fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Size

67KB
MD5

48ddf45b4a756056b009285518105995
SHA1

934cba0b11f298017c18329ad7b5eed469b71f40
SHA256

fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3
SHA512

682a1d6bdb6507b1c127bd80ea870255431efa98f55a793ae5b57c92edee5970d98b27745346aef581c9a705666dcda38308897e0139a73df69e2fc3b15e615d
SSDEEP

1536:WcTWrtO4L+97uwzciT2P9zImja1l8AOg7Sy6KRQvR/Rj:WcTWrtO4L+97uwgiaP9Ml1l8Ag/KevVx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabkbono.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdmoafdb.exe

Executes dropped EXE 44 IoCs

pid	Process
228	Qiiflaoo.exe
3384	Qcnjijoe.exe
1124	Qjhbfd32.exe
1756	Aabkbono.exe
1312	Afockelf.exe
4848	Amikgpcc.exe
4524	Acccdj32.exe
4228	Amkhmoap.exe
3356	Adepji32.exe
4748	Aibibp32.exe
1772	Aaiqcnhg.exe
4332	Affikdfn.exe
1064	Apnndj32.exe
2412	Abmjqe32.exe
4352	Bmbnnn32.exe
4704	Bpqjjjjl.exe
1432	Bjfogbjb.exe
2468	Bapgdm32.exe
3932	Bfmolc32.exe
2464	Babcil32.exe
2824	Bpedeiff.exe
4416	Bfolacnc.exe
4360	Bphqji32.exe
828	Bkmeha32.exe
4732	Bmladm32.exe
4776	Bpjmph32.exe
1376	Bbhildae.exe
1968	Ckpamabg.exe
4980	Cmnnimak.exe
2492	Cgfbbb32.exe
3944	Cmpjoloh.exe
4400	Ccmcgcmp.exe
3164	Cgiohbfi.exe
4276	Cmbgdl32.exe
3980	Cdmoafdb.exe
3048	Ckggnp32.exe
3460	Caqpkjcl.exe
4368	Cgmhcaac.exe
3492	Cmgqpkip.exe
448	Ccdihbgg.exe
2168	Dinael32.exe
4800	Dphiaffa.exe
1396	Dgbanq32.exe
1212	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Amkhmoap.exe	Acccdj32.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Abmjqe32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Amikgpcc.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Bphqji32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Bfmolc32.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Bphqji32.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Afockelf.exe	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Mjaofnii.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Qjhbfd32.exe	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Bpedeiff.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Qiiflaoo.exe	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
File created	C:\Windows\SysWOW64\Aabkbono.exe	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	Adepji32.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dinael32.exe
File created	C:\Windows\SysWOW64\Kbpkkeen.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Aaiqcnhg.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Abmjqe32.exe	Apnndj32.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Labnlj32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Bpedeiff.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Adepji32.exe	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Bmbnnn32.exe	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Iponmakp.dll	Bmladm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	1212	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aibibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiiflaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjhbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Affikdfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amikgpcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkhmoap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfolacnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaiqcnhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afockelf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adepji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apnndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcnjijoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acccdj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Affikdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll"	Afockelf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqjha32.dll"	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apnndj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caaimlpo.dll"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afockelf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll"	Aaiqcnhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 228	3332	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe	90
PID 3332 wrote to memory of 228	3332	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe	90
PID 3332 wrote to memory of 228	3332	fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe	90
PID 228 wrote to memory of 3384	228	Qiiflaoo.exe	91
PID 228 wrote to memory of 3384	228	Qiiflaoo.exe	91
PID 228 wrote to memory of 3384	228	Qiiflaoo.exe	91
PID 3384 wrote to memory of 1124	3384	Qcnjijoe.exe	92
PID 3384 wrote to memory of 1124	3384	Qcnjijoe.exe	92
PID 3384 wrote to memory of 1124	3384	Qcnjijoe.exe	92
PID 1124 wrote to memory of 1756	1124	Qjhbfd32.exe	93
PID 1124 wrote to memory of 1756	1124	Qjhbfd32.exe	93
PID 1124 wrote to memory of 1756	1124	Qjhbfd32.exe	93
PID 1756 wrote to memory of 1312	1756	Aabkbono.exe	94
PID 1756 wrote to memory of 1312	1756	Aabkbono.exe	94
PID 1756 wrote to memory of 1312	1756	Aabkbono.exe	94
PID 1312 wrote to memory of 4848	1312	Afockelf.exe	95
PID 1312 wrote to memory of 4848	1312	Afockelf.exe	95
PID 1312 wrote to memory of 4848	1312	Afockelf.exe	95
PID 4848 wrote to memory of 4524	4848	Amikgpcc.exe	97
PID 4848 wrote to memory of 4524	4848	Amikgpcc.exe	97
PID 4848 wrote to memory of 4524	4848	Amikgpcc.exe	97
PID 4524 wrote to memory of 4228	4524	Acccdj32.exe	98
PID 4524 wrote to memory of 4228	4524	Acccdj32.exe	98
PID 4524 wrote to memory of 4228	4524	Acccdj32.exe	98
PID 4228 wrote to memory of 3356	4228	Amkhmoap.exe	99
PID 4228 wrote to memory of 3356	4228	Amkhmoap.exe	99
PID 4228 wrote to memory of 3356	4228	Amkhmoap.exe	99
PID 3356 wrote to memory of 4748	3356	Adepji32.exe	100
PID 3356 wrote to memory of 4748	3356	Adepji32.exe	100
PID 3356 wrote to memory of 4748	3356	Adepji32.exe	100
PID 4748 wrote to memory of 1772	4748	Aibibp32.exe	101
PID 4748 wrote to memory of 1772	4748	Aibibp32.exe	101
PID 4748 wrote to memory of 1772	4748	Aibibp32.exe	101
PID 1772 wrote to memory of 4332	1772	Aaiqcnhg.exe	102
PID 1772 wrote to memory of 4332	1772	Aaiqcnhg.exe	102
PID 1772 wrote to memory of 4332	1772	Aaiqcnhg.exe	102
PID 4332 wrote to memory of 1064	4332	Affikdfn.exe	104
PID 4332 wrote to memory of 1064	4332	Affikdfn.exe	104
PID 4332 wrote to memory of 1064	4332	Affikdfn.exe	104
PID 1064 wrote to memory of 2412	1064	Apnndj32.exe	105
PID 1064 wrote to memory of 2412	1064	Apnndj32.exe	105
PID 1064 wrote to memory of 2412	1064	Apnndj32.exe	105
PID 2412 wrote to memory of 4352	2412	Abmjqe32.exe	106
PID 2412 wrote to memory of 4352	2412	Abmjqe32.exe	106
PID 2412 wrote to memory of 4352	2412	Abmjqe32.exe	106
PID 4352 wrote to memory of 4704	4352	Bmbnnn32.exe	107
PID 4352 wrote to memory of 4704	4352	Bmbnnn32.exe	107
PID 4352 wrote to memory of 4704	4352	Bmbnnn32.exe	107
PID 4704 wrote to memory of 1432	4704	Bpqjjjjl.exe	108
PID 4704 wrote to memory of 1432	4704	Bpqjjjjl.exe	108
PID 4704 wrote to memory of 1432	4704	Bpqjjjjl.exe	108
PID 1432 wrote to memory of 2468	1432	Bjfogbjb.exe	109
PID 1432 wrote to memory of 2468	1432	Bjfogbjb.exe	109
PID 1432 wrote to memory of 2468	1432	Bjfogbjb.exe	109
PID 2468 wrote to memory of 3932	2468	Bapgdm32.exe	110
PID 2468 wrote to memory of 3932	2468	Bapgdm32.exe	110
PID 2468 wrote to memory of 3932	2468	Bapgdm32.exe	110
PID 3932 wrote to memory of 2464	3932	Bfmolc32.exe	112
PID 3932 wrote to memory of 2464	3932	Bfmolc32.exe	112
PID 3932 wrote to memory of 2464	3932	Bfmolc32.exe	112
PID 2464 wrote to memory of 2824	2464	Babcil32.exe	113
PID 2464 wrote to memory of 2824	2464	Babcil32.exe	113
PID 2464 wrote to memory of 2824	2464	Babcil32.exe	113
PID 2824 wrote to memory of 4416	2824	Bpedeiff.exe	114

C:\Users\Admin\AppData\Local\Temp\fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe
"C:\Users\Admin\AppData\Local\Temp\fa7591639023c8fcd2c04a6f40653e3af7f815eef4e22f17daa7e21eaa1586f3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Qiiflaoo.exe
  C:\Windows\system32\Qiiflaoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\Qcnjijoe.exe
    C:\Windows\system32\Qcnjijoe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\Qjhbfd32.exe
      C:\Windows\system32\Qjhbfd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 412
        46⤵
        Program crash
        
        PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1212 -ip 1212
1⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
67KB

MD5
c1ed4366c9981bdc97529575553d0304

SHA1
d9eaa63a183ba21cf5f8d8b6379d097d837d6d29

SHA256
d8316c9045caa9b38710d08fbccd591a787128e8df7155381579f56969132e4d

SHA512
7b65fc8ceaadd8815a62f23d33f57c09447a9dd407d5919f536ae98f918a3f7be30b7e66fc9112b17887629279873d6e7bff5f107767554753e5914e6ead72eb

Download Submit
C:\Windows\SysWOW64\Aaiqcnhg.exe

Filesize
67KB

MD5
0614afafd2dd5da46e693084d0ed6606

SHA1
95c53dd9f6eb55d366415459ad549ec76199f615

SHA256
e2bfef447d57f04a997ba411e43d00177f3527988902aa3137c14e1344d705eb

SHA512
3e4bac198b3473bcbc5089758adc82a53a254020cf7998852ae5807f13643bf4aeba87b83dcc054c03cbec333f8ed918f9721eb9f0a2d024e3883f2a1adebb73

Download Submit
C:\Windows\SysWOW64\Abmjqe32.exe

Filesize
67KB

MD5
646e56e71544e8e38f8e2ee63b54a8dd

SHA1
0b276e0cea23b66e351589c4994ce02c7fa9475f

SHA256
81c45155ce62134eb0876b6ca343f98b58e10e66111771debc77ec9e2bca3e34

SHA512
3fe31c36ced4fd54f5789e474a7b318ad2adfd464462a502ef75b479872028c107230022bb3b5cbdbe138a284f7a9f9b16cc62c00c6bc9dfd0384ddacce3652f

Download Submit
C:\Windows\SysWOW64\Acccdj32.exe

Filesize
67KB

MD5
bd6b11cb98280ddf536adfb7fb407b5f

SHA1
0a72fe2ef989f00dd140e29d566a22bc11a876ed

SHA256
1a0567179a7eb95d4d5fad5786a9ce9dc964e9dc6ea8ab4fc5a9770b7c7e3df1

SHA512
133c489fdc04dfa9053e0a8587849e7a8b9668eafa4d8ff42e83d53d176d3c6cbce9d869a527bb977f6aae85482c8d4379dea1abd2c5a51928cacf05a4284fc2

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
67KB

MD5
1624694bde9748ae2c686fa107e0e08a

SHA1
526d05bd9ea9f9bf5e5bf758eda9f5a5575e9345

SHA256
05d0e31450092e8c76d3afe87f5f4a9e7507507a97abab1fdc9666ec17a8da97

SHA512
1e52db3585618401a1b6e4f70014119690e2597a9980fb79a85ed04c51fd80899badc4e7427c5986eff3b54240eb6661cd10fb33dcd6f2dffb7f7b7a87c6da9f

Download Submit
C:\Windows\SysWOW64\Affikdfn.exe

Filesize
67KB

MD5
fc70a943dc5705984d0966a9773f2529

SHA1
5c120703c5dc8832ad67f82a9fd6538811fa1050

SHA256
a0ad706583986e8790e3d169f069ab5643600b1f93caf945d58a4e2075078cf7

SHA512
e9bed35e7ab0747453737c4cc5cd3ef8c1e5c646ef03901a6e804e6f5e0ba7d4cb7d288b37ba06f9920aeabdc20401bdf3262b8489fe9bc184a4cbdaf5d63fe5

Download Submit
C:\Windows\SysWOW64\Afockelf.exe

Filesize
67KB

MD5
ca5447d6793f8231dd2b10533d21f92c

SHA1
83a2041dd2c250fe79b21def68de9c242c9f3816

SHA256
3ee39135da31e5dee1c18c6a7079d4fc3cdc3444a9fd7f86f6b2439dc0f5ea9d

SHA512
c15ccb4fdb4a41ea9e0dadc810a6c06df8695e0ccf5425acc7343ed57ec06823f6547e0808a6c90ad252bce313dbdd2e4fed01bb39e295d5895e513e87009669

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
67KB

MD5
016641e2b21b76272ec7ffb1225f6df2

SHA1
765c4df5f127301a2f34649cd95c0791599cf0e4

SHA256
831cc0ffea94d4959b75affaadcb0c4e447e8cee25dfb077cd1e79a226a02732

SHA512
adb1fb7e88889fb96ef18f492bfde95e428685f28bb08f1b5aeea6b4b8fd4609c04b04eb44647ac99db1d8425279ee8b2d80e18baeebddce074e02fd1f7dc252

Download Submit
C:\Windows\SysWOW64\Amikgpcc.exe

Filesize
67KB

MD5
1456e432f64309873fa3df652675e792

SHA1
eb1c4752360fcbb1962462753631bccae566c70f

SHA256
21e2ef623f1de4198029c35b4bd4559ff6d334cab839f060163588a6dcee9648

SHA512
ef36f3f7eb929d9bea75be9f35de5a653443fcc860b1edf157364db99801b2e91b7e79c5e2a504be9a774f9e7e4f0e11e247199a1bc0328f0cc87ee3eb1dfa66

Download Submit
C:\Windows\SysWOW64\Amkhmoap.exe

Filesize
67KB

MD5
a238d5045d915c79be0347a0e74c03c4

SHA1
91afb956c1c89cc7f0320b79ac4526b1d1005143

SHA256
870e432a03ce3390928e68ffaff365eef2ae4a0d073a97a334b3df5e37388734

SHA512
a5eaa2919a8b51b78d37780179f2a590cc5af369cd619b9c4265625725f4caf0aef2e66c99d6000063f258e66c0bb19a072936d751e5b8a75295c06df0915701

Download Submit
C:\Windows\SysWOW64\Apnndj32.exe

Filesize
67KB

MD5
3f2ce7414f2fd4f21da1b58b5390c5b2

SHA1
a51147e256556d0db6803777051fbc0a7a87f2fa

SHA256
6dd879835f08f25f5a3084cf176059e7a72e7e990c52e4801969ba0348ce6d12

SHA512
fdfb3e18ade8fbcdd3c07859865c10d078c0a2b2f09c0768f12e24ba9d8b4dbf530620bcd807cfd902ea9039ed36e668e2184c92f48d5bdd2d8de0153b48d9f1

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
67KB

MD5
55f6f1f02c69e79eac2eab3b649995b0

SHA1
b927c346822743fe220be2649306d91688eaf70c

SHA256
1360c6dffad17062e794c68033086adb49971006088153a3a4120b894935e8dc

SHA512
6a95aab6a3839a800646a929971414b8710c2dfdc1fcee17e84c4e45323ad0d694eac2c2da92e14f2939f63ca64b276b4ba0e3b4ae632527a30ffc72d17ad212

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
67KB

MD5
e50b61f3966057706bfc5480ddec7f17

SHA1
0c7d5d80795afbb7c256fde2401d0cca26531c15

SHA256
fb0cadea0148e36db2c5ca0404b56422873267cb74cd993d0fc61615b4495f3f

SHA512
859571347887c29a463a6b34047e23bea03a724742b2bf4311744cfb966adb7564df23ac939303f114687436efea7e46be1b770d5a45d90d52860618f85a9826

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
67KB

MD5
03e81cce91f0ff55c57afe8bb90d0bf4

SHA1
1bd2c45e57825ade6feddfb9861842fc6850bf43

SHA256
b7e41b12843fc1b27500aa0960d7f4aa1687a60edfe7e69f10eff69f018ccde2

SHA512
9b7e8de5214d9e94b6ada90a0f94191254227c1d0422e5be1c47afba17569f8ee1a6084d68f6fcfb49bc1cd44eccdfbca4b7b0637bf4c5408c89472149436add

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
67KB

MD5
7b332e33481b4dad065b4b4a1250b7c5

SHA1
1d785ae05f6610712fb8fafff873ba230a57d14a

SHA256
b9206ea14b88bbf9ad528f2ab541bdce977bc51695372aac136439bbb008a193

SHA512
3e61df17c8f884beb4e13f3cc4e05ba5fa0cf897fcd246385b78b6f968be9f8c01739c90d6c775b67be55fef562294a771a7712530b642705f1b187c41e6acbf

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
67KB

MD5
c41d70626561082f924f1f74daf3468a

SHA1
c495c313d757fab8cdc161e660847af64f6197e9

SHA256
1da112800fa9094e203cb8c58d7bd8f1220b5cdce10f7649d38ce1de5f4c244e

SHA512
afc70e9e9ddef5634cb619ef940ec980fa2680a4ef03659b9b9bf26d80f2befe8471a8ae82ebbe5560cb18cc3b1cc83aa7bb6004f6f2ec0a15bfcd31e5cc4b6e

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
67KB

MD5
6e13c897321729a46cf192b9099cb70a

SHA1
eae3080509c4b53110f1a9e8321ea1f57773bf28

SHA256
9b9bf6d426e72f2ec4e69a2930c04ffb0949560fd2647f2bfb98324c9d59f026

SHA512
970ac0bb16c94da4eab9847b38d5f155150a7663ba3ba23e05772f86cb2e201da9e6cc17087c2d3faaca7f04d771a3c520f9cc8fa82bac42e762a123365e7e6e

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
67KB

MD5
0abe79ea68dfbda1f0d3eeb635fe345e

SHA1
21776fbdb75c7cb045e8fb7b7f1c2d690106a8d3

SHA256
0b57663554d0fb92c81fd1ecfa27aaaecde898a6e731e7ac403cdb0ea73c4434

SHA512
2247adf2b38a4ac4d3776ce27140f8d21bb9fbc2a46eaacc321e352dfb8513ca4f8e740706cedd70ac423ce093c70a1bf634dfc16a7507629239039c0329a196

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
67KB

MD5
a0997dda3c0845cbb44a562f6bd537cf

SHA1
a741d5135c5e224dc04d8326a35c356c0ce8ff06

SHA256
6cd428871bcc5036a3c44ca4213f66bf44b90a1d5f60faf017267ff9c79c9241

SHA512
ee947235def96756802e67bf0b1588ec127b0f2f7a7ea5bc71d7055e657a88bc045e94af2d383dd26b1125ac11a907da68224561a7b39029e17ea400f7a4174f

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
67KB

MD5
d143e9dc507d7576ff2b780ac10e4f48

SHA1
2995567e1107dfebc68bd91343993d703c6a8cea

SHA256
5b13b70a8b140dc27c0edbc46fdbc385aefb02391ad97fb62c666c8f28ca76b0

SHA512
eb962a9abaca0419e7d8e5fc38ca38024c23f7154cf967df84856a2b95c06ab1b659ed7ab2cad84b4889fc58a9e7b9e623be225133a9615b052d3e291dc4dbc6

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
67KB

MD5
7e71813c94f663280d85c3e40409caf8

SHA1
6be344cd0cea5b15b39c3bb0b1c9d77e0e36a60d

SHA256
5ffde3c714d919e61123f577bb8934eacbd87638dab998db9fce152d58a63c37

SHA512
9136f1025693d1733001b9c81f24aa355aeb4c7b00710252ad4465b0cb721f3e6866e31b66d09a167cfcf776a473bfe41a6e5fe5e249673b92d1db5ba7ff62a8

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
67KB

MD5
c58649ab9ffd75594ffd82bc652d7145

SHA1
335b555d3cf2b3a6f62977ba7724a65eca522340

SHA256
014890f6151bda83044825da0f140c730c2ba94b8aab4c1dd2ff0019a8fdd6ee

SHA512
cdcd39586296e3f39f982625a03d6ade2c0187fcb5b4e803ea08ade5d9234989054818936bf37c965e358e62346d9bb9e80777ecdb7657eca7a0bcd2ea32ccae

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
67KB

MD5
df37bd107210faa6878a8ad760c4da70

SHA1
a10ca829afa701663c18134c285308c418ff153c

SHA256
c8c012c1d33cca181bf90f565052a2f91d91eaac5b232bbc9d311a0725980116

SHA512
5507d190e13ed1f4064357807bcbdd6bbbef823be94d0e5ceedd76d68d5d67dcef4bb6da54b29a5f2a9bbb1710a82e0d5463d7ab90212fb12df35aa8522a96b3

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
67KB

MD5
ca8493503bff96f5b9be3342fb580e90

SHA1
d01fbbab6a3414834292e17fb1f7583b051600e7

SHA256
6ed0dea9adf1df8232b6484d05e31b51a852a84b112462680fbd31e991cc71bf

SHA512
904dfd1ec91daee0f5d23ad5ccd3bd75b12895307dea8f550a94972c9c6dfa70c3549623e1eccb87b6315c02599924321f581048a59362192d80f9a698afa888

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
67KB

MD5
9636d1e47e30347f0e1b1c3ec0ce8d62

SHA1
82545b91762f001fdc2743def34754259cf36479

SHA256
d8616dff4cac0af64e3bb33f73a9fc929f607a336c6a8bc36107ac661e8917dd

SHA512
c7c023666ba1f7793b8ec6db81bcfb4baa08a3beaae82471cf1e425debe4c597705feea1389472a6a272718c9812eac7d0577238e8c7b5a90c5a89afc83e2fde

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
67KB

MD5
4983c3319e6441e085c78cd321c94c73

SHA1
51d32fedaa178cf0422cbdf24249daefe9c149ed

SHA256
3fcf3b27cb634576fcd6c81619b216ac4cab389b5ba9ea40d188255f077102bd

SHA512
dd60b52f22bb144b867493cace46e603d64076cfdf97b87f20f22d23cd03078c1df69dfb45069e8502934a1a3ec77fb8f78a901103525f83c69ecf2a4af0bd0b

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
67KB

MD5
24ea0e12bfd3fe8ce6017ae623c489ba

SHA1
aca925102188d08452bc25a7164becafaf6f402f

SHA256
067d026efe024a240b65aa67e64a51c174e228862a6138fd8ed87600ded7ea92

SHA512
d4c896348f11023b8313f395c36fb21e677a31330c2c8546399df7d6f78db03023457153f07e267b8b715098027ddb01334a57bb8b1e2c06389e4bdffad6e72b

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
67KB

MD5
da9be12b58b55e679fbd4e1bbf3d7b11

SHA1
8e588b37d0fc3f5e02a0baba1d7820406dd89dcc

SHA256
435b14424be288197a1ae171f712b8cadb5cff8f257a568b1a0ba156a1ff7e99

SHA512
cd79b9ac0fb9683e76362d0e8f7af107a8f6fafe335a6fc3d1ca558390c528e09fa261b385ca24ab194bd06b8bbcfacff0b05971c9b378292b575e5adabdf76d

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
67KB

MD5
60d402b22d83266a99968a986ef06f1a

SHA1
61f8bad058e4dc557031afcadf3349fb0dac64f9

SHA256
9dc2caacef037fdad778465f8c1c33c328ba8917c7520d35f1b52a75e306d037

SHA512
5a02fa1093d3ac94209afc110ab81d0741da6a60d4a478fe2eaf581bd06fef8590e81f0e25ba4cec99673a68a55927324c18c29e0d3660b5ed15810f709e6d4f

Download Submit
C:\Windows\SysWOW64\Jdnoeb32.dll

Filesize
7KB

MD5
65a7690753f17441ffe3ecb11e55f789

SHA1
a5fe8420c9d06d573bd36153b0f975b488292b14

SHA256
a1f9a88583a6a55c70428ed784cf0a30629c1b1b93fc5e31ca2d773176f9a4bc

SHA512
e020127a109cd4cf53ee25b288788b488b97cc6d1e23363ae37d3715697596ceb4ed9b02b64e4c1471c6eae1237c6baf17beb729a0d2256d90210806032e5525

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
67KB

MD5
90de8338ab0199d2f1ae4060ad48165a

SHA1
d7db2a6c0edf93a5c705d08a2a346e1a998b999c

SHA256
99661d8e851358337454b07d7c2298f887dca7029e60cd761e538f33db16f769

SHA512
9b82701a1e2dadd6b46b5aa3df954d71badaa3dc95f7a3f4840d4c74f44204532d3a1dbbb39ae2d2bbd5a25281ecdd9ca6594b0afc57f34a16d886470222254b

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
67KB

MD5
985e00bafc28d06839bfb8fcd23e7cb4

SHA1
15803c218fe837ef684d8cd6dd4108609118afbd

SHA256
d08315ddb9109642c0818de13dc33cb4b738cd41ede94f8b37cebd2a3966b131

SHA512
6ae4c3c1d4453a4b6d3c58b0ece9334ffd4aeed4a74b8e84a1477515831a538aabf3e8feda01842935e7a1a10a0b5996db303af3a084edb9e0c30ffcad3cd510

Download Submit
C:\Windows\SysWOW64\Qjhbfd32.exe

Filesize
67KB

MD5
4ba9460540326529d0d533ee562fbfa2

SHA1
cbe57136255efb4226ccde3f270f0dada80c2a44

SHA256
cd0d46ed89d1bf6afd44ec5a1bcb62f2b7535a6465f56eb2c0ae4d023fe08245

SHA512
0611f9dc36acb7bab67cc6025dc017749c5bd97caa03596c806a1a18021eb1a2af6a6df7bf9d79be9477c9a73aa08a8963ceb27cdb0be63ec6633c137d81e269

Download Submit
memory/228-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads