e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
Size

96KB
MD5

bde89959c8c6bca129c55291611b4dd0
SHA1

18345c2a56c12645856e628b1e4961fe6ec96c7e
SHA256

e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6a
SHA512

ac877d211a846e2de915fc5732c08b7771fecbfb87c7f4e58637f2ee412780ed59500917778886b6dd54dff8a4702f731573aed949234fc6117b8be3bb0223ed
SSDEEP

1536:23CE2AqTWC2Zkzr2Lk1NPXuhiTMuZXGTIVefVDkryyAyqX:2yTAqP8aNPXuhuXGQmVDeCyqX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe

Executes dropped EXE 61 IoCs

pid	Process
2708	Pngphgbf.exe
2440	Pcdipnqn.exe
2656	Pjnamh32.exe
3008	Pokieo32.exe
476	Pfdabino.exe
2032	Pjpnbg32.exe
2564	Pomfkndo.exe
2668	Pfgngh32.exe
2352	Pmagdbci.exe
1804	Poocpnbm.exe
2200	Pfikmh32.exe
1188	Pihgic32.exe
2468	Pmccjbaf.exe
2460	Pndpajgd.exe
2456	Qeohnd32.exe
1248	Qgmdjp32.exe
2572	Qbbhgi32.exe
1680	Qeaedd32.exe
1240	Qgoapp32.exe
1540	Qjnmlk32.exe
2308	Aaheie32.exe
868	Acfaeq32.exe
2476	Akmjfn32.exe
2508	Anlfbi32.exe
1288	Achojp32.exe
2920	Agdjkogm.exe
2628	Amqccfed.exe
2676	Aaloddnn.exe
1484	Aigchgkh.exe
1080	Amcpie32.exe
2188	Apalea32.exe
2080	Afkdakjb.exe
1748	Apdhjq32.exe
1676	Aeqabgoj.exe
1852	Bmhideol.exe
1756	Bpfeppop.exe
880	Biojif32.exe
2084	Bphbeplm.exe
2448	Bnkbam32.exe
2964	Bajomhbl.exe
444	Biafnecn.exe
1312	Behgcf32.exe
1788	Bdkgocpm.exe
1716	Blaopqpo.exe
1044	Bjdplm32.exe
2288	Boplllob.exe
1784	Baohhgnf.exe
2540	Bdmddc32.exe
1708	Bfkpqn32.exe
2720	Bobhal32.exe
3028	Bmeimhdj.exe
572	Cpceidcn.exe
1432	Chkmkacq.exe
2588	Cilibi32.exe
1792	Cdanpb32.exe
1144	Cgpjlnhh.exe
1264	Cinfhigl.exe
2940	Clmbddgp.exe
1352	Cphndc32.exe
408	Cbgjqo32.exe
1620	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
2708	Pngphgbf.exe
2708	Pngphgbf.exe
2440	Pcdipnqn.exe
2440	Pcdipnqn.exe
2656	Pjnamh32.exe
2656	Pjnamh32.exe
3008	Pokieo32.exe
3008	Pokieo32.exe
476	Pfdabino.exe
476	Pfdabino.exe
2032	Pjpnbg32.exe
2032	Pjpnbg32.exe
2564	Pomfkndo.exe
2564	Pomfkndo.exe
2668	Pfgngh32.exe
2668	Pfgngh32.exe
2352	Pmagdbci.exe
2352	Pmagdbci.exe
1804	Poocpnbm.exe
1804	Poocpnbm.exe
2200	Pfikmh32.exe
2200	Pfikmh32.exe
1188	Pihgic32.exe
1188	Pihgic32.exe
2468	Pmccjbaf.exe
2468	Pmccjbaf.exe
2460	Pndpajgd.exe
2460	Pndpajgd.exe
2456	Qeohnd32.exe
2456	Qeohnd32.exe
1248	Qgmdjp32.exe
1248	Qgmdjp32.exe
2572	Qbbhgi32.exe
2572	Qbbhgi32.exe
1680	Qeaedd32.exe
1680	Qeaedd32.exe
1240	Qgoapp32.exe
1240	Qgoapp32.exe
1540	Qjnmlk32.exe
1540	Qjnmlk32.exe
2308	Aaheie32.exe
2308	Aaheie32.exe
868	Acfaeq32.exe
868	Acfaeq32.exe
2476	Akmjfn32.exe
2476	Akmjfn32.exe
2508	Anlfbi32.exe
2508	Anlfbi32.exe
1288	Achojp32.exe
1288	Achojp32.exe
2920	Agdjkogm.exe
2920	Agdjkogm.exe
2628	Amqccfed.exe
2628	Amqccfed.exe
2676	Aaloddnn.exe
2676	Aaloddnn.exe
1484	Aigchgkh.exe
1484	Aigchgkh.exe
1080	Amcpie32.exe
1080	Amcpie32.exe
2188	Apalea32.exe
2188	Apalea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Ofbhhkda.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Pmagdbci.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Aaheie32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Pjnamh32.exe	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Pjnamh32.exe	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pjnamh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	1620	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2708	2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe	30
PID 2856 wrote to memory of 2708	2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe	30
PID 2856 wrote to memory of 2708	2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe	30
PID 2856 wrote to memory of 2708	2856	e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe	30
PID 2708 wrote to memory of 2440	2708	Pngphgbf.exe	31
PID 2708 wrote to memory of 2440	2708	Pngphgbf.exe	31
PID 2708 wrote to memory of 2440	2708	Pngphgbf.exe	31
PID 2708 wrote to memory of 2440	2708	Pngphgbf.exe	31
PID 2440 wrote to memory of 2656	2440	Pcdipnqn.exe	32
PID 2440 wrote to memory of 2656	2440	Pcdipnqn.exe	32
PID 2440 wrote to memory of 2656	2440	Pcdipnqn.exe	32
PID 2440 wrote to memory of 2656	2440	Pcdipnqn.exe	32
PID 2656 wrote to memory of 3008	2656	Pjnamh32.exe	33
PID 2656 wrote to memory of 3008	2656	Pjnamh32.exe	33
PID 2656 wrote to memory of 3008	2656	Pjnamh32.exe	33
PID 2656 wrote to memory of 3008	2656	Pjnamh32.exe	33
PID 3008 wrote to memory of 476	3008	Pokieo32.exe	34
PID 3008 wrote to memory of 476	3008	Pokieo32.exe	34
PID 3008 wrote to memory of 476	3008	Pokieo32.exe	34
PID 3008 wrote to memory of 476	3008	Pokieo32.exe	34
PID 476 wrote to memory of 2032	476	Pfdabino.exe	35
PID 476 wrote to memory of 2032	476	Pfdabino.exe	35
PID 476 wrote to memory of 2032	476	Pfdabino.exe	35
PID 476 wrote to memory of 2032	476	Pfdabino.exe	35
PID 2032 wrote to memory of 2564	2032	Pjpnbg32.exe	36
PID 2032 wrote to memory of 2564	2032	Pjpnbg32.exe	36
PID 2032 wrote to memory of 2564	2032	Pjpnbg32.exe	36
PID 2032 wrote to memory of 2564	2032	Pjpnbg32.exe	36
PID 2564 wrote to memory of 2668	2564	Pomfkndo.exe	37
PID 2564 wrote to memory of 2668	2564	Pomfkndo.exe	37
PID 2564 wrote to memory of 2668	2564	Pomfkndo.exe	37
PID 2564 wrote to memory of 2668	2564	Pomfkndo.exe	37
PID 2668 wrote to memory of 2352	2668	Pfgngh32.exe	38
PID 2668 wrote to memory of 2352	2668	Pfgngh32.exe	38
PID 2668 wrote to memory of 2352	2668	Pfgngh32.exe	38
PID 2668 wrote to memory of 2352	2668	Pfgngh32.exe	38
PID 2352 wrote to memory of 1804	2352	Pmagdbci.exe	39
PID 2352 wrote to memory of 1804	2352	Pmagdbci.exe	39
PID 2352 wrote to memory of 1804	2352	Pmagdbci.exe	39
PID 2352 wrote to memory of 1804	2352	Pmagdbci.exe	39
PID 1804 wrote to memory of 2200	1804	Poocpnbm.exe	40
PID 1804 wrote to memory of 2200	1804	Poocpnbm.exe	40
PID 1804 wrote to memory of 2200	1804	Poocpnbm.exe	40
PID 1804 wrote to memory of 2200	1804	Poocpnbm.exe	40
PID 2200 wrote to memory of 1188	2200	Pfikmh32.exe	41
PID 2200 wrote to memory of 1188	2200	Pfikmh32.exe	41
PID 2200 wrote to memory of 1188	2200	Pfikmh32.exe	41
PID 2200 wrote to memory of 1188	2200	Pfikmh32.exe	41
PID 1188 wrote to memory of 2468	1188	Pihgic32.exe	42
PID 1188 wrote to memory of 2468	1188	Pihgic32.exe	42
PID 1188 wrote to memory of 2468	1188	Pihgic32.exe	42
PID 1188 wrote to memory of 2468	1188	Pihgic32.exe	42
PID 2468 wrote to memory of 2460	2468	Pmccjbaf.exe	43
PID 2468 wrote to memory of 2460	2468	Pmccjbaf.exe	43
PID 2468 wrote to memory of 2460	2468	Pmccjbaf.exe	43
PID 2468 wrote to memory of 2460	2468	Pmccjbaf.exe	43
PID 2460 wrote to memory of 2456	2460	Pndpajgd.exe	44
PID 2460 wrote to memory of 2456	2460	Pndpajgd.exe	44
PID 2460 wrote to memory of 2456	2460	Pndpajgd.exe	44
PID 2460 wrote to memory of 2456	2460	Pndpajgd.exe	44
PID 2456 wrote to memory of 1248	2456	Qeohnd32.exe	45
PID 2456 wrote to memory of 1248	2456	Qeohnd32.exe	45
PID 2456 wrote to memory of 1248	2456	Qeohnd32.exe	45
PID 2456 wrote to memory of 1248	2456	Qeohnd32.exe	45

C:\Users\Admin\AppData\Local\Temp\e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe
"C:\Users\Admin\AppData\Local\Temp\e6aae16f3d481aa1b93e867663483c9121198ebbe2112328bceb839a8e1e6b6aN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Pngphgbf.exe
  C:\Windows\system32\Pngphgbf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Pcdipnqn.exe
    C:\Windows\system32\Pcdipnqn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\Pjnamh32.exe
      C:\Windows\system32\Pjnamh32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 140
        63⤵
        Program crash
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
4b11757895668860115b1eee1fa5474c

SHA1
689bb40b780b21f74404caf3c7ab98f915759432

SHA256
3e06dc8b7a087eac163a16310b452c88392236cf162c0565e2d81c4547210887

SHA512
9fc8bdfc1f7d78ec98161001fe7bf79d579157dd4934fb86b0418920f622075ab74019179773d0dce0a9c8dda2b4cb0ca3d750e639ef1ce3ed426d50bc09bfcd

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
96KB

MD5
733d68f2cd8f00ce3e45ed653fd6c15d

SHA1
89ef04839dc4ac96012d92a2ec14c2c732685e74

SHA256
01fc7c4e5348f047446c81538aaf8feafe5813be61483f32afb368c321c99534

SHA512
ccc32ea7efdba003cc76473256c72409198e780d5735a91a535d8c82facc1db3115abf89b322f053f326ca879ff054a1d6e3262d744be941a894d52a202b3e62

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
96KB

MD5
8f7b8f3afc2fe48c7eb1f78282fd2e94

SHA1
4a76a49acd404890a839a0e6a7636542ac9a0f8b

SHA256
82440845516d7e6b98ff606a3c67b54bf9a164f220d9eda161a1b56c464004c8

SHA512
dafba18b69861af1ccd6b23009f5a698a570d6c58fa82a53305b973dd8dfc470d880c2126d37598ec379100e06961318205be5b1ef1c697b3a0fbf47f1a36420

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
96KB

MD5
18523804c7ac1e7cda18b82806a489a6

SHA1
b9c4da4aa1be183ff4b69decc93c2b072ee90d99

SHA256
0ffe2aabba7bd62f0dc119fbcf45c299b127f903d7008df01f43a2b0dbf5b75e

SHA512
738c7f377afbd49dc382d508750d781cb4b50be2f2b2cb1332148c57e94f67b02608ed9efdf0dc10ed054434fe1f723705566e1c4e2dc0c928624273b179eb82

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
96KB

MD5
3ea876592a6e91531e099cdbf16deef1

SHA1
1236bc1dc7c3290490542415380e8d520da28b80

SHA256
ec200bea9904fcde45cfeef5889831dd08ff4feaac36cb2d33833af6f67482d1

SHA512
6751135a4a5890e0b6c7f2ac23712c1ae680c8e6442069778c30cb63f0ad80c1cde252f49ba1445806fd440d44f6a637fefc549b7864bb2c79cce52a9dbffd2e

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
96KB

MD5
00ca7b05dfdedcdb1285283ce7a32626

SHA1
160a620b5d44724c9c2d118d73d5ed92be76fcdd

SHA256
f183fb662a6d8c5d7372f55c3acb2a7abc5ad58e6954621c3da8ab863e1f6266

SHA512
c7c3f430dd4fb6007e1b0f5092b92353c9268181727d39fe58398f6ccbb96fae4557c89ae30bb9996840599e1103332bfc434adec81a9886471141bcc5b17b14

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
96KB

MD5
c7fc6766e6f2ca14d1d5aafa82771fd8

SHA1
9c5d880b54327d225af4427e591229098dc752ef

SHA256
e13c8d5f1441960a6df7ea7d10bfee3ceb89c0516a3ac54766f81fed89e803c5

SHA512
96a61219926f485e17090ca889f852f481158dfa6c92712306c094ded7325a94862b5e886cff7da604c550763d210d689a44f8e364f6e5b65bb7831a4403784c

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
96KB

MD5
db4dbdf688d99c478ef49ca6198cad19

SHA1
266e4d6e2b19a8f262735e12f23bc7720eec82b6

SHA256
4d1724a15d4fd01614763a84917c1013c864dc37409823e63ba5e8390b893b6c

SHA512
eac99a2ec0d9af501688b6104a76e0332bfec46a2cd9f492a411a326662573a34442d9f7628d8725b29ecb055828545b22dafa3ee4be9f9c90aabd19256e21bf

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
96KB

MD5
33c78ac733fd187c375258cfa2bb7adb

SHA1
49665febf889260ff447554c22fdb22e418d46df

SHA256
7f594fce223ec45040a574f6b017a45a9a0c1fddd412589c04411f098cd1422a

SHA512
d484328a6a8c3eeea2bfb82414761d1ae659618ecaba0c0af2af60bd6f757f54aa3b4850a70c6ce191b7c6ba22b97cef3a57129a0589497ea9776d0e84e14cbf

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
96KB

MD5
b651871fbb2184c519d8f3742496f1ad

SHA1
bf9cba29853ed5f1e9f9d0f16075d1866ac70332

SHA256
e822efec9206c758e5317fda8185da4f9dbaaa376f61f54c20e37f5e66f301e2

SHA512
5460a514e6418219edc7e12e888aa116659b6ae91336f67e7faa01fb2b80b42a0f2d599a2eda50f8159e46b8ee52db02d512e344e86cdd3124ca8aaad3b19659

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
96KB

MD5
c366bfe8d305c93eb8671fb0a6e1fa6b

SHA1
e184404bb8a4945359247fa6d4a1edd1a21a9178

SHA256
4a3d1d50784c82071b10b925a00bf79f433d9ff86790ba0f04ae98c280b7aeef

SHA512
519df607676cc71f1ff7108423df1c3a20bedf1194dcc5ad4a39f7c98e4a0cacc27b865b8860b2724db7906aa3fa2c053a8f983bf70d2b64d0e83c35bc0da1c2

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
96KB

MD5
39f8baf93aabc86e6d1c1f5ecbe2ee2e

SHA1
579fc5614993a6fc7a1a0c271b83034fde885628

SHA256
d75a011400fd780cbc5f1ed74f89896d205d1f5725211e1af638689bd21814f3

SHA512
f6117543ed1ece87dde7558496c2508ff24496ade0333422771e5c6d7005a098823fd6d0485f4fe4be5487136d0c2b11539714adddbfeba67bd8d580545dd536

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
96KB

MD5
5a967122c87c668f90092c7cd7270f06

SHA1
bcf162a3231d62e2437a8a44b1433ff1c2cde0b4

SHA256
4c6ca4ab42cb53e577d9dfec90dd691f401342181e6c6b6460f4eef6570ddcb5

SHA512
7cd35df0b16279df34f0ec95e8415abdc49c17ec39b222183def90b0d26986b674d684ebc290f08a077aea37350570e3806892bca83e09a9cb23d57e89e7c31b

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
96KB

MD5
626f9377f02d2821636b2fb5af4a85a5

SHA1
45b447c10e5d287d0458a870041bb89c3b81dacf

SHA256
4d4cdd3b03daadc1e765c03a4877f092595ee635adcff2be39406eaa4e57b7cd

SHA512
52683906e80df1cbc2b08da7c2977aba4ae5eada7ca08a169b49b9be331d983ccc14858e1e0fbf75d33aef6ff4c434fbe0988d8fa7887b99300ec04ba6468b20

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
96KB

MD5
f96d023688362c0631695b3474f0be57

SHA1
75646a082636ae28cb3c1a6bdbf3ad886858e6b7

SHA256
b2a48e38b7bd216ccbdbbc28c2b6585070ee4aa91d2a285c7dc66a64760186e7

SHA512
e47d91e0e8423889e0ffe7f829bfc8f9e35a5b1ad4e8323c9c9f25d4e54b6c69db7e90f47273d2d4da5af592eb7663f6de98d689f1c2a17eb63000c6668248c4

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
cc7e19e877ff39606b900a26a7d383eb

SHA1
2291491f2a2419e1bcdfd0ff7def966a257726d6

SHA256
d57d5b0640e31b36479afc6b0440196ee7aa3cdbb35cb38369dedba9c7e733ae

SHA512
ad628ae22537c5b2e673a0fac6946ad5ab0fcd63ddc5b7ab4dd00bb93d0e75a6db4f44918ebb91b2a2fc32e7e4445fb659068374759e9c62f1b7647d7302b7e4

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
96KB

MD5
22ebf5217ccfef3b2eeb10fdd3a888d4

SHA1
522ab8d13830db016c54870f22989adf4010fd81

SHA256
e3ca1a99e8f90d14f9d32b0daf72bd0e1f0b181a03ef48b3bf77f82959886bc1

SHA512
0385f4c8d4f0a81e7ff672a47190a01e0102d311d5f16a5ad83cb4f92ae9fd0de5f914f04d4543782638a9e4be5090d0a648304aa2255ddbb58d0f77b25ea2d0

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
96KB

MD5
34ac6e98b6fe8f9d96cb3fbf1cac7448

SHA1
f525f1d20b6fde12de11346f47706fe74c2cb74c

SHA256
0dcbb998782401d186e61f7267de80bbf91eb2a0ea4a00dbd2aab4b5773e1627

SHA512
bfe15480c6dd7f79f38831c8d95f07469ae0105711d3d49dd5f4da93613b7fbc8e948d066c6b0c1aa4227b6801de9e793bca241b322400ada17dce60fb79483f

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
96KB

MD5
f378b9347edcef6d3ad417cd40a896c7

SHA1
d90c8da094731c8111808af2576b70bb722da0e5

SHA256
a7a9a6280aa71d4ddf36f0959b5c3dec70f74db4bda357a02154f9140b341bfb

SHA512
bc3d85968cd7e02baf31adf46fc4c9f6fbce37a6d1373387043d15d8fd5c74b1ee141b8e0ba02d9c8522bb95848c310941737b6cfebd88269ca75987878d7f29

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
96KB

MD5
e3030e74b11d94d1f9ffb23964022c12

SHA1
1e5a3f2309e3c9e0728ea1f2b4273afc0d91a8f7

SHA256
f952f67e0a74c2950c2f56009aa9a8a689a4085213f30826dec3bc66bec39630

SHA512
6b07f90957d63fbc498f86165abc5ada088c8530e97bf6e4d58f1ffba616bda4a4f2b4bee17984eba48f9e9093a1318ddfad132430d4265bd2cb39b39b53d45d

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
96KB

MD5
611a3bd9b98d66f1f3dc005191f12f91

SHA1
eb624919fb1d9675063b5abcee56805ee681d29d

SHA256
da8e43d7118f7ef1380dac87a64c7cfcee8743d8a16901620b8b12a8510bdff0

SHA512
48e24bc8d8b5cb22e2c6bf8e3eccd3fe49df0a6ed76ac9b7a9bb6082fbbb836905509168ef0e7efc0a362d4bbe92d20f85c1481cfd9ffed23d01d022a7da670f

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
96KB

MD5
174b9c52c9d5671da81384f78124ee91

SHA1
f08c00fabbd5a815d0a70078858499118d2fc139

SHA256
d71e30496ccd3df4e806d1559d09c597c4baaebc38eb85d444a290104bbdc4ae

SHA512
4ee2868d3e4b8480ba3af37dafa5206f12c2543d68f235faddc60d8e0aad760ffb5e9b5114de1d0720610d0c6d3928a5f52f5ebfb0380ef29b6c632651f0c3ca

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
d1c72fe1fa4de2c93c29632da77790bc

SHA1
0db7ab9d3c9698052fe0d7d11716a3c7c57cadda

SHA256
b6f1a3c68ea658b49befb13a88a7d33b9b9437e87d5065e5ddf89eec0505559f

SHA512
c0c5a8a2bc4f95847e0cbbff512d026225a7378fdd9c55be3d03dfc93fb2764e133704c96753751c8a10b55854a894856a8163d79b85f0ce1ff56f19d16d50a7

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
96KB

MD5
5c5105b40ed918ad7903e5af41952b22

SHA1
84c99d0272dfd82d0018da13913d1b36f1de36a9

SHA256
a5dc31e3b8d98bdf3ff5895740ad6380d54a99d609383a162aa86ec5c279ac9e

SHA512
c77a6a0f932d32a982a9d2b3aa074bef3b8cb5ff605b035f852c2fba473470847f076c26ebbb28955e8287e58ccc245176f34c82ed23bcf87d0a3b75118b3e7c

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
60a8deb2c13b33a17c82c2e3de0a7327

SHA1
eb52c98c1b7bc87649b3eb8e0f35c41cfcfb9398

SHA256
c2f78afa1df5dbf565ffea592c069307e29657568de2bd66445dd0bd7dd39e2c

SHA512
67cd504a4d6a1c5d48416e63d1b1e97eec3d3508e1b5b33ac734396f8a9122680c71578b11a789e69380872b7178fb2b0e7b9cd80963603ca303d520ab62db14

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
96KB

MD5
c033123f4db883b59bf0264aff56fae5

SHA1
dbd8d334027114e4cafe6c8e913c7021c20eb6e6

SHA256
23560aa274e4d999811d18d405dc1c60cb184af742528677ed9b365ac8bd0bb0

SHA512
f0e424b15c57057d65839e4b4ca7679c6ba68fa0166a177fa2f0a0e97008d03ee5ea12fcbb53bba6986c7ee0dd9bf7a9ca9462cb98c49f16d27c90dc610bb82b

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
96KB

MD5
74cdb73682ebac9806dc8625441f7272

SHA1
1ecee0eebde1cd8c34d44fbc50aac5e792e0122e

SHA256
afa85777b4771952d43ff82a0054aa4061138f197120cb4e37e3dcf299c20a13

SHA512
02ecc8b76269505c6440fc08d2f1754f96053cd70f62936e7d34521ffa8ab271572e767ca664c4e2f1ed90617ca7a0ede11f5fefe5221e1feb6f69ae7e657eee

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
96KB

MD5
9560f7da0e4a47abb475109dcc5db5ef

SHA1
7562635719c5e93c15cb98d0b6a6fa2efbf54580

SHA256
34c1c32a427f59cadda85a0eb341c3ff0e8301455da430eb09adb7a4cd41aa21

SHA512
57e435fc16fd31d3e4c3097004fc0e84a282f06bfdd60483a015197c599a4060c93ee879b639bda00a7e2f34624ac2d30b0910aaac3e0962a6d55600ba8d1ead

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
96KB

MD5
a62f8dc1354f55e283203c6279a7d288

SHA1
a107e70c4535f54fa8683a4b2dda4fb99193dd2a

SHA256
95a9600c67845a9816ad067e2faa611686b766b7a341b6cdd4c26b03e46b8e4e

SHA512
2879b9acc776672aeeaa101238b5221af25f74d38356ba0983b6ef90f555ed7183498928b1e84716075e0f1c904c156f5ad4b8f9fca6a8f899f1d7b302a74a9a

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
96KB

MD5
85f255805b35cbb25d01025ca55d9108

SHA1
3b15b2283a7818a2837e48da7ede7703a3a72b1e

SHA256
6df03cb8c4a31ddfe4ce6ddde90fd40295b605bc4dce291070130d6c0d839351

SHA512
085763fa04fe43161f443a3ef537ec9b4820d588ce20bca87ae959790d0d5010a119927e23ffa9a5c8a6b09e6730bf474d3db6a6daf8fe958393612f4b187a58

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
96KB

MD5
47ec2a6d6bde83337ffb05e9f645830d

SHA1
0be2008a78949042698945aa4b3b448ee30c061d

SHA256
eaec522fe56a86c161143bef0fc76b11fb4b552da4f068b2d5c9a25f481dc58f

SHA512
c14b57833f05eb051a895585dbc900a177621aa8a78744974fd25b51142d65bff70bdd18afbdaf922b949fe3db45c519a2c39174b909f7dd474df25e5d36bda7

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
96KB

MD5
31992dea13cd31457e1952bebeda3d11

SHA1
5b334aaf7a20d7eee9e0ec91c2fd29854fcf49e7

SHA256
ae5927dce77424e449ce325d71f279776b389416b6fe94b62b537c1ee0c1e575

SHA512
9b247b77dae84f2e2172f767aaae5fa1293554e5248653b4c9711090382aa12f965b8483f336c85cf7da9d2690ed4a2410c704b594652d714788e180b7a5aba6

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
96KB

MD5
653f9e62bc79b57dd9069d494e7c92d3

SHA1
446521fbc1876e8261032b16bfabab7e38974c94

SHA256
033b83005de86d138f62808078f2dbf071d3f48d209f9ce8b314110efb9a6cc4

SHA512
dd437a9ae56a2a5193a18d6783fd57e67fd1f800458261b471ba937208dfdf6ac6938c6d7379334bdeee1529c502b5edcb7d431374850f30285a64bc3a1c3049

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
dbb153e63c069eabc462a672c315dca7

SHA1
9b93fc8f6598e9825d548f8f1edb56e4662af357

SHA256
906692099f467070f18f0fb5c3402cb6935afbbc513184d4797c8c906b6a7c61

SHA512
f9d2f84e8cef521f21ce763910b5ea9c96aa77d9cca950e59555c5a7c6e9a0c481fe8ac055a8dbf7dacf06df7c461e734746f840a88116b148bfb851c7c0529f

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
96KB

MD5
67bce8642dfad495cb8e2db35ddb50db

SHA1
b671ef16750c10dc8df0b0e88b89e87010e293bd

SHA256
7475613830d7f9fff87195f4e855cd0326fb79efce3443644c81fc2b4027a394

SHA512
d4704ff356a9b3dd0d4762cb83996c226afa32ea5a32b492858692e9746dbcbd9f9f0c759c4feb2fddb4f92d1e987cda7549b9148e3132c440e8603f4856566c

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
96KB

MD5
ef0b258b67588512718f00297cd27b2f

SHA1
498de9acbccae37a8c154dde4c13fd09ce7aa603

SHA256
6c53505210c8e533f5e9613a2120083cd936d2600affa2e5eb50614d93db7080

SHA512
ae81a840beb1170dae0bbc1c2394d7bafba98251e148a8e00356c0d5b17a3c861f1622e720a2c1b451c87b46982f1c6817ffee8a87c7862021c2432ec0c27a3b

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
b47c7528e60cf029f486ab779eead24b

SHA1
4779444acf072393f60b368f507b213c758f2ff5

SHA256
97641ee7b4ba4c5f5ed0890416dfc3954bd92dbbd925c70d96b7711dfb485a29

SHA512
079b8f74af43c22fb96e6e09da593fcb3783956e372a468b8e7f60e370510719a315a1eb2d9281e17734e00efd7094ac0718914565f4b3b98220cf1324127833

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
96KB

MD5
57df4d68de2ca9c53b9607ba8c8dbe83

SHA1
e51392ec4caee77854f43c301383b8aaf37316be

SHA256
a7b9c05f4987b24afa27ff15643942862b81ffe42856175efa3f4347ba4bd598

SHA512
62d01d93d281f23850618cb4c5f2dd62d0b1018d46ac0cdc62c13eb1b97ac178d62e903bd3d191372d5e7bf3b7fc1c5fc3d27952402a1c2f3696b51ca1ea4f18

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
96KB

MD5
234aabdd295f3c0da7e6dd4efd33ec5b

SHA1
d23ebefa05b093966a750a2057f9b8b686ea6531

SHA256
e058e97eacce09209f73bde7f29446b734a7987c920e2b9e0dab95c45df42b1b

SHA512
67e78661aadbc067b3725bc70923df36b26d0719ca6e6a5b7a0867694895b23365295e13bf8e573123fcdad3ed58098457ca84f9ce3e0339cdbb23c337995fd6

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
96KB

MD5
fa975a02093d609eff423a77455cd566

SHA1
3d9d58bbba3e4f2a8552446de95eba4b8b15e8a0

SHA256
ece6df3fa8faea585b0a12c39789c7de9f24721a75c4d8aaa0038246b9d95ef9

SHA512
8334129450b1012cf7d4434c7033fe325de44265fadb10d10882ecbafb003aa492bb656ee4a851584038473d127d29ee18e80f68d81bf12fbfade855716fec4a

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
96KB

MD5
79ed53622ee2bf41efcea108cd33ab93

SHA1
ee8f027391e11d6a74d3b258028bdbf8a8f6f182

SHA256
1153c1d1a2cc4867a2afa6062ad8685ad014840f01b4e6ccc4d6fbae3125a872

SHA512
8514fee7ddd5fa9ecd1ccecef160260e9843f4a79cd4c176cb64226b3f60a5f052b3b7050a02c1793fb5ceee8de5f8de06d30f793ac6214e37cc48ad37cc1f2f

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
96KB

MD5
94256a209b736fc6c361c6eace3ee19e

SHA1
fc4c4c5304d9a0e5ee8271582bf263be0f00c069

SHA256
67c3b1bfa8da577b73fcb38f27fb3d4f530f8258c87a0b0c07c5477d89f6552a

SHA512
34605ab211643be99dd34345653c438729f7af2301105d6aeb78c75c827893127db597614f6cc0423539d7fcc72674bbcd0e08c6ba11abcbe7188e2acd96d456

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
96KB

MD5
daedac9c92b36887e7362a53e1af3362

SHA1
648e9701232b506fe93fa7a19bab3c5d6f018b0b

SHA256
dd9199b1eb0c9015322474e62ddcfebbe39e1e44802787c1b629bdc1d2b80c9e

SHA512
6a95f6e5b8e88013af0571173168012c0dcab201cbc3caf968cbc7bdaaedd9873c0c460543468fd2972ea6a3fea7284fd8de6d61bd562df0d2edc297366ae08b

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
96KB

MD5
3029fa472f3b3ca5edc05e8276d4855e

SHA1
3b801b2b3820b29de29aa5733e2c7018fcc21128

SHA256
efb56458347f2048aad72f3971aae65f5e52cc8a3fe86f366b9ca5bdf1b8f8b2

SHA512
d04ffc00cf48b734cd858965061532b02c9a49b4c4530b5d83318f7b90979d28b03209b5c02c44592d8b4397928e5b131394cd3c2e4fb6589e7c6a68f7f2b15c

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
96KB

MD5
f853d3d8d794c2ecfb50590d30f86fd6

SHA1
0c9388624b3c4057ef59bf29fec165e0e48551a0

SHA256
28767472cd10f8b57c39ca399c5f8b620d918ae0179bb7411f00ca16a06b4fa6

SHA512
74692030ce649bdd3988c22b29aa4a4544ab479232f912bfd71323253eeb0a80f2e64239d934855ebce177d6ca859e059fcc846b01b247fa8abfcab2311e12e5

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
96KB

MD5
69e95551b13a0c168eeee1d8d97273cd

SHA1
e879e338c7c60fe7b03d34f77cce84fef5fcd1e2

SHA256
974d4a4cce76701ed810a7b0bbeedcdc7cbe46dfc2431c851647ab562366eaa7

SHA512
af520bf07d6b8701b1e698e057df5f04ff2f8593c7564b0f4aba4ddd3c3c338c171cf8a269bb23ebe8dedcf1ff796c026a0acf3831d39adf4fa493b3daa40409

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
96KB

MD5
3bdf71aeaab14c67225fce7ca97f3587

SHA1
e2a441f818667f0b62552f96c58bbd34e806fab8

SHA256
6b8f2dc5d03d26f87cdafc83afad4a0863bc074c16f0410273f01e4f31540efd

SHA512
672b9fbbe22e91558f8fc4e77e5f9831c40d48818e5a08ab45af8bf931e3d9b97a7ed1b25f3a89963180eecb959ffe7d6b037771626e0714e01e66cfcb9a78f4

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
96KB

MD5
43008ea5883a93fa3ff4ae8cf520a3b2

SHA1
ee933ff3ba92fb64afb3e46fabb758501b712524

SHA256
225409cfda593974269ebd065a992391fadd095cd9e89cc29edca6b84cfb6bc0

SHA512
869299631a1ae81865c721a237545b7616bf0d582d644463d54dea2c260310e0d7b8c829686e6b40cb5096459327488dfd8799bbda158816b34a8e8d4370ca2b

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
96KB

MD5
90f3eee3bf9164e42d88b6bfa429ed88

SHA1
78004ea2b313b6f29af7581aec40d106039cf1b2

SHA256
9712072dd8d7ae2ca0302b63d0eb09b57e8dba245bcab356eb3927b1f58e595e

SHA512
d9c14b99bdb7b5f465278cc3dfe5394a8521345defdfce8b28f522920b8ef707dc50ef3d7986c3d2643772fefc2ffa37871bcbcc6e4c2bca1e9ccb7b18750a5b

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
96KB

MD5
ffc3a882fde58c71fb96ba76dea26286

SHA1
866375e9ff9a941829351c85df7b65d32b4dd692

SHA256
be582506c128523487e6fb50613f0f7f68ab84f70b914f98cabf1cd8c2411842

SHA512
21ad8504b6c99ccbf3872deb04d32801134fc32764bd3f97ea25c14ef3c9847969f55399c2ed6d9c8025466b9450815d33e6cab3519bcf1d93b63271e115397f

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
96KB

MD5
d98ff66140c61356bde538c794e8344d

SHA1
4bd518bf66478a0d46047f702c404037bef4ccc3

SHA256
b9d90de2b553a87c7c0ba910902e5fe446a96e5d69c544befb4879b53312ca76

SHA512
a8328b3b4f0754e8482d07c45b8167b60e59e8aed401c0d58a79a7fb00218956b5751d710503fc7e734b860f30e279074d921a3383d27296dbb3ac7f573d0b37

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
96KB

MD5
b16b8cfd9e7cf8a94dbd53fa6616aca5

SHA1
7944702ee9bf78f2ee7f220b8679fd5a61dce92f

SHA256
5291cff885bb5b13cc29083aeeece90626842c4a37750301c81f2348df6dce99

SHA512
edc8acc18bab50066338c88f8a76b7857ace2d2635a41d150cd71f08ece936df7e0f8c9ecf80035adfb21ba8cd92f4719cc7d813a3155054a1f218f1bef76c26

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
96KB

MD5
5201c7de42b4da821de9948c74fb2ade

SHA1
77094a647230a5eb3518956c166ad0be0f0c71ed

SHA256
7dc083ffb1e5ddbdc26a074de40ffa41cd21085948e7d7135625d8cd350d6f98

SHA512
18b31e9967ebf3834d6a8ce715dabeb2ae5224ebd04d440684ad5c51591680b2f5fc312232dfc85a53f59c72b07b048b2ab5b2c323026bdd7fb86a5294a107ed

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
96KB

MD5
5b3c48be3c1facff32822a45bfd49a34

SHA1
fa881cf240c9de5fa4c68cd022f5ca68f8a06b76

SHA256
e17f252d8549b450c9bb0af80d370571ac069831b943f51ac53c55e4e7faf67e

SHA512
d9d2f2a550ea7c0575e7a57ced1a1125c07fa2d15b4b1670e80026400a8685accdcf316e4f9568b106b7c3f61b7ca6db1db27c6176c510caf1a24990dd25879d

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
96KB

MD5
697b8907af817fe45e148317f01dac83

SHA1
b3803198c3d72571aef08339f242cd26b288665b

SHA256
278ab982dacce811977832eb8dbcf80b485677e63b54385d33d2f753e7ff291f

SHA512
6402aa7383470389f32f2ce6a2013f08dfedaae196832e9bc04a07a7a111f3da9e31a252a6fd662eb3dfa60c445166ca07bc5ae4d888f7b49f6d12f9689124f7

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
96KB

MD5
27c4451b2175a2c8c42cf7a4209b8496

SHA1
577bca5ba224bc700b14d82f0af637f8562ca7d1

SHA256
74eed16312c976c70180e13d1a70d17521199d8e6373aae2039622a157a49f0f

SHA512
d5bce834495731e22ee174f6cd4c9834df5f59bf5180fee7f8d7b870ef2af83511ad85fe3ecfe2fc982e25a6fec5fda8ea8c24aa6379854d6cafa27ed897e224

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
96KB

MD5
364cf8a81140b0454971c58862d21fb0

SHA1
234559187f10c82e4c4c9377d80250203b31331f

SHA256
ef3b5e32d30bc1c8f016d39485f71fce7775519274d2c4cb83ac2c7a0f0f0183

SHA512
480dfd800e629b6316b66a4bae4561e44b27cbb053c767328ffef9ac3224ef45795cbbdcd0e51802dd21226627bdea80b2fc2ce33d935453b1890d24ec607bdb

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
96KB

MD5
9d2731dba80d29497bbf2152080f5a8a

SHA1
49b2350223486e1d7f2b47ab7296f1aa07e5fa9d

SHA256
833ee7c1601729addb73184f59e6b9c94c23429dcedd977118ab89f254d53507

SHA512
604ad289722802b238df3343936a0a5f7da721b263ba3f46db11aad87086a19860a83e08225c434135a9608e367d07e71fe56b006947be4fb6f84617385e1944

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
96KB

MD5
b5407612976a73613e3427f7f023a5d3

SHA1
95623b895177c8de04e1f1ab1f5db84671201dd0

SHA256
ae69b73b269ae1b4d225c4240062af01967098c7a5c367eb7819b0f050279145

SHA512
790dfbe686c229f201de8c8bec25b6da3895b8327ef5587e44499e79324a59b7bd104515696ec2f91952ec4599313b7fd4c2c6676b055145726d17044baec566

Download Submit
\Windows\SysWOW64\Qeohnd32.exe

Filesize
96KB

MD5
50bc5c192a9d0579698decf1f0dd0916

SHA1
2d5ce058f5a7e2c5baa5ae7843c6583275424d74

SHA256
8fa6193488490303ee57a312f597c5c9d6f635565069173073916859f7f62320

SHA512
6b15b55d2fd8bf755ad1f211d8745557162860603cdedbd7c6ed6e61f6cbe17185a303b056085a4c1eb46f6cca0c6fe51e036f53ee1aa4dab08e8d26c23e114c

Download Submit
\Windows\SysWOW64\Qgmdjp32.exe

Filesize
96KB

MD5
6f2a7c0bbfee603736a212780449b303

SHA1
d77763640ab18bd2f5418c7619f2326d5e2120c4

SHA256
1a871894b283c156540d24fcd789c70b519e54b8efae552ede7acf295f354bc5

SHA512
855a1370b1eabd32241f0cbc24b21b6bf426c21d00b38948c77c1230460af53a6923a95b56a4d53a070562a4af34791a567d236268523e1b1ae51579d3be1be3

Download Submit
memory/476-82-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/476-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/476-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-286-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/868-287-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/880-454-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/880-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-455-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1080-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-376-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1188-171-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1240-251-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1240-254-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1248-223-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1248-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-316-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1288-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-325-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1484-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-266-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1540-262-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1540-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-420-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1680-245-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1680-241-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1680-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-409-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1756-442-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1756-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-441-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1852-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-443-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2080-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-467-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2084-465-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2084-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-386-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2188-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-158-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2308-273-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2308-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-277-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2352-132-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2352-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-387-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2440-39-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2440-40-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2440-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-478-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2448-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-297-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2476-298-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2508-310-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2508-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-308-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2564-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-337-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2628-342-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2656-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-54-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2656-398-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2668-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-118-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2668-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-354-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2708-25-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2708-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-366-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2708-24-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2856-344-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2856-7-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2856-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-331-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2920-330-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2920-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-68-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/3008-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-419-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads