c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52

Analysis

max time kernel
141s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Size

91KB
MD5

61dc87978cd5bd1ee53e7f535f1dd68d
SHA1

2a2dca869445232852ac6fedda1abfd6624b1eeb
SHA256

c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52
SHA512

ecf04799b1fbaf6c1c5c96d4819a1df97ddf6911c2db340fce696c1339b400d16afccb820bf2a9f2fe454375514f1a7389b92fc67fad33ca07c01665f373ae9c
SSDEEP

1536:p/Pe0Prxo1fVVtihTwhpp+1ghnqObmVy9Zt9cx0XBQZFo:p/Pe0PreVe4MCkEux0XBQZu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokdga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qoaaqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpjga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmahog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmahog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablmilgf.exe

Executes dropped EXE 22 IoCs

pid	Process
2372	Qmahog32.exe
2792	Qckalamk.exe
2692	Qfimhmlo.exe
296	Qoaaqb32.exe
2228	Ajgfnk32.exe
2936	Amebjgai.exe
2728	Acpjga32.exe
1136	Ailboh32.exe
2552	Acbglq32.exe
2516	Abeghmmn.exe
2352	Aoihaa32.exe
2996	Ankhmncb.exe
2116	Agdlfd32.exe
316	Aokdga32.exe
1660	Abiqcm32.exe
2500	Aicipgqe.exe
2096	Akbelbpi.exe
2296	Ablmilgf.exe
968	Aaondi32.exe
1300	Bcmjpd32.exe
1960	Bnbnnm32.exe
2344	Bmenijcd.exe

Loads dropped DLL 48 IoCs

pid	Process
3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
2372	Qmahog32.exe
2372	Qmahog32.exe
2792	Qckalamk.exe
2792	Qckalamk.exe
2692	Qfimhmlo.exe
2692	Qfimhmlo.exe
296	Qoaaqb32.exe
296	Qoaaqb32.exe
2228	Ajgfnk32.exe
2228	Ajgfnk32.exe
2936	Amebjgai.exe
2936	Amebjgai.exe
2728	Acpjga32.exe
2728	Acpjga32.exe
1136	Ailboh32.exe
1136	Ailboh32.exe
2552	Acbglq32.exe
2552	Acbglq32.exe
2516	Abeghmmn.exe
2516	Abeghmmn.exe
2352	Aoihaa32.exe
2352	Aoihaa32.exe
2996	Ankhmncb.exe
2996	Ankhmncb.exe
2116	Agdlfd32.exe
2116	Agdlfd32.exe
316	Aokdga32.exe
316	Aokdga32.exe
1660	Abiqcm32.exe
1660	Abiqcm32.exe
2500	Aicipgqe.exe
2500	Aicipgqe.exe
2096	Akbelbpi.exe
2096	Akbelbpi.exe
2296	Ablmilgf.exe
2296	Ablmilgf.exe
968	Aaondi32.exe
968	Aaondi32.exe
1300	Bcmjpd32.exe
1300	Bcmjpd32.exe
1960	Bnbnnm32.exe
1960	Bnbnnm32.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Abeghmmn.exe
File opened for modification	C:\Windows\SysWOW64\Bcmjpd32.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	Qmahog32.exe
File created	C:\Windows\SysWOW64\Kjcbpigl.dll	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Abeghmmn.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Agdlfd32.exe	Ankhmncb.exe
File opened for modification	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Qmahog32.exe	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
File opened for modification	C:\Windows\SysWOW64\Ajgfnk32.exe	Qoaaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Acpjga32.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Abeghmmn.exe
File opened for modification	C:\Windows\SysWOW64\Aokdga32.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Naagof32.dll	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Amncmd32.dll	Qoaaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Amebjgai.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Bcmjpd32.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Ppqolemj.dll	Acpjga32.exe
File opened for modification	C:\Windows\SysWOW64\Ablmilgf.exe	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Hgeahj32.dll	Qckalamk.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Acpjga32.exe
File created	C:\Windows\SysWOW64\Aicipgqe.exe	Abiqcm32.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Bdinjj32.dll	Acbglq32.exe
File created	C:\Windows\SysWOW64\Lbdcfl32.dll	Amebjgai.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Abeghmmn.exe
File created	C:\Windows\SysWOW64\Jichkb32.dll	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Ablmilgf.exe	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Bnbnnm32.exe	Bcmjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Qckalamk.exe	Qmahog32.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Polhjf32.dll	Aokdga32.exe
File created	C:\Windows\SysWOW64\Inceepmo.dll	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bnbnnm32.exe
File opened for modification	C:\Windows\SysWOW64\Ankhmncb.exe	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Abiqcm32.exe	Aokdga32.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Jgcfpd32.dll	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Abeghmmn.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Abiqcm32.exe	Aokdga32.exe
File created	C:\Windows\SysWOW64\Olfclj32.dll	Bcmjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Qmahog32.exe	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	Qmahog32.exe
File opened for modification	C:\Windows\SysWOW64\Aicipgqe.exe	Abiqcm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaondi32.exe	Ablmilgf.exe
File opened for modification	C:\Windows\SysWOW64\Bnbnnm32.exe	Bcmjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Acpjga32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Ankhmncb.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Acpjga32.exe	Amebjgai.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Glkimi32.dll	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Lelhjebf.dll	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
File created	C:\Windows\SysWOW64\Qoaaqb32.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Aaondi32.exe	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Acbglq32.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Iibjbgbg.dll	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Ajgfnk32.exe	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Bjakil32.dll	Aaondi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1200	2344	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmahog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicipgqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablmilgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcmjpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeghmmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankhmncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abiqcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qoaaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgfnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpjga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokdga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcfpd32.dll"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inceepmo.dll"	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfclj32.dll"	Bcmjpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ailboh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjakil32.dll"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcbpigl.dll"	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll"	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amncmd32.dll"	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcfl32.dll"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaondi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkimi32.dll"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmahog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmahog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polhjf32.dll"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelhjebf.dll"	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	Qmahog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpjga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaondi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2372	3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe	30
PID 3068 wrote to memory of 2372	3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe	30
PID 3068 wrote to memory of 2372	3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe	30
PID 3068 wrote to memory of 2372	3068	c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe	30
PID 2372 wrote to memory of 2792	2372	Qmahog32.exe	31
PID 2372 wrote to memory of 2792	2372	Qmahog32.exe	31
PID 2372 wrote to memory of 2792	2372	Qmahog32.exe	31
PID 2372 wrote to memory of 2792	2372	Qmahog32.exe	31
PID 2792 wrote to memory of 2692	2792	Qckalamk.exe	32
PID 2792 wrote to memory of 2692	2792	Qckalamk.exe	32
PID 2792 wrote to memory of 2692	2792	Qckalamk.exe	32
PID 2792 wrote to memory of 2692	2792	Qckalamk.exe	32
PID 2692 wrote to memory of 296	2692	Qfimhmlo.exe	33
PID 2692 wrote to memory of 296	2692	Qfimhmlo.exe	33
PID 2692 wrote to memory of 296	2692	Qfimhmlo.exe	33
PID 2692 wrote to memory of 296	2692	Qfimhmlo.exe	33
PID 296 wrote to memory of 2228	296	Qoaaqb32.exe	34
PID 296 wrote to memory of 2228	296	Qoaaqb32.exe	34
PID 296 wrote to memory of 2228	296	Qoaaqb32.exe	34
PID 296 wrote to memory of 2228	296	Qoaaqb32.exe	34
PID 2228 wrote to memory of 2936	2228	Ajgfnk32.exe	35
PID 2228 wrote to memory of 2936	2228	Ajgfnk32.exe	35
PID 2228 wrote to memory of 2936	2228	Ajgfnk32.exe	35
PID 2228 wrote to memory of 2936	2228	Ajgfnk32.exe	35
PID 2936 wrote to memory of 2728	2936	Amebjgai.exe	36
PID 2936 wrote to memory of 2728	2936	Amebjgai.exe	36
PID 2936 wrote to memory of 2728	2936	Amebjgai.exe	36
PID 2936 wrote to memory of 2728	2936	Amebjgai.exe	36
PID 2728 wrote to memory of 1136	2728	Acpjga32.exe	37
PID 2728 wrote to memory of 1136	2728	Acpjga32.exe	37
PID 2728 wrote to memory of 1136	2728	Acpjga32.exe	37
PID 2728 wrote to memory of 1136	2728	Acpjga32.exe	37
PID 1136 wrote to memory of 2552	1136	Ailboh32.exe	38
PID 1136 wrote to memory of 2552	1136	Ailboh32.exe	38
PID 1136 wrote to memory of 2552	1136	Ailboh32.exe	38
PID 1136 wrote to memory of 2552	1136	Ailboh32.exe	38
PID 2552 wrote to memory of 2516	2552	Acbglq32.exe	39
PID 2552 wrote to memory of 2516	2552	Acbglq32.exe	39
PID 2552 wrote to memory of 2516	2552	Acbglq32.exe	39
PID 2552 wrote to memory of 2516	2552	Acbglq32.exe	39
PID 2516 wrote to memory of 2352	2516	Abeghmmn.exe	40
PID 2516 wrote to memory of 2352	2516	Abeghmmn.exe	40
PID 2516 wrote to memory of 2352	2516	Abeghmmn.exe	40
PID 2516 wrote to memory of 2352	2516	Abeghmmn.exe	40
PID 2352 wrote to memory of 2996	2352	Aoihaa32.exe	41
PID 2352 wrote to memory of 2996	2352	Aoihaa32.exe	41
PID 2352 wrote to memory of 2996	2352	Aoihaa32.exe	41
PID 2352 wrote to memory of 2996	2352	Aoihaa32.exe	41
PID 2996 wrote to memory of 2116	2996	Ankhmncb.exe	42
PID 2996 wrote to memory of 2116	2996	Ankhmncb.exe	42
PID 2996 wrote to memory of 2116	2996	Ankhmncb.exe	42
PID 2996 wrote to memory of 2116	2996	Ankhmncb.exe	42
PID 2116 wrote to memory of 316	2116	Agdlfd32.exe	43
PID 2116 wrote to memory of 316	2116	Agdlfd32.exe	43
PID 2116 wrote to memory of 316	2116	Agdlfd32.exe	43
PID 2116 wrote to memory of 316	2116	Agdlfd32.exe	43
PID 316 wrote to memory of 1660	316	Aokdga32.exe	44
PID 316 wrote to memory of 1660	316	Aokdga32.exe	44
PID 316 wrote to memory of 1660	316	Aokdga32.exe	44
PID 316 wrote to memory of 1660	316	Aokdga32.exe	44
PID 1660 wrote to memory of 2500	1660	Abiqcm32.exe	45
PID 1660 wrote to memory of 2500	1660	Abiqcm32.exe	45
PID 1660 wrote to memory of 2500	1660	Abiqcm32.exe	45
PID 1660 wrote to memory of 2500	1660	Abiqcm32.exe	45

C:\Users\Admin\AppData\Local\Temp\c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe
"C:\Users\Admin\AppData\Local\Temp\c736bdc1753a2a51169874303792b4156df363e0d358801838b53c088b73ec52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Qmahog32.exe
  C:\Windows\system32\Qmahog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Qckalamk.exe
    C:\Windows\system32\Qckalamk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Qfimhmlo.exe
      C:\Windows\system32\Qfimhmlo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Qoaaqb32.exe
        
        C:\Windows\system32\Qoaaqb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\Windows\SysWOW64\Ajgfnk32.exe
        
        C:\Windows\system32\Ajgfnk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Amebjgai.exe
        
        C:\Windows\system32\Amebjgai.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Acpjga32.exe
        
        C:\Windows\system32\Acpjga32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Abeghmmn.exe
        
        C:\Windows\system32\Abeghmmn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ankhmncb.exe
        
        C:\Windows\system32\Ankhmncb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Agdlfd32.exe
        
        C:\Windows\system32\Agdlfd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Aokdga32.exe
        
        C:\Windows\system32\Aokdga32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Abiqcm32.exe
        
        C:\Windows\system32\Abiqcm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Aicipgqe.exe
        
        C:\Windows\system32\Aicipgqe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ablmilgf.exe
        
        C:\Windows\system32\Ablmilgf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bcmjpd32.exe
        
        C:\Windows\system32\Bcmjpd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Bnbnnm32.exe
        
        C:\Windows\system32\Bnbnnm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaondi32.exe

Filesize
91KB

MD5
42dfdae6ba1103a6bc93b82d99a2e128

SHA1
4cb97e3102643d2a6c29ac37877a1d5b788855aa

SHA256
0e87830139eca0f927bcb381573b4b9a8eb0751e83ef0cc1c3b263202b7b7c8c

SHA512
9c24d243fab2c974c84745d5852e71dc29e9d4aa0387800c5a6f4b758dae58327781fa6b9910b9e2731bff16f4141c238b4c0a453260ea5dcf8c5216b8fd39be

Download Submit
C:\Windows\SysWOW64\Ablmilgf.exe

Filesize
91KB

MD5
74f2cafc9768bcb793f9d6fee10d8d06

SHA1
45ad3418da3ffa5523b10dd445be0030c5c59c94

SHA256
87145d51bfa92f79ed1b0706fc7dbab09c368aaeb85c771d2fe0d08c01e1022a

SHA512
301e858b7cb6084334e7a318f2c21490b53e5dfb43ced48f833bb67b611d524e42fe2d2f4a30e7fad7893ac8fbe8b7469d99bb4ab19af6d9d6df681cc3dff074

Download Submit
C:\Windows\SysWOW64\Ailboh32.exe

Filesize
91KB

MD5
52cb369535886c9aff4d68fb3ae76e04

SHA1
0445e16edfb1467576e8c82ea8208636a3394eb1

SHA256
6823fb283f81e1476f52d21a74879a971e626300bcc2b3369849eec08a37aa55

SHA512
1276480b427a90414c7cbe6bf7da3b8b531a7c4a62b3ce0c36faca3e0c363f2f6eb4596a018846f59976329b70af9c9c8bcfa00cd8d2e9fa61bb71c36b49c6b3

Download Submit
C:\Windows\SysWOW64\Akbelbpi.exe

Filesize
91KB

MD5
2320105fac68794c3fe9ca83b48985d9

SHA1
c8f81fdf683c0f1a0dc71289890730dc873082bf

SHA256
9d0705f5ae16a26fd686dc845925b6e483b84f2bc1a0780d0fe3c7e3e9e9796c

SHA512
4db06bd1f0dd3f3dee856005a5508bb0bb02086e91891886ac97d5155bac088654231324ec02bd7d541c914e280425aab791506d8c600707aaf19084f0bfabb3

Download Submit
C:\Windows\SysWOW64\Ankhmncb.exe

Filesize
91KB

MD5
bdf6d2a04173dfcb904aa612bfffc789

SHA1
60da5c39ea5e0da42d4a2d66d5c8717251097d95

SHA256
7c50b91e631fff58615997cefcf5bf5c22ce1ecfebb64898bb3fed9394995886

SHA512
2a274204692c8a787ddeabd4e88916559b0f0a1fced3dfb96e489ca2d045fc2a064645340bc5e0a1ebe88c6b0ce014644d2bc1f06bddbf8fc8d4aecdfd0214b2

Download Submit
C:\Windows\SysWOW64\Aoihaa32.exe

Filesize
91KB

MD5
af90779d261a12764f50d675e4e328be

SHA1
20be04b9e90190ef2c133d4bbdbb927d9e60d79f

SHA256
8b91dad9d744959ce854144d0b39ac24481d71881eaf1af90fb45e1d626f03b5

SHA512
54cfc9549e9158bc658391c147fd41a3bd908eefcb8534b4c69704bf673a36f708bdbdd98ea6359773e3bffc9399af419842ef681d31d9106af9122b1b4e973a

Download Submit
C:\Windows\SysWOW64\Bcmjpd32.exe

Filesize
91KB

MD5
68cf7a3a6cce65caec09da2d8f134621

SHA1
0dcc0fe25412199aff53231d7c3f1fe2be93b7bc

SHA256
85388c34fcf9894af5e071b794c0675032f0aba03bf906693b86a51092e482bf

SHA512
9aa45a3cd3437f7a79e0289c4bf520d24a7de6a4aa8bb659714dcf261b65289b2da7fcdfd73719a2b6885a3593708a03c7bf3676a116f69b37e9c3db2dbac448

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
91KB

MD5
07785992241d215592127a169626cfab

SHA1
a7251ec145ba8d347d37498bef301e41bc780100

SHA256
222f8b77cf49885fba73f49c1af802b60368018489034b19bebb771c522a00e1

SHA512
5d7a9366bec4cd6a1700d39b54751fb25ffd46c6ae0bb65885ff94696c7d31957a4a0a3f4c5d43a0766ccfb2b18626628ac24659263941239a61f75a3d128a57

Download Submit
C:\Windows\SysWOW64\Bnbnnm32.exe

Filesize
91KB

MD5
ebc09d280bfe736cf0eff7640621ee58

SHA1
aa72c64dfd8fab6717cf9716a2aba90e7e3f0cd6

SHA256
89dd43a42d24e28cadcc699f51bd3f121cbdc3ea3eec31ba75bec9931a5653d2

SHA512
40f82cbf5e6ae8f524f288cde1514578c784d6e02433d2ca956ef6096ddc0f82d26c2f7cae5a9abfca86b1449cc7846a211a8e65739e01359e7cc730b2292803

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
91KB

MD5
808c3e29a85aa3481abb9eca71f6ccbe

SHA1
6c9c880dddda9ea5efb95dd22c9964635a9caa3d

SHA256
f6b716f616506aa788473e6a9d4603667dfdb49717a3c8ce643adfc50edd5ba5

SHA512
53809063fee7ab2895056e7bc8534ee69837f3477ab58be511f42e8a9014ed3eeecb4cd06106e5919e0a97743b1cce3d32fcdef084868db92856ea18dd056bbd

Download Submit
\Windows\SysWOW64\Abeghmmn.exe

Filesize
91KB

MD5
fa6f6f36b2c9f3d145e29a9622620de4

SHA1
f71c38652ac1349e959598859ee2ffa2c4e7ceed

SHA256
fbdee9848a604565d3937f0e193bff70b505b8c300a570c8f239012e1dca2dcf

SHA512
8b47d43cf3f968059c860b259d9d89fe5b55b34720549889614be48107defc59642b497e9dfa5a9f2881632afb99a4e53aa4278d74f4f2d4fcbb24f2d3da6087

Download Submit
\Windows\SysWOW64\Abiqcm32.exe

Filesize
91KB

MD5
7d305051d5751a9f5930c94bb8c1dc4a

SHA1
923b3587a12d3eed07fdca8ae2d3943184f9a009

SHA256
a1db01b3f1ad699ec564c862cc9231862ccb7b03b08619f7249bc5df2b835102

SHA512
0ec8aa2cd5acaf0c5aeea6d4db7795e754ffb129f9f8eda362f63a6f625789bf76f5668b5ee63a6b84a2ac8c7c45c9533c779ad45c908c4a86fe8e63673c1819

Download Submit
\Windows\SysWOW64\Acbglq32.exe

Filesize
91KB

MD5
919b613345fa79450a15a10ff92cd80a

SHA1
20292ccfe4e4c8e204cfe60f03cfe549b4a4efb8

SHA256
33fe42c985cd44f814ad5f5fb1154e4c2ebaae7d824a2ea127fe7a0c67bbe598

SHA512
430922afdc748eeac7b99e1219662245cec6edab90e1ae9718c8c0323cda233a294ce4a41f0ec482b7c99433f7848f2bcdf0c707ed0bab6c9b63b2f64af2d18b

Download Submit
\Windows\SysWOW64\Acpjga32.exe

Filesize
91KB

MD5
e1c4efa6fb1d2d4e7e88cf43e7fe4b54

SHA1
a4c8b54db2e9fb00ae6d128e6d82d4d782b4cbcb

SHA256
3d8648a197ab3d97c96a9302d42d7562b92ace8cdd89605a72bab942312b008f

SHA512
304b41063dddd9ea1679ee26d59961cd88d7c5999251d6fa3a39b51e217b7db48dffb746ebacff4d4f364394b745943c03ec5d990d0d25624a75a7647e5f8394

Download Submit
\Windows\SysWOW64\Agdlfd32.exe

Filesize
91KB

MD5
6aeed82605a9d8e3bd5a276934f62b88

SHA1
a5013deec40f1595766b45b900674755f77e79f3

SHA256
03881d22e7ebde5f98d8ccb054e2294f2e70807ee0f965972270562f0507dcb5

SHA512
5888d46da32f2d2c50f6cdbca32838891e4e5eb48722d33a2d191a000931ccd0b322b80e1dc5ae6b8af64a645a6dd657f450ce609ba9311b0276bc5c8356934a

Download Submit
\Windows\SysWOW64\Aicipgqe.exe

Filesize
91KB

MD5
50cb536c198903aa361df35a9c9b0ded

SHA1
ef9cb628a14c5c12cd777d7a4bff12880f270de6

SHA256
42d0c69129a2061d571b040f58fa433673b45763b5b4b43c4949476a59d0787d

SHA512
ca32e7001fc9e0ec8e4546e4c0d8dca7fa8450a60cb5084f9cc735f0e9406de897729731d315f9cd8aa3a5341c7a308e091324f92bffa471466bca2cd2199ec8

Download Submit
\Windows\SysWOW64\Ajgfnk32.exe

Filesize
91KB

MD5
1f8864d6cbfcada8b3581e8ec4e41d06

SHA1
3fa8005fa11d97604dc65112bd253ab595d0515a

SHA256
ad166a86b59a5860aa567507dfc8fde2713e385d519e648a23b9e3ad5a60deb1

SHA512
8a644e8bfd2b8035019c83cf4bf672de363bc1ccfa1b049d57501165a66d269c6ade17e46aa5bf8065b0088c8b7ac4d5556e305073c0d80ec80726bdbfeaf154

Download Submit
\Windows\SysWOW64\Amebjgai.exe

Filesize
91KB

MD5
586f58bd20fb05b1ab9d0316ef51585b

SHA1
816ff343eb3d02edd1ae20a5a861399ebdb744c7

SHA256
3fc71b157cc408ca2165d973f7f4dbbdfef3b7fb77ec10e0909bb4eee9bcb4ab

SHA512
b9f776e5fbb5f81bf6213ba558cf5d14cedfd35770e2aee5c3bde92f34e740624429a11f47d37eeca6a7533bc6819660ed68a921aee8e4218a9e82215563c8b8

Download Submit
\Windows\SysWOW64\Aokdga32.exe

Filesize
91KB

MD5
1bee94d07804d96485c82dfbd5a6dcf8

SHA1
099f8e2719defc3cc54082561418d554d9d2c28a

SHA256
6eae13bc834ed809462d990e3e41b31906acc86c59cd669796c73b08f47b912a

SHA512
bb10b0e9cb4acd2d787ec48ccf5e3ce061f2521f3fff751709cd911152a2f1b36234269dca36553d34e70affaa999a6b3ec4119a4773787c206e5fb0d4d0f40a

Download Submit
\Windows\SysWOW64\Qckalamk.exe

Filesize
91KB

MD5
428e1b38856dd976a4be244e03379cf0

SHA1
d4b163688ed03bf227f99161eb83c7e80ceab7a3

SHA256
47c5734c2189487237157c00adce26758dbb7cb4af772128ff060b85315e1b38

SHA512
854848f7ed948c81557b97abc868d6404aaf12af081d86982e608b58883a9d84038990f916e235e5488280b208af07407d63023aa65d52f5f9e8edb2cc4b35e6

Download Submit
\Windows\SysWOW64\Qmahog32.exe

Filesize
91KB

MD5
5c4c0e6d0610f315e057bd6874a84a6e

SHA1
75cdf6ba0a63941ea09fe679ea37fec5317bdf67

SHA256
1a69ba03b7defcc18e7b3abd7025cfb4464c601af57b46dcc6d690eb4cca31f7

SHA512
73abc5d0b383423d1dd79d90bf5a5ed49cb562e7ae99033c205e47e445cfd41c478e6fd9fbbf04d495ddad75781f7c200537461cb79335e7f2d26e4223082687

Download Submit
\Windows\SysWOW64\Qoaaqb32.exe

Filesize
91KB

MD5
8718b97f569d946485bf992856b4f92e

SHA1
3342da46ff0852dc85fe0ec6a0412f48e8b1f696

SHA256
f9863244d28546bfa38a67f1d687bff8c38410ca4506e8fd07ed37847f7f5759

SHA512
6fa918c156b905da31bc7e4c9f7891d5e36574360363028e75f6f07c658b9bc69254f3a91cfec381727e378fa6945008e85f410f3210e5136cc72cebf81124d0

Download Submit
memory/296-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/296-61-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/296-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-192-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/968-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-207-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1960-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-240-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2344-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-144-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2552-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-87-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2936-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-11-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/3068-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads