ed465dae95e2ff2744adaac861fbda889b935ed255991692cfd443038a1ae17d5e7623760f1a7c96f51d76b0fa1e497e62dc

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
59KB

MD5
7dba7934f43e10784e7021066474c1b6

SHA1
85d1ba0bde4f935f82a0d05cc69cd346d2fe8698

SHA256
f3e9580d5eb4d8860656264b57776d5f4d551618534b8c301d388436f7f591e5

SHA512
6b312e1e77b8f2d5b09f0ed389f636ef7ce2e56bf0b9e2d0f28010003d0022f7a3c3984595021e3a8b8115954d7c66fc6f69a6d561e5260ff92a3983373712bd

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
59KB

MD5
9ea517104e1c01dc203d5bd695323515

SHA1
97e162d291da290e75fe19df1c32b4994fd9b2de

SHA256
4df2ce1073eede6081ca6aad4132948f04b4fd40b9ada45933a0c854d30d5cf0

SHA512
baaf20f46f785cd8a9bc56d834f2a5bf24e9386548f682f4e0f9f32a0d46a73e0148a59710565944134bb7dc037baab7ac77dd304f998709a832ff8b4de67895

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
59KB

MD5
b540159937826ec2a56294721996e586

SHA1
bdc538820a801016ed2673921ce94f7392f3f564

SHA256
c5a6a4b55867e27992cf17ab88f093d2907f6ed8acae713cd1dc10dd15b48049

SHA512
3577816fb3d163d071624636ebb1a6f7217051c596579bd0c54ad43b6adb0cef81c2a8e229082e9081681e747b28ad975cb9dff208462a449c4cf28737103259

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
59KB

MD5
0e2ec2a3cf6c2cc8f52625d1e79f11c3

SHA1
406231f5caf04558f922bacd6d0a99b5e9ce6b01

SHA256
07181cfeb651405ccd633a0765c76b3bde0216302b586fa4bcb36de27b828d28

SHA512
06f48a9af4641c9e4f1840743514a5e5945199a1498bfd8ecae265ccd776d3b5e31382fac3deadfbd2946b2a871497f4a563d84490834a5d156e96884c7abd20

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
59KB

MD5
289421c9276b00fbd5666aa466890099

SHA1
21b893b6810c138b23a8ed9994bd8032371447a1

SHA256
167b59ede94cac263b6a761620208bc8fcb8ac34cf2ae26ff31747a41b6d43f3

SHA512
44dd174194247d27d272af0540669ef61356ea00cfbb258564bc98072c04561763da995b2031a031d796af92f10945883365317aeda7f3faa062e40088cb30ad

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
59KB

MD5
96a56ad4f12d15136c27d27a2156637b

SHA1
2aa0888e06743a5a35193bc3d7a99430e625b627

SHA256
4719482133f1e670f734b92dd3f2c75ff2e55a491d937f219754f0272d68129e

SHA512
13a959a499203f2d02db226a15b7c230d20e3d42a56f07dacc178baf67eb972c5111562a9cb9b3a74f16714e770cd0b969e595236333d3f1acf7d2043060c840

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
59KB

MD5
134274992300eb96ab9ab279c70786df

SHA1
3b1214e487712cc0b4a1204b1a4224924da49097

SHA256
080e3d2324d8ca1af85e65652d6ecdabe4f3fea6e2da8999eb2f030ffb06ee2b

SHA512
46db3fd2b1798a5e289236692659d591d133794881af159f928cfbc9df2703c2e5e0154d278859d03041ebc692043c2dba39aa9bb7cdf866220fc5671ce8f47c

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
59KB

MD5
af1017481ea23205ab14021ef1b6d15f

SHA1
bb01528d2939da19e75c416d141306765ea38f31

SHA256
07511c1b4277e85d5401ba5813161ab8dd802ffb59a98d07990d5d4ddb13d698

SHA512
97adbf975207aea837b7419f2b0a74a9e08c811d2ca4cfa6c332bc72b67a46d3a435b2d6dc85a45518f7ba596dcc8428660a95834bafdbfa2905ecd7bd741bff

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
59KB

MD5
6199df8d4d468241a2ff9008f51e6c9b

SHA1
a7653e6028a670d28f65956b3073d6f655505cc1

SHA256
f9b23d02743d7804c6730e2bf865f6aa8aa6fc23d8c74e92bea8c39a98174c0a

SHA512
762abb55aeb8471873e9fa55322da3f8b9f6c312b21b4af84cb8a5f85eb8d406c964c0f6da05c93ae9103b276c8b6cdb06cadbc4c4319077068039bc7db6d575

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
59KB

MD5
a3ec145999ba7c4ce2a66512eb83fc86

SHA1
00558ee5d17e096cacb236d13526c3e4e28de367

SHA256
28bd07cb836f187c3a3da8ab9ea8d718c12bb207a2f2dce8cd37131d32419884

SHA512
b2057ef81c3a0be2dc9b70e45b728106ba8540f4a8189506bb9129226a2f98dddc19add7edd0a333b1b3db099059522d87976f4e5130591b7f68a1b48a77d03a

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
59KB

MD5
3b5ab69b916c97495c8b8bd27fe7b20f

SHA1
b3f23e6f374aa91148bb0fc50924fa371c997bed

SHA256
55cc6d7665f24d17a4501a36b2cdf94796f4cb725777253ab4394d4a6ef2e5fb

SHA512
15fa6e43b0fca0410ca5ae3e1adcb171d8066644b28bc09e6a5b056eea46f0f5756529d71804bdf2fbff92b5a59a82e892a8dbb814afcce2e62ee0678abcc417

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
59KB

MD5
497f95870b01f1223d34a3c43316d039

SHA1
53953a72aeff9a9b229ea79097afdb8f6600cfce

SHA256
cede2b6250eb767df2aa10415160dd87fa6aab2c73176fee275a9f911c46f3c3

SHA512
fa7fa7ae56a451ed0579b7acf78d5051ec8acd0f19db0bee5d3cb36eef67cbbef75b9fa0467f71b63e68598a3d87119d9507f86299e8ba7f974a25fa4a66ab00

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
59KB

MD5
7a691f128ff3fb1d06a7539252b6889c

SHA1
35e1ae4137ebbea1279e72fba069fffeb98c28ae

SHA256
49a21b40fc5807e00946dd77eacd8f9c1cc58c4719e9c47c70d1d301a7b62c7d

SHA512
968402d497884989e580b32843948d2b204157a39c3f00fb9d95bb854faa036ba39aff454f3ee259d6611c5c32caf62d03446a2ffe7379e73d61e3c7c0071fbd

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
59KB

MD5
d13db113d9bfee78a50e9c53d754d1ec

SHA1
08673a32aa875adf817871e2346cedd28bc2e142

SHA256
c9472b4273a7d3f99fa623c3326fa96874ce846b598c5768282116e677dadd91

SHA512
2f08cf4c939f20ffeaf9c26b9f2ca5aea14392a401273bc0d0634e410c57271834a74d49e15e4eeccc4fc594ce80277fbe7488cd45c739877a67a6a9cd4de2ad

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
59KB

MD5
e4f1236491dc668ce0d1fece555d17be

SHA1
f6f56e716965c17af7def7905d8769d6bbb5f970

SHA256
838ca7d900247b873bfcc1f46a4d843c03321cb4d09fbb204e2b73d094ef4852

SHA512
f82c53feade177068e964866e20ed10448f00c5157d9e7601cd86d8aa2bce5c5b3282cf19f4b83185ed40d8a118b365881beb532051dda1a009bf1c9786eb312

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
59KB

MD5
0d068d869984cfe44f5eb88eccbb396d

SHA1
08c04641de2fa9ac4b644dd515de66969da3a5c6

SHA256
bce37e8d31ec3f55861f304e0ec6968c236bd7d2e4a1c7d447f8e9adae055059

SHA512
63171e7cac908812c123509ae9c98942fc41068588b717d347abc594fc35752e61090c4b031c1064e78ec1a81e81636be4960fe82ff07a8abb8b3c9dfc29a1ec

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
59KB

MD5
99dc933b9ea0c615235a69a94b9b2cfa

SHA1
19e661c653617a1b21c301b593359b035edfc7fd

SHA256
055ca56ba349b9d557c9ccf2dbf20a86a9e78933d12677a0c1e6edf173da2b91

SHA512
01008f3f3d2cd2174ce7df1f05c3f4dd59e35eb22571fd56d0ef6d7c435a395dd66c52b547a89b308cf5fb28b1f3fc1bdaacd79d0da42df0df4fe4d5f5df5501

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
59KB

MD5
6caedbb0c84defcbb1befa26cb45f92c

SHA1
61e9e4aaf2dc34a76ab398248f5155afbc981309

SHA256
31649fa5374ca3d7d450af39b1e59efd44654e7a68d7d8f2f40e1765f74154b0

SHA512
6472525ad576da2b6ca03e0f63580a6d63b652ca5e6e8097440ad29afa8eca5f44652946e75b1730f144970d74f94ef0117a576fadfb6f8ab4c8b496bbc60979

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
59KB

MD5
e3db2bef30c812d74cb7de409b98e1d0

SHA1
9d36ddba697efb7fafbf9f2d3cee630eb210215a

SHA256
2a78a0900c403d2e09e79a2cc0e8ab6fa0a25f20e4f659759a721552f8cf1d35

SHA512
0c7c3e9cc16bfca9d8425bcf962550808a7560a5ede2cd79c5de738703fd8b11af96e8ecce1ef4f6b831d62517724912537db4b1cbc51c76f67fe2d5fc4d6d36

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
59KB

MD5
40d0e70fc65bde2ffe0bb6ecf535d1fd

SHA1
f9aae3ce3dd76a41cb188cbad9b74dbe172fd2c2

SHA256
3c9c84f8c7846b8e5b6dc53c9bbd9b22b6456ab91a95cc1cd766487fdaf09d86

SHA512
43c4cff68b259828b7b11894bda1df610b95b41a2bc5de209388b7bdde3c012257a8fa2ccb6518947a9e38e47473731cb289004f7b519862f518530aeee136e4

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
59KB

MD5
80ea632040f8f64ae51c846f1f87c6b1

SHA1
f526379e583430a056d07a172e935029d8a4d68e

SHA256
2ad43f46d63bbf2cef241b44ea19e0d46a98cde550600c8544f6e7594702122a

SHA512
b1a5422c16b49b7df09369c2e0ec699f8d933b4d733570f14bdf9953e00146317358717558ec4fd0fe4d7d4ebb6d91741bae86d7b0ad9aa6632808f9e93ccb0c

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
59KB

MD5
10725d0231b54154890fcde768c06455

SHA1
a4752e850d1a558ea375c5c2ad23eb0c3bc221a4

SHA256
58f69b555496246f7b5e78944aa638bbd6adb71f57efc856295a7751290bceae

SHA512
1cc49d747a152b16da010ad01f7d39aa5f68c5ef883b47cdcfdc387e69662593625d97d303fca7e7aa601489c9ea742160cdd6ed6fa1a88fb35e751f86f6a460

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
59KB

MD5
4725c345c8445b43c47d1338b446ad8a

SHA1
aa987506201729349c17f30d6d72df016e2d6fb2

SHA256
682ff6bad3a8bfe8ee7f8b7cd0d9a80b42f8f9332c36dca444201caa37de688d

SHA512
c0fa286bbd958a3079f178d9baf2de1a2763f14e4e890290cadbca9e122d62a0bbcf7f5430fa936b3cf0e4b2f3e2c99603faf5422ad0d5a8074160db1eae3240

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
59KB

MD5
1470bbc33e94a930fe2154094b0cc584

SHA1
7a3c10e85689fec7e6e2c9b38a8dbdea1a06d7af

SHA256
5c2f126fdd0613c1211eb60ed8ff82825cd6eeb4b60d2cdd7ea0326f405c5eb7

SHA512
85695b8a8a11feb38f180e18a1706cf79ccbd08f4e838a3dff97fa79196583e5fa1b295564fbc6df2face359cb969bf796dbb41681c16b049e610f5c9a740069

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
59KB

MD5
59e108553076a75b381acb622a670245

SHA1
f4e2a0605810ba5416486364e68c8817d6143654

SHA256
b3e47d02aace3e0389e718439e50ad6475a27981108422a61a88ce4ba5a1b769

SHA512
decf53e4443a9077b73c23dc5975365c8ee15a6ed53f55849d88266224bb4ad9ccdf3ac70265b6880c863fd94adf71af483717c779f2b8c37ee21526fe75ac20

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
59KB

MD5
ddb1b31781f0954a20ff5f36ba0c9788

SHA1
7de25c7babeac8f34fd453a2cc12484114060070

SHA256
0a73f4d652ca87307dfb74c265affbb9846183676f82ce99a86db574ee30fec0

SHA512
c2e30de25de69d75f828858deb77565fa5b28bd486178102f49fe9656a780a69bca318b55a14175b9f1ef6cbba036e0a9b36c2ae3cec8423249f536038a7be6f

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
59KB

MD5
7f06577901fbe132cf595bcf0a330bba

SHA1
d4b9ab5def5619968373704dcfb482475adc8452

SHA256
8821dd4caadc8e119cc89abc3b301a60486c223bc0b7861e0de6e08ea50b690c

SHA512
fe6fbc7aec8e19c76bd1ec167146c79287f2b101ecce5e5499d344d4c8cd376ef6b44619dc5dd85ed3288ad84873714f2067597d339bbf5e2002554b068da670

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
59KB

MD5
5e481cb1fb26c00c1ee4e89c2cbf1bea

SHA1
1157dc62e7c89fe19cba02b05a3b63a500231cea

SHA256
98f9d3deb01451ecb90080866cf8d09114b23d2908ea627bebe65c2156fdd853

SHA512
566899bcbd821fd7b8d3de2546f2fe1012b5f925ac188ecdb75954d789448a20e81fe5b871ebae915ffe8f7de6d5fc273a8f4be1aa2995563989c2f5bdb3b900

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
59KB

MD5
e0681c9ba63423e95c4ca78b0f50b04e

SHA1
37ff3ddc11115182ba2e93821aaa09359c58c342

SHA256
4b95ff0cee77f73a35d3f59a1cbd8143386ef7eb065526fca48cd129e01620d1

SHA512
2a78d8b0fda63efa27f625ab1b6ef25e091f9e67e19cf4c9814a4eab92d2b24ca974047d3f69e802d23222f964f43d2cda9ec0279a34f561328dcd91d17bef81

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
59KB

MD5
ade36e21b6c15e4cf4b01deaebf09cda

SHA1
16c0f16a51b75446151557d80e91e4912b18c3aa

SHA256
18c4eed1b786769c090d6b33c2bc3d5826d2f446ac323fec83bc694bd34dad16

SHA512
ad73bcfdf89fab7f99f2d30ac620e1c08a0b0c62f2a5d45583cecf6d776f1662b0ee3f582fa0053c80a9e23a4a476de75de6a3dfa17cd6cced7712b4660bb005

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
59KB

MD5
fa474cd81b7281835dc75e920d611079

SHA1
38782b2e2d3c3e13123138c8d1eb2ae930708a51

SHA256
3a10fe3dc96d5bcbe93928e7453002df882c2da7f14c5ffeb776a31b32e678f1

SHA512
7abb0b6f35c0d17566c864c18c362e35959240e0d7a4ff098d0a23dd69edfd7e9eafc0f1e69229fea0b538ebd125fce8e3ba5317897d4a3c1df29b350cca0680

Download Submit
\Windows\SysWOW64\Qbplbi32.exe

Filesize
59KB

MD5
39e8fc59121f05df6f092d5e2fddd5a1

SHA1
3ffe2fc1ed1349476a4f74cf753672291d178ae9

SHA256
d74af38d0889396bff53fad2679d647ba3df379a25b4731b4da2b78f4bda5820

SHA512
2eddbec74ea10881b0f009c9658462216f869e4baa92ffd0cd186b1bda9638c0a8a4dcbc87b2958dadbdce28ee1f6317cead99e24776e60bf3569cb20b91df42

Download Submit
\Windows\SysWOW64\Qeohnd32.exe

Filesize
59KB

MD5
d321d2e3b0addadc1f1e8623ee3cda7f

SHA1
7517f848cf04bac020b86bda5f5d96f70c9146dc

SHA256
560d4b75e7faa8d1e91a81ebd40f503415aabbaed36d62c10ccc8117b4faaa6f

SHA512
fe18ad85391a806b94b0486deaba3d183bb034fbc1760a6443bcde73a6945de9afe158558737af038ed63ae9be23f7a5cd89f847ff38bfe4107da8c95be19419

Download Submit
\Windows\SysWOW64\Qgmdjp32.exe

Filesize
59KB

MD5
68ec4c30d2f7696a0a61de552e22f062

SHA1
baec75bb4417242d09d9de0cd835773223a00cef

SHA256
65748b5fafb0fae1823ad10cda8ece4d572479e42002ae16c1cfcfb750f4df6a

SHA512
e30c40dc58bbb2b17f83f7c503551fcfada3a514df343f5b9052d053e30f0fb338838d2e2aeb1bd73257dc8f108f5991a1f5b8877b631c3eba920737dbf8fe29

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
59KB

MD5
47b64a161cba47779734001eb5484072

SHA1
e8031ffb61f062709ce6bddbfff93ee9ee394dd9

SHA256
06cabdb89fd47a6e65d5007b460055f00f3c46e9461efe0e5a43bd1e9aad6e1e

SHA512
d35c6fa6915e54aeecb317b58b99cb1e649165e4a7123bcf25049fcd73fc56d4a2aaba4203f3bd7219c45d44dd53060d5f85391c42fb45fd7cf85ce9ec3b93f9

Download Submit
memory/536-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/536-347-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/536-348-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/556-551-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/556-542-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/580-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/580-90-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/580-96-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/752-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/904-510-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/904-519-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1208-238-0x0000000001F40000-0x0000000001F7A000-memory.dmp

Filesize
232KB

Download
memory/1268-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-431-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1280-422-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1300-400-0x0000000001F70000-0x0000000001FAA000-memory.dmp

Filesize
232KB

Download
memory/1300-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1300-399-0x0000000001F70000-0x0000000001FAA000-memory.dmp

Filesize
232KB

Download
memory/1308-271-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1308-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-270-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1380-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1380-500-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1408-369-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1560-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1664-260-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1664-259-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1664-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-421-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/1804-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-432-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-441-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1856-169-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1856-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-480-0x0000000001F40000-0x0000000001F7A000-memory.dmp

Filesize
232KB

Download
memory/1952-401-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-529-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2036-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-530-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2144-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-195-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2164-461-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2164-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-411-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2284-407-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2284-62-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2284-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-486-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/2332-481-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2372-303-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2372-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2372-304-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2492-213-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2492-220-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2500-470-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2548-310-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2548-315-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2548-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2552-541-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2552-537-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2552-531-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2568-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2568-282-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2568-280-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2648-393-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2648-388-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2648-53-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2648-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-52-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2692-336-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2692-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2692-337-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2768-13-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2768-360-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2768-12-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2768-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-321-0x0000000001F30000-0x0000000001F6A000-memory.dmp

Filesize
232KB

Download
memory/2780-326-0x0000000001F30000-0x0000000001F6A000-memory.dmp

Filesize
232KB

Download
memory/2780-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2828-117-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2828-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-142-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2964-294-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2964-292-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2964-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-387-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/3040-451-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3040-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3064-232-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads