244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Size

87KB
MD5

78b36e4aa873ec25b156ec557c8e2900
SHA1

20cab3805a854e13e5dd618b3c454d49a32fcaca
SHA256

244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96
SHA512

cc0e5e04184e5b1811d28ebbe6d751aa3a7f6fa6dcc92c53792269a5b90c8e687bb229b7f9ef8758ac9affc3a31a42c2f1f0cbc00ff98a68af4e3ab487278109
SSDEEP

1536:v84q1V2z+kViKXUbFw81Lx/F6XQCDVa3PDI5c6nGRQ4sRSRBDNrR0RVe7R6R8RPk:vNnoKXKLJF6XnDQPDI66GetAnDlmbGch

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe

Executes dropped EXE 51 IoCs

pid	Process
3024	Pnimnfpc.exe
2820	Pmlmic32.exe
2636	Pjpnbg32.exe
2312	Pqjfoa32.exe
1156	Pcibkm32.exe
1408	Pfgngh32.exe
2100	Pmagdbci.exe
2676	Pckoam32.exe
2808	Pihgic32.exe
2920	Pkfceo32.exe
1516	Qijdocfj.exe
2180	Qkhpkoen.exe
2476	Qeaedd32.exe
2196	Qkkmqnck.exe
1644	Aaheie32.exe
2468	Aecaidjl.exe
912	Amnfnfgg.exe
1864	Aeenochi.exe
916	Ajbggjfq.exe
3060	Amqccfed.exe
2392	Aaloddnn.exe
2020	Amcpie32.exe
2460	Apalea32.exe
1732	Acmhepko.exe
1700	Amelne32.exe
476	Apdhjq32.exe
2364	Aeqabgoj.exe
1608	Bmhideol.exe
2388	Bpfeppop.exe
1928	Becnhgmg.exe
1956	Bnkbam32.exe
2948	Bajomhbl.exe
2988	Biafnecn.exe
804	Blobjaba.exe
2376	Bjbcfn32.exe
2136	Bbikgk32.exe
2448	Behgcf32.exe
352	Bdkgocpm.exe
1616	Bhfcpb32.exe
1612	Bjdplm32.exe
1560	Bjdplm32.exe
1308	Baohhgnf.exe
1012	Bdmddc32.exe
2552	Bhhpeafc.exe
2532	Bkglameg.exe
876	Bmeimhdj.exe
1756	Cpceidcn.exe
2740	Chkmkacq.exe
1268	Ckiigmcd.exe
584	Cilibi32.exe
1688	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
3024	Pnimnfpc.exe
3024	Pnimnfpc.exe
2820	Pmlmic32.exe
2820	Pmlmic32.exe
2636	Pjpnbg32.exe
2636	Pjpnbg32.exe
2312	Pqjfoa32.exe
2312	Pqjfoa32.exe
1156	Pcibkm32.exe
1156	Pcibkm32.exe
1408	Pfgngh32.exe
1408	Pfgngh32.exe
2100	Pmagdbci.exe
2100	Pmagdbci.exe
2676	Pckoam32.exe
2676	Pckoam32.exe
2808	Pihgic32.exe
2808	Pihgic32.exe
2920	Pkfceo32.exe
2920	Pkfceo32.exe
1516	Qijdocfj.exe
1516	Qijdocfj.exe
2180	Qkhpkoen.exe
2180	Qkhpkoen.exe
2476	Qeaedd32.exe
2476	Qeaedd32.exe
2196	Qkkmqnck.exe
2196	Qkkmqnck.exe
1644	Aaheie32.exe
1644	Aaheie32.exe
2468	Aecaidjl.exe
2468	Aecaidjl.exe
912	Amnfnfgg.exe
912	Amnfnfgg.exe
1864	Aeenochi.exe
1864	Aeenochi.exe
916	Ajbggjfq.exe
916	Ajbggjfq.exe
3060	Amqccfed.exe
3060	Amqccfed.exe
2392	Aaloddnn.exe
2392	Aaloddnn.exe
2020	Amcpie32.exe
2020	Amcpie32.exe
2460	Apalea32.exe
2460	Apalea32.exe
1732	Acmhepko.exe
1732	Acmhepko.exe
1700	Amelne32.exe
1700	Amelne32.exe
476	Apdhjq32.exe
476	Apdhjq32.exe
2364	Aeqabgoj.exe
2364	Aeqabgoj.exe
1608	Bmhideol.exe
1608	Bmhideol.exe
2388	Bpfeppop.exe
2388	Bpfeppop.exe
1928	Becnhgmg.exe
1928	Becnhgmg.exe
1956	Bnkbam32.exe
1956	Bnkbam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Fpcopobi.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cjakbabj.dll	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Pmagdbci.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2600	1688	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3024	2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe	30
PID 2852 wrote to memory of 3024	2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe	30
PID 2852 wrote to memory of 3024	2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe	30
PID 2852 wrote to memory of 3024	2852	244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe	30
PID 3024 wrote to memory of 2820	3024	Pnimnfpc.exe	31
PID 3024 wrote to memory of 2820	3024	Pnimnfpc.exe	31
PID 3024 wrote to memory of 2820	3024	Pnimnfpc.exe	31
PID 3024 wrote to memory of 2820	3024	Pnimnfpc.exe	31
PID 2820 wrote to memory of 2636	2820	Pmlmic32.exe	32
PID 2820 wrote to memory of 2636	2820	Pmlmic32.exe	32
PID 2820 wrote to memory of 2636	2820	Pmlmic32.exe	32
PID 2820 wrote to memory of 2636	2820	Pmlmic32.exe	32
PID 2636 wrote to memory of 2312	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2312	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2312	2636	Pjpnbg32.exe	33
PID 2636 wrote to memory of 2312	2636	Pjpnbg32.exe	33
PID 2312 wrote to memory of 1156	2312	Pqjfoa32.exe	34
PID 2312 wrote to memory of 1156	2312	Pqjfoa32.exe	34
PID 2312 wrote to memory of 1156	2312	Pqjfoa32.exe	34
PID 2312 wrote to memory of 1156	2312	Pqjfoa32.exe	34
PID 1156 wrote to memory of 1408	1156	Pcibkm32.exe	35
PID 1156 wrote to memory of 1408	1156	Pcibkm32.exe	35
PID 1156 wrote to memory of 1408	1156	Pcibkm32.exe	35
PID 1156 wrote to memory of 1408	1156	Pcibkm32.exe	35
PID 1408 wrote to memory of 2100	1408	Pfgngh32.exe	36
PID 1408 wrote to memory of 2100	1408	Pfgngh32.exe	36
PID 1408 wrote to memory of 2100	1408	Pfgngh32.exe	36
PID 1408 wrote to memory of 2100	1408	Pfgngh32.exe	36
PID 2100 wrote to memory of 2676	2100	Pmagdbci.exe	37
PID 2100 wrote to memory of 2676	2100	Pmagdbci.exe	37
PID 2100 wrote to memory of 2676	2100	Pmagdbci.exe	37
PID 2100 wrote to memory of 2676	2100	Pmagdbci.exe	37
PID 2676 wrote to memory of 2808	2676	Pckoam32.exe	38
PID 2676 wrote to memory of 2808	2676	Pckoam32.exe	38
PID 2676 wrote to memory of 2808	2676	Pckoam32.exe	38
PID 2676 wrote to memory of 2808	2676	Pckoam32.exe	38
PID 2808 wrote to memory of 2920	2808	Pihgic32.exe	39
PID 2808 wrote to memory of 2920	2808	Pihgic32.exe	39
PID 2808 wrote to memory of 2920	2808	Pihgic32.exe	39
PID 2808 wrote to memory of 2920	2808	Pihgic32.exe	39
PID 2920 wrote to memory of 1516	2920	Pkfceo32.exe	40
PID 2920 wrote to memory of 1516	2920	Pkfceo32.exe	40
PID 2920 wrote to memory of 1516	2920	Pkfceo32.exe	40
PID 2920 wrote to memory of 1516	2920	Pkfceo32.exe	40
PID 1516 wrote to memory of 2180	1516	Qijdocfj.exe	41
PID 1516 wrote to memory of 2180	1516	Qijdocfj.exe	41
PID 1516 wrote to memory of 2180	1516	Qijdocfj.exe	41
PID 1516 wrote to memory of 2180	1516	Qijdocfj.exe	41
PID 2180 wrote to memory of 2476	2180	Qkhpkoen.exe	42
PID 2180 wrote to memory of 2476	2180	Qkhpkoen.exe	42
PID 2180 wrote to memory of 2476	2180	Qkhpkoen.exe	42
PID 2180 wrote to memory of 2476	2180	Qkhpkoen.exe	42
PID 2476 wrote to memory of 2196	2476	Qeaedd32.exe	43
PID 2476 wrote to memory of 2196	2476	Qeaedd32.exe	43
PID 2476 wrote to memory of 2196	2476	Qeaedd32.exe	43
PID 2476 wrote to memory of 2196	2476	Qeaedd32.exe	43
PID 2196 wrote to memory of 1644	2196	Qkkmqnck.exe	44
PID 2196 wrote to memory of 1644	2196	Qkkmqnck.exe	44
PID 2196 wrote to memory of 1644	2196	Qkkmqnck.exe	44
PID 2196 wrote to memory of 1644	2196	Qkkmqnck.exe	44
PID 1644 wrote to memory of 2468	1644	Aaheie32.exe	45
PID 1644 wrote to memory of 2468	1644	Aaheie32.exe	45
PID 1644 wrote to memory of 2468	1644	Aaheie32.exe	45
PID 1644 wrote to memory of 2468	1644	Aaheie32.exe	45

C:\Users\Admin\AppData\Local\Temp\244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe
"C:\Users\Admin\AppData\Local\Temp\244b11e2161c97c7fc9b1813eaeea4b9dbe61e6aebd637cf8efda56e04418b96N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Pnimnfpc.exe
  C:\Windows\system32\Pnimnfpc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\Pmlmic32.exe
    C:\Windows\system32\Pmlmic32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Pjpnbg32.exe
      C:\Windows\system32\Pjpnbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:476
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 140
        53⤵
        Program crash
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
87KB

MD5
081266a4369ffa6ed4316f3c3cfffa8b

SHA1
521f50887d21aa18ac3d3676e2d63f4c09a7ffb4

SHA256
efe52926b2222b56582653b6710069eb758c65b0d4934e4e1eeb17dd0cde533b

SHA512
392c804601d3f8477f1b507159ba7495ecde4e2038cead024b1ea4d0d4e97582278637760f6007d6a11a671b8b9955213b2c7ddfa35383ac36681d5b2228ef1a

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
87KB

MD5
dbe021390d720707b1f4e55c34100979

SHA1
7b0ffd6ab04e76cac44aa4eecfee0d8d13a1b5fa

SHA256
987529e667844009500526d32b3819769f0410b44696efbaddf14ba32b86bb8c

SHA512
ff21d20ef0c3d8c8ce0ea70f041052b6c879cd60f5e4baff90b0a41814c7a4ef61116b8ec5cb7d785bb7b195466d2213ed9f7802fb51042e16a04ede19f7fec7

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
87KB

MD5
570d1c089eb236616e2cfccb877b79b4

SHA1
9d85ee4653fac6536d8a229c929e554e7d9f6447

SHA256
90d4f235667101016c52dd58e8a6d65187cc671d47bc8df23822d8f7bd32cbc5

SHA512
e6ae87b4ef9a27117ecda725b59e6687d610841c40f68a0f6f865c96a392122477d2d91cd4eb9a7ab91f35d80a004504e925f4ead2fc66674666988c79fdfeed

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
87KB

MD5
e1d2d3d9b9a8fefc0968cbf337294577

SHA1
528a52f16e0ef3cf5d7780511a3912a27d48cfbc

SHA256
be6a3a3c77c2df09003367c29bfacb22e75a2dcc22477d5639202507872bbeb5

SHA512
ba5e8738d7516e19e99cd108f45f4af478e12ef1ef45d007e0f66bab368910e3b202212fa0ca8f8704e20f093cc691ad3bcd3dac63b9c2d4e2b4d981b6522a91

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
87KB

MD5
8c56970d14aa61f0ad6ff0a26ffe4901

SHA1
509ea24794c9f085aae14dc8e9df060309847248

SHA256
4d810b86686b7c4b77d0a475ae367b3a5c0c6e754e60e2c717eaa9292498ddfd

SHA512
956b3c08054598dd829a95db2d4fad2951c15df507d8ae586bfa6143e4bc6e32d944a8f11a549efddb074e22cd93650832908f0c55279289e60a374b4922e460

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
87KB

MD5
f6569873faf441fa1995b2d3272593e7

SHA1
596b65000320d753e7b7dd6d1f8cde4f3abeda2a

SHA256
7c95c423ee74e14ed32977a3581c3f51fe8a59260b9015f2f3a97604aee42162

SHA512
16610394165c69c8eaeb9f0304f4089fae0a8c3ecc4d9a6cc20038ca26452f94558b4ba5c1e25602f018ef510207407272f186b197f5b0755c51a96508f85791

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
87KB

MD5
46814114ba01060012324a1b3f170df6

SHA1
04603eee9793e26a775a2a672e1f31609ae78e76

SHA256
3e0a1cd835d93a4d4005a94455f10b0bb064d620b7741ca114649ea8ca28a36f

SHA512
a98b8e6cd5b9813df64567cbde6e8e5fd523a3d19678bddfa55c7ae81171b1980bf7524063d14d06ae16998f722a811976dcbf2f3e8c18071a45ca7eca92e50e

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
87KB

MD5
c2b265ccc01b8a6fa36c10f0e932ffba

SHA1
89ba9ead342119524bc931546fed02cfde8debc8

SHA256
4aa074424f4eb51ef51d643bdc60582b6ccc5fd49194870e0232a7bfbb3f86e2

SHA512
30fd1b68d7142a244cae862df8e93a504578822193abececdb0d87e87ed1d5568b5d0e1eee1ea3c366c72c3d7c6676fb6ca7f39fe1215719ce9976a8807016f2

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
87KB

MD5
af44b727f53096100e1b4b13e2f6a90c

SHA1
1c03b8f5d9fb18dc361126698f9ee841bf93997b

SHA256
7a0ced8b01d1d9e78d39a25cb131dc4f520ddb9b62fa3a9f94a73404be0ca688

SHA512
f69151b3c6a122b7c3585954ee98f80350c4595e8470dcc46b90f93a0f43ca140f7e4a0a936210d4b4c6e69c014a947ece7af2ae77d0f92b6aa03cff74ad30a5

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
87KB

MD5
ef3ff7586ecf79f3604c4b4205e13717

SHA1
944e396ce1305fdab55f7528aa0f3f0e5362c54b

SHA256
41d21aa42137c31a8fb07b3b2804f9615d935992125b3b61702e48d788fcbf43

SHA512
19c9c5f307e554819b5a7aee89c0eee82a0ae81b6ff254c2f60971d04c1b478f562209f62067974122c4b5273a507b86d92e380c3953dc63e74c58c0f7833fdd

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
87KB

MD5
f8c481474ff38e46114011cef2dff2f9

SHA1
37b42805545288f7cb191c797a8bf436e7d53e31

SHA256
adbb798bf7b3b9eed66d9a7de4c54ff01098f661b7747df7cad0f01cf736e823

SHA512
22e2e7fa42f5c20a0b8e416e08fe6b681bd8bc4fa151f592b4f48251c37f3ddae53ff6d0e055cbc07b467a39e4aab902866c267b1c774fceb3e413671f498be5

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
87KB

MD5
79f229c45b911456e377b9c3b50c5162

SHA1
e7ec1fa89debbf710002118a7d6912555ab8e5dc

SHA256
079efb2ffc68374ecda64bd9c3b573562210308e42709f222676d1f56dd297e8

SHA512
08f06726558728896015c53131d483c97ea32c1e78117183a5b1fbb9228ae7fbe1a8f278b07bb764e9364612c9a9aa36c9284587d1da0b07b08e5bdbac63a79e

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
87KB

MD5
da381b617496bd495e78e84c1cffd384

SHA1
07c185f181334926018df6e0e7b11f1497129290

SHA256
7e6603f02d843e63635d7e20d8a34d8285a2642a7a702c5a5d1d35d09120666e

SHA512
2051f8e7b8bacdeef4bfdb510de1b40e5d51065b2fd8aa3f3aa016c8c8ed2b6da7528a9c730d131cb48dbc5f4964035d309eb09973839b384be78de59312fdc5

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
87KB

MD5
f7d85add14585ac7ace3691363d0dc2a

SHA1
d8d6c6cdd84af151ed51fc24513e29c5c8636368

SHA256
5fcb84fc1d86a380bfe170c297fd3b19ea764d53d2c0f637572dee2fbecfdcaa

SHA512
db68287ac7ef325871068b80ab8fcca97ec20adc1046da558f56e9a579f5a2f56bf40869f8d4a311328995ec3577d249d120f55b8aa8e802280b87a6a77d6380

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
87KB

MD5
d1f0b3157aaffb142329c89850d115c4

SHA1
f2d630572c5d11a04eff516eae826df19f04e818

SHA256
5c6967b5a5634af994c3b4cd45337b2acd74011bf3a25746e3213b2b3b15492e

SHA512
6f43f34d1eb0fad36d29e66223cb7597b574718ddebc6e82bddf9c649579f1abb5716b041f2db55f868602d55691a8ea226d4d812362471cacbc80da0d7a86cf

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
87KB

MD5
23eecfa79512fff87ad097cd2c16dc0f

SHA1
46a68cd9ee015fb44d6f1d62be9f535655582200

SHA256
e71a237ad11927a19f153f496714fe7ca1a40229b1d2e83092eb2f7833dedce9

SHA512
48a84bda782e8c6bbc4b35ba763a6c6702560ca71b5a264004680580d0890359c5635a4d6c09fd2c521d3a18db06a47b63cb3c87ea3e59d671ef0423152afb4f

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
87KB

MD5
0e38fa0c226d2c761f63b09fe9c65a73

SHA1
36bd30c0ed3210eb70426e625b3941632cc292d9

SHA256
78810c91c4d91781f03e5a2bbaf55fc3c438dc412c9117efe4b961a03c19aad1

SHA512
c61836a30b2ba5b9f44248b88985177078d41f545dedbf3736dc515def5f2dffee1ad85601c1d15d7c54ad7b330c439b874f78c77c9abdc1566d581981868d95

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
87KB

MD5
748d64d25da84dfd911225302a4d8584

SHA1
4c85e5d43d4d7378e754e8e3f1963748a691bec7

SHA256
ed09e05a4b860c5cf4ec57124dd20f42014bc77c7dbacd8f1314691116516b09

SHA512
bba5da811bb25a1a5a3e7390f8719eaeb5535bbe7eaeaef09099f2c5863449ef4b37106426cd1d2f28583884b5e6368a9a9365e9255925f05e646bf0c2ede81b

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
87KB

MD5
bc5c869b6a7a0efdae666db742c8cfc9

SHA1
1eefc6ecf8de4339b30d932dd68f3fb8ebe31eb1

SHA256
f7aac93f6cb68b07421fafde60b0b90a82d14cc4b1bcd719ea29e60678cb5d31

SHA512
5f1a89bbdf669f68c76f6d6f6aa28a3a08bec1d3b562ba5b873fec104681e3fb83f438bea14ed6108fffd38d5ae89d0ba8941ce36f3e0f8cba0ce8f73e16f7e9

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
87KB

MD5
726c8f6ed7640b34b8d27661644ed3ac

SHA1
f147371a17e162bbe0017c52e75183bbf04624a9

SHA256
842d1ff524572fcf4503513a1c5560b3289c8cbbcefeff12840ea58dec73591f

SHA512
6518d23b02a70c3b6104c6758d0838dda953432b9f5acd08c95ae1d5a2da1e881535558cac702904bc51a164444e3dd2c0ff5ef1658838aa4c4e26043f63df7b

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
87KB

MD5
79c39655b214872b63d517385243f2d3

SHA1
0f3ce6b9231640c5de121fcf76a7aab5a610f2af

SHA256
ee87e5ff305c6be7f359365992bb5c18f6ba497f611c5876d30cc338254ea5b6

SHA512
0f6eb33a45a2c5bc201b46ad73e139bac0766eb9714cc82d1e9983bc07b99dce6c7c2f588cd2b6668c0804e6a95a9f70d28d5983f3079c0859149ef953db345c

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
87KB

MD5
1b4b38ac17f513ea53874b6b7d885adf

SHA1
33585a62ed88bd257fd8c8812501f7e6d45da710

SHA256
e8ab4e102df0f4d23852a745e3ef89964090105c7288e74d5887201c1014380b

SHA512
52b57bac9b3ae6bfc281cedd453acdc212e47dd77bff6fcc05f97cb42a4c9e0e80ed8f745f1098314ff33a2e5e1b4c79c6d72ca200a6cf194ebeadd52daff795

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
87KB

MD5
ed51c0c74f07d6bdd522a95b7fc06078

SHA1
ed46c8252de49595e45d71fe789bb11328e65a41

SHA256
4d53dc841aa164fe3ccebdcc816f897c9d917af107ea7dd6af7a0b7e8ebe054b

SHA512
ad3eeb316e0d9cbdcefe33e742fddc35f3c76ac7acdff6c66a486ad01f6ea1f761771a3ec466b2a55bcfc05cc63af29ca838aacee5e9db63b5bed41ff3028376

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
87KB

MD5
d6de38763db01ff1269db55c7d1ad252

SHA1
79ce597a2cb39a76bf42ba90220db7192941ae8b

SHA256
0ec1e32913ba4434b2dbfde3724ef9804ee018177199ef416b97bf0eff7314ae

SHA512
49fda616d4610d14b96dd0b4202f4217df435819e798d6ffdaa2919053849258acbf3a2a7a330431611c40787b1907f65a553c43ab5189508f5b6759b07a752b

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
87KB

MD5
89a35e6fef1c7935bdb21f684ac80768

SHA1
9015e0381e17128aec7558e06ba655b7e142e179

SHA256
2c29da519b2471524a59d122957c6bfe41dce7dee5799660ae4f50a4f86edd79

SHA512
135eeda0e5c2ee8c0367da5ed5dd427383084e3243b73a3dcc1a1d859b3767a8b228823dad855ce0778449fef57ff7b7779b23a0fcaa7cd0e40dd54b8d478498

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
87KB

MD5
5801cb527a3ea82a763721073fe06be8

SHA1
451c7c7b84c529f6465ce70ed8f967941dd60300

SHA256
91a0134adbe249f879ed4f63924dd2360f15689de3ff2aba862d1b2075abbac1

SHA512
4bb7a95054754dd8f4a6e6e475f6ee645d03802bacbc0325b0d1e4f4c37b79efd1099d8ef512d299cdbace1f79c72c88ea45c9be83a4d094d42f1f1d9b29785b

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
87KB

MD5
6e64e2594e46b11dcb162cb98c9cebee

SHA1
8545cade6e261db0791d3d1377732ce2ba55ec0a

SHA256
0f1350f237953c6187341406858fd43720825e2c13ffeec661bf6001895dc1bf

SHA512
9715c8180948f601dc33f11789438f7867cd829a7a29341e10cc6285882aa7d119265840389f87f7ee25cded336e6986f688b16b40dc449c8754564654223ed9

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
87KB

MD5
19c3705ad2a30f96eacfd4ade8ad028d

SHA1
360e4702ab09f5374012a13bf0bbf8cb401e990f

SHA256
d6b161725dd073118973ae91c8cc23bfc03c04215e86c55d377c4826bfa43f3a

SHA512
918d20c0c02fd29a3de0e3d68538689c49b4c22918bce9b7560c36efe8057a8cdef2dac217d8d0e726fefcbbbfe0638d3be598b495fd14f249dd134331db818d

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
87KB

MD5
c4391fc5500ee97e5999aac681981155

SHA1
d819b022ed779cca28d7633039d02c6d93c6dd4a

SHA256
623a7744346ff8a3efe7e1b746849b9008dccc3d859ddc648e3de1aa9677b946

SHA512
90f63667a2b3ce70a25e387c51282d9f615e547ca46a58e8bc1ff53b9f20de031f9e9dfff364174452b0cb8bc79134451c660c2acd0281a60d0b07650b86e7ee

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
87KB

MD5
7fb7f4ac9a478cc15b026131b4080352

SHA1
e822ac9a653ac72cca12303025132f35193d84ac

SHA256
f669e42fee98f7a03edab0b3501e6a6a393c8dc1b2bbb2c50dafeec6d3094eb2

SHA512
08b5e03641138f0901c7b4bc1632bcf4fc324f3942da80874c6c0620c9d2983b0019fc8c6c19b739d6bce2aed843b07c09068e5cf0f94137685363df41b5769f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
87KB

MD5
087c77723235de5b5863e0f7a2113298

SHA1
67195f20622c50f72a28d213443a1e3f53587ca7

SHA256
b3ca835e5dff0d884dfb05f8713b1fd07f0a7476b34f11b4cc2d44b348dc954f

SHA512
7c66dfed67e9f20bb447799947cbd7d0525f6d59e2785b9b1e342031f92d0a77a75741e4698251731cdc6b5a2c850bacd06b61454e161c866fd6984cd45c8a46

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
87KB

MD5
f1e9221c0e661a81a192acab6b1ef271

SHA1
c83142559c48006e4676f5d148c0be8758aa47cf

SHA256
4c4a32e430d7dd9ab6dfbf4f01698bd09c0a00e0a73da6b353b754291d0bca5b

SHA512
c96ebc2ee5bb8b3d658fd54420c964653d4f39c3a1845940fb02c09f50e6568b400508ace4ecd319f019d2c622d0ba0cfd84dd6e8bc65e9e438ddc62a319af53

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
87KB

MD5
93e08e647ca0379b6474b14ec512b557

SHA1
32f6bcf3aa84e70e406bfba377ccfe11e2b4813c

SHA256
1d4048dd94fb6d41e0f2450dcd01ee2740405ca70f8954f258d576686838c72b

SHA512
3c3180bbd18a4432fc14deab40f98da8cc9d898ee0b38f4a22e8f712fa749d34f675fb175dc148abd908bf53fea59627c91bae6e5675e803e41168a52ac8c454

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
87KB

MD5
a6faf0b865b4a64a01b02ab239eca12c

SHA1
90e14bdf176437bb0b35fc00619e3410b92a3d8f

SHA256
9bb709adeb9d0c7a839a7fbafb0e00b961632f14f217a43f8ce1105fcdfdf1ea

SHA512
12873e00975b7bffc40f093c05fab36635fe4a51987f92f62a5352ab0f2310ac1b35f3f67e71d3ab203d81b3d0a3938cb0f5ea4959e90bad5d9f82eae29c9f5d

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
87KB

MD5
1165d1524a392f0b370073bb8ea8ccf4

SHA1
6eb76bd1ccc87df40b3e50053eeb3a627491986b

SHA256
3f2398e15d8a8e6e617b6af5ecadfdfdab95df93924a88946019efa8d2554ff9

SHA512
4e31b3c20f88d09703745e0aa86c881233d42c1b22ac17847d6a39474e209b7a64b8ba1fbb62ed663f9acc06c4d879d8f78045e0fe6555bc54ea87e3c4c13a77

Download Submit
C:\Windows\SysWOW64\Paenhpdh.dll

Filesize
7KB

MD5
4229771fd42016360fa53ed0c70ac4a7

SHA1
deb125c6fc1f6286ae22fdeb416aec02d2ed1998

SHA256
257a2fa65d6a4efa7ee7344286608bedcb64fbbba9d08af53bd943b7cd4f25a9

SHA512
55191cbc268fe9b3c8fb16347daea98cc9dda08c99c297678f957cabec41567e6b1525656218ec3b2a90c14e90e738a3fcb29a268b9ee09294570135d37d93f7

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
87KB

MD5
afb8a634815fb48b10e506c5ac9ef870

SHA1
b8df49129c8ee181b58bc2fe6dfff8f102556516

SHA256
e42c8ee71d3147bcf80debd5f541de3eff72b0010b33f3291e8fc2c726251167

SHA512
cca58ac582feb0dad4e958e39e0bd84db5e3f7a568642389c9ca2b4d2fe375c04d5ffd7c567a00f3dbec54094dcc4415161f04f82bdc6241b98c4aa9678e5d77

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
87KB

MD5
e268f6173d2a047ea0b9cc026b94d85b

SHA1
69f29e60fbeaff45a8333897db876ddaf80caed0

SHA256
9be9db3899ef2398be97ff79d3e5529ef597f2ec72c314f180291f2fb87611e2

SHA512
7a4b6babeea935f50b9791586e8635c64d1d793d88208b326ac21697641808a04d6b0863ab1fd96b47a7e038e88d4180308c26ba0df3c353fa1869ae01ff007a

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
87KB

MD5
6de35b30cfb995b043ff596a57c982b3

SHA1
421be7b1141737c46a4d4347c642ca063f672cce

SHA256
1633c2c4bf3550acc316ef2ecefa6f7ca727c6dd6fb0c4b6f0afd8eb4fe080ad

SHA512
f89752b3c9c5e7dc61732e6d809397292e7a2b820fff275fe0133fd706f818a26f041dbb1e6f158afbe35e72b90cf019a0dcc700902eec18839aa3e53ffc9053

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
87KB

MD5
11243d1f04bb8191249e0bc356bd9da5

SHA1
0c60ab00c0313a71e6b2c042e17f4504f5409984

SHA256
6a2fd544ad4884af9defedeab474d966eb146194dbad1dfd09ee2031ec9e7e00

SHA512
01e96cc5a66d2469e91cff6bd3358dc900937fe096229fa7669cdce9fa24ea587832950d4f7fb0d51008c76be18e75a61d0b0d2a71f56011b53eacfd2042c260

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
87KB

MD5
d4f263761ea60a43db3183b7c813aeaf

SHA1
d7a61d363d0bce17ede223b155984346999cef0f

SHA256
c69e96a6dae4d2accd4f59cdfd95d129144c1e44f9e60146522eb6dc5ffe2684

SHA512
011aee2437e4473cdad742acca0bb6065aaecb2bdf9c621a5b12fc5f774064830fd15d4441a1ec19c60e0a7e6ae73f15bce12ec2ecbe8165454fab7163a9ed8f

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
87KB

MD5
89f9e7f34528e1ea56083c80b2f50dec

SHA1
191c0df5886a66b2057da8e500fbe9acc5ed1315

SHA256
1c8a4a1977168be8ea9dceb1854890abd634b0597327025eeb04c6bf2de3a449

SHA512
d5c785280eaa3eb4ac7709c739024065df3ac3800a342f659e42aadc40e0bc1ada8b2dc96127fd6445d16c79dc527211065bd32f97f39f6d9f879850afb1483e

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
87KB

MD5
1b66256ab9a1bd35b82248918d381525

SHA1
6bd242816dd5039b638057ab36ebd38602a40951

SHA256
ae13266a9537215340b9e500e4aec9f8111f86febc206016b4bf2ba2c6d24a23

SHA512
75588ecf578391b4f1080e33aa377b4073dbed7270b51d6c986cf9f8cd0cf44a3bcd99762e21270721f13328d551102eaafcf3dce80a04a2124a6302dc05342f

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
87KB

MD5
36239fa1452c9237421f059cbfee082d

SHA1
372e09b1dfd5b1c2062fbe7936bd4f022da5f4d8

SHA256
4bee1a86c30639bf98a574b55437a840c5b500e64382562930d808a0b3c3397b

SHA512
021881ed0ea0388ecf8b6f10d3fe79361017c5de733fb689bd01348a9b363b4713e67bde6d77a6c11b1d1a8106176cd533a64242b6a896e0f9cce0a1e969b2fb

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
87KB

MD5
1f6c3ce0268bc7d010a0799eb7c6f829

SHA1
458bbace405ce0f1c790b25d52ae4ffb028532fa

SHA256
a8fe40499a842022504f2d4725eb555f40dae26270b16c0b16b0f15f642957b8

SHA512
2fd2157e576d7bafe27d24303fad93bacbc4832535a609d41ce14574537bfeae1aecf95dec6f6011c7e4f82728f52df751904ef95cb32fbe32f983fe58987402

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
87KB

MD5
b169e8beba37be9d29466f898ad92630

SHA1
3b6dd12b157a38f06d6d6af3a49cecd09a57a699

SHA256
46a88b2d19c1ca63d44c034c02a038ff808121f735b4426cf62481d5d68cab4e

SHA512
940286d8c4299c1d1158aebb1a18bcfc34c515957e5688154f02a5bd922c64dd721ff182625abba1875bdce1d43dff328dd72cd3beaad92b361bc4a4c36a28e2

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
87KB

MD5
b4846b90b34f6bc550b78d339d465e99

SHA1
9cd308db1b6bba2aa11889ce64dda4fc6843cf21

SHA256
1b73a28a32c2947d7d80b3a4d0e987010186f5e371814ef26f548908bf0c6ded

SHA512
444a018139d57fd5aab15036b067241ba691edd91d4dd273dc2f394e3482bf1c952308a99f427cdbb7b737b91488530990071e708373e93832a5a3cbf230dd95

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
87KB

MD5
d765bce03e928d11483e8e3a249fd150

SHA1
3c09d8f24e64a9adaf2d36157d9612bc9bdd0247

SHA256
27ce0f36a6d05d0002687a82619ed8715cddf6320fca72698a3b81f57775d1fc

SHA512
e8a3a54975671fb853747ea5d74b4e981db41807b435d26d65d8a40c38f56bb1610a708d2fd210964fd0c9e8a0254fcb294f58c9bac1feba0345f2975b256b12

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
87KB

MD5
a050e9bd2b0b49e566a51814107a5a25

SHA1
a79e2b860525d73a984a2454b636dd9db6e00913

SHA256
b6c5d09985fd91d4e9ea4e4e5d75d4ea3be7c5be2c43e24bdb01e4554bd669d1

SHA512
ab5daefe41b30df0126401320600fa0d4330edaf3d10d0eb65f7544fcf9852b30489ef9c7b7eb9d448e8e1f7b8932b2dd4f3ed08d45eb709290a1ecaa9267427

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
87KB

MD5
338a2b354ca121be3175f2a3abb80823

SHA1
1b45f11ff16cc5e808199431883728676e802f66

SHA256
a631a2849f497eb184b6b5d1e4eef77ff31d483ce25fceeb7b64e621faf54621

SHA512
d4bd37deb38e63884a3590b067e3e1ee4041e9c73b8276b9187bd459c8e2d9dd4dd14b3d1dd8cdbdcfd23bc82ad1e25dd62b53bc391872021534dfef0af580f8

Download Submit
\Windows\SysWOW64\Qkkmqnck.exe

Filesize
87KB

MD5
5845ac6bd9062c95f12817d8658b7039

SHA1
64f5401db82ac9169338c93172532ec4a00ac6dc

SHA256
6c3d0238391a9a45dee460de31f5fb57defd4ebe50d56dc1a86b4ae8a818aa99

SHA512
6687909b8ef6a0d78fcf6c6ae84f0b6f20606b597f8d339f120e5e9606750adbfac044fa3c379733ce680b32159cc58413aff348c1924affbaba3f6880158df8

Download Submit
memory/476-356-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/476-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-282-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/916-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-326-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1156-128-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1156-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-91-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1516-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-270-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1644-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-234-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1700-345-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1700-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-335-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1864-266-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1864-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-271-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1864-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-406-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1928-401-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1928-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-110-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2100-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-159-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2100-160-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2180-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-184-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2180-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-258-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2196-219-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2312-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-66-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2312-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-375-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2364-373-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2364-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-306-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2392-350-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2392-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-361-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2460-328-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2460-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-368-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2468-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-288-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2468-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-244-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2476-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-203-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2476-248-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2636-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-125-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2676-119-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2676-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-175-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2676-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-140-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2808-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-67-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2852-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2852-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-18-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2920-157-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2920-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-150-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2920-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-205-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/3024-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-290-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3060-295-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3060-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads