b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
Size

71KB
MD5

a6fe43baab3028e429d335598f7b68fd
SHA1

59a6d6438d1a9c4398dc54097d78db13bad249f0
SHA256

b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4
SHA512

1aeded069f97e2765945e363fde82802e981114f0711a4ef510bad03a8b061ca2eb4968fe94ad84d7e83ec462c8fa46bce65418a61baeffa7b1b3a7d4996b1c2
SSDEEP

1536:nYTodt0xI4wTkhjVbmfBhc2jFi8eZ/y9KrTRQEK1P+ATT:Ycd5Ybm7c0i8y/yMrTeXP+A3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achojp32.exe

Executes dropped EXE 58 IoCs

pid	Process
2776	Pndpajgd.exe
2768	Qijdocfj.exe
2404	Qodlkm32.exe
2636	Qbbhgi32.exe
2108	Qqeicede.exe
868	Qgoapp32.exe
2876	Qkkmqnck.exe
2460	Aniimjbo.exe
1976	Aaheie32.exe
1952	Acfaeq32.exe
1276	Aganeoip.exe
812	Ajpjakhc.exe
1448	Amnfnfgg.exe
2844	Aajbne32.exe
2308	Achojp32.exe
2444	Afgkfl32.exe
964	Annbhi32.exe
3024	Aaloddnn.exe
860	Apoooa32.exe
1608	Agfgqo32.exe
1296	Afiglkle.exe
924	Aigchgkh.exe
1064	Amcpie32.exe
1720	Aaolidlk.exe
548	Acmhepko.exe
2896	Abphal32.exe
2596	Amelne32.exe
1632	Acpdko32.exe
2684	Abbeflpf.exe
2320	Aeqabgoj.exe
1040	Blkioa32.exe
484	Bfpnmj32.exe
2848	Becnhgmg.exe
2880	Blmfea32.exe
1624	Bnkbam32.exe
316	Bbgnak32.exe
2288	Beejng32.exe
1752	Bhdgjb32.exe
1280	Blobjaba.exe
3016	Bonoflae.exe
1404	Bbikgk32.exe
1380	Balkchpi.exe
2152	Bhfcpb32.exe
1484	Bjdplm32.exe
888	Boplllob.exe
1684	Baohhgnf.exe
2908	Bejdiffp.exe
2672	Bhhpeafc.exe
1728	Bfkpqn32.exe
2156	Bkglameg.exe
1560	Bmeimhdj.exe
1584	Baadng32.exe
2004	Cpceidcn.exe
1240	Chkmkacq.exe
2184	Cfnmfn32.exe
1488	Ckiigmcd.exe
1112	Cmgechbh.exe
1524	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
2776	Pndpajgd.exe
2776	Pndpajgd.exe
2768	Qijdocfj.exe
2768	Qijdocfj.exe
2404	Qodlkm32.exe
2404	Qodlkm32.exe
2636	Qbbhgi32.exe
2636	Qbbhgi32.exe
2108	Qqeicede.exe
2108	Qqeicede.exe
868	Qgoapp32.exe
868	Qgoapp32.exe
2876	Qkkmqnck.exe
2876	Qkkmqnck.exe
2460	Aniimjbo.exe
2460	Aniimjbo.exe
1976	Aaheie32.exe
1976	Aaheie32.exe
1952	Acfaeq32.exe
1952	Acfaeq32.exe
1276	Aganeoip.exe
1276	Aganeoip.exe
812	Ajpjakhc.exe
812	Ajpjakhc.exe
1448	Amnfnfgg.exe
1448	Amnfnfgg.exe
2844	Aajbne32.exe
2844	Aajbne32.exe
2308	Achojp32.exe
2308	Achojp32.exe
2444	Afgkfl32.exe
2444	Afgkfl32.exe
964	Annbhi32.exe
964	Annbhi32.exe
3024	Aaloddnn.exe
3024	Aaloddnn.exe
860	Apoooa32.exe
860	Apoooa32.exe
1608	Agfgqo32.exe
1608	Agfgqo32.exe
1296	Afiglkle.exe
1296	Afiglkle.exe
924	Aigchgkh.exe
924	Aigchgkh.exe
1064	Amcpie32.exe
1064	Amcpie32.exe
1720	Aaolidlk.exe
1720	Aaolidlk.exe
548	Acmhepko.exe
548	Acmhepko.exe
2896	Abphal32.exe
2896	Abphal32.exe
2596	Amelne32.exe
2596	Amelne32.exe
1632	Acpdko32.exe
1632	Acpdko32.exe
2684	Abbeflpf.exe
2684	Abbeflpf.exe
2320	Aeqabgoj.exe
2320	Aeqabgoj.exe
1040	Blkioa32.exe
1040	Blkioa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aobcmana.dll	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Aniimjbo.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe

Program crash 1 IoCs

pid	pid_target	Process
2044	1524	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2776	2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe	30
PID 2772 wrote to memory of 2776	2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe	30
PID 2772 wrote to memory of 2776	2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe	30
PID 2772 wrote to memory of 2776	2772	b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe	30
PID 2776 wrote to memory of 2768	2776	Pndpajgd.exe	31
PID 2776 wrote to memory of 2768	2776	Pndpajgd.exe	31
PID 2776 wrote to memory of 2768	2776	Pndpajgd.exe	31
PID 2776 wrote to memory of 2768	2776	Pndpajgd.exe	31
PID 2768 wrote to memory of 2404	2768	Qijdocfj.exe	32
PID 2768 wrote to memory of 2404	2768	Qijdocfj.exe	32
PID 2768 wrote to memory of 2404	2768	Qijdocfj.exe	32
PID 2768 wrote to memory of 2404	2768	Qijdocfj.exe	32
PID 2404 wrote to memory of 2636	2404	Qodlkm32.exe	33
PID 2404 wrote to memory of 2636	2404	Qodlkm32.exe	33
PID 2404 wrote to memory of 2636	2404	Qodlkm32.exe	33
PID 2404 wrote to memory of 2636	2404	Qodlkm32.exe	33
PID 2636 wrote to memory of 2108	2636	Qbbhgi32.exe	34
PID 2636 wrote to memory of 2108	2636	Qbbhgi32.exe	34
PID 2636 wrote to memory of 2108	2636	Qbbhgi32.exe	34
PID 2636 wrote to memory of 2108	2636	Qbbhgi32.exe	34
PID 2108 wrote to memory of 868	2108	Qqeicede.exe	35
PID 2108 wrote to memory of 868	2108	Qqeicede.exe	35
PID 2108 wrote to memory of 868	2108	Qqeicede.exe	35
PID 2108 wrote to memory of 868	2108	Qqeicede.exe	35
PID 868 wrote to memory of 2876	868	Qgoapp32.exe	36
PID 868 wrote to memory of 2876	868	Qgoapp32.exe	36
PID 868 wrote to memory of 2876	868	Qgoapp32.exe	36
PID 868 wrote to memory of 2876	868	Qgoapp32.exe	36
PID 2876 wrote to memory of 2460	2876	Qkkmqnck.exe	37
PID 2876 wrote to memory of 2460	2876	Qkkmqnck.exe	37
PID 2876 wrote to memory of 2460	2876	Qkkmqnck.exe	37
PID 2876 wrote to memory of 2460	2876	Qkkmqnck.exe	37
PID 2460 wrote to memory of 1976	2460	Aniimjbo.exe	38
PID 2460 wrote to memory of 1976	2460	Aniimjbo.exe	38
PID 2460 wrote to memory of 1976	2460	Aniimjbo.exe	38
PID 2460 wrote to memory of 1976	2460	Aniimjbo.exe	38
PID 1976 wrote to memory of 1952	1976	Aaheie32.exe	39
PID 1976 wrote to memory of 1952	1976	Aaheie32.exe	39
PID 1976 wrote to memory of 1952	1976	Aaheie32.exe	39
PID 1976 wrote to memory of 1952	1976	Aaheie32.exe	39
PID 1952 wrote to memory of 1276	1952	Acfaeq32.exe	40
PID 1952 wrote to memory of 1276	1952	Acfaeq32.exe	40
PID 1952 wrote to memory of 1276	1952	Acfaeq32.exe	40
PID 1952 wrote to memory of 1276	1952	Acfaeq32.exe	40
PID 1276 wrote to memory of 812	1276	Aganeoip.exe	41
PID 1276 wrote to memory of 812	1276	Aganeoip.exe	41
PID 1276 wrote to memory of 812	1276	Aganeoip.exe	41
PID 1276 wrote to memory of 812	1276	Aganeoip.exe	41
PID 812 wrote to memory of 1448	812	Ajpjakhc.exe	42
PID 812 wrote to memory of 1448	812	Ajpjakhc.exe	42
PID 812 wrote to memory of 1448	812	Ajpjakhc.exe	42
PID 812 wrote to memory of 1448	812	Ajpjakhc.exe	42
PID 1448 wrote to memory of 2844	1448	Amnfnfgg.exe	43
PID 1448 wrote to memory of 2844	1448	Amnfnfgg.exe	43
PID 1448 wrote to memory of 2844	1448	Amnfnfgg.exe	43
PID 1448 wrote to memory of 2844	1448	Amnfnfgg.exe	43
PID 2844 wrote to memory of 2308	2844	Aajbne32.exe	44
PID 2844 wrote to memory of 2308	2844	Aajbne32.exe	44
PID 2844 wrote to memory of 2308	2844	Aajbne32.exe	44
PID 2844 wrote to memory of 2308	2844	Aajbne32.exe	44
PID 2308 wrote to memory of 2444	2308	Achojp32.exe	45
PID 2308 wrote to memory of 2444	2308	Achojp32.exe	45
PID 2308 wrote to memory of 2444	2308	Achojp32.exe	45
PID 2308 wrote to memory of 2444	2308	Achojp32.exe	45

C:\Users\Admin\AppData\Local\Temp\b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe
"C:\Users\Admin\AppData\Local\Temp\b5901e7384db0497da04458532b6f60033dc88dfc033b951eefcb802356c29e4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\Pndpajgd.exe
  C:\Windows\system32\Pndpajgd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Qijdocfj.exe
    C:\Windows\system32\Qijdocfj.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\Qodlkm32.exe
      C:\Windows\system32\Qodlkm32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 140
        60⤵
        Program crash
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
71KB

MD5
4860eec1bc58b240346e4aeac8784734

SHA1
18c0b1dce5fe3e64d1c3469b2866a0b18166a306

SHA256
226221ea1e0544307e90a4a1305cfd84483a28c8ac59150693f2ce7312003b86

SHA512
455b4984fd29e8f3a529012265f72a3e64e1dce02bcba8166fd6296f3eed52fd9172e6afecc00d386e2962eb6b852e8769dbfdff293d29bfba43e3dd90be3ec9

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
71KB

MD5
eaab99bed4b49a02f2b9b99e33656541

SHA1
cf577c6720bcfd1b69d54a750db80920abaef441

SHA256
da3386e3d9505f6e8fc9262bdeb9c4bcdb9195795bd3b3e23db41f2559fa75fd

SHA512
517c5e3a8b3abed5c6488a0b708d7ce33b0d963aaa882f49db137570506566f2a0789b0d98d7305ce8a851da1c908268b3d05fef98a9a37a5f270df2ddf5a067

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
71KB

MD5
5ce11afe82011f3e98c231fd19370c64

SHA1
ea737dcfe2cc6c745fdbd1a9e6371507f136d04c

SHA256
ec934e364f7f9a649ea18f16d52b668fe64355d7521614c4f1ea90ad0c7cc36d

SHA512
06e64b5af3d288ff8876c253e7393f0e8764c88f6245f1dab843557018c9fa844b58bca5a9ae73acc281ad965c59e0ae4eb27ab35f9b0476a61e11aa5356b93c

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
71KB

MD5
502e0963455af770e99c57da36435d0c

SHA1
046e82bb0da2475ef5a3f8e747402afd50440808

SHA256
3729b36250198a5c10f9e6af2cb93bdfb4f4295404b70c7fb4e22bb22026bfc7

SHA512
71ab1061ca6347eb3034696ec24cfc78719a3ecf9ca99e7b754f6a3b2f0e3190f114be6cacc8c3f0739fb2d58667afd2d06f470d2a08647a911cca5228694c4c

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
71KB

MD5
1faaaf97287d4f4c0a5cca2f4ef66cc2

SHA1
94364029680181f0f92ba0d09f85e58e36da4369

SHA256
6307f5738b47928e635b32071c88a52e841ceb0631bc7a2e947bbbcef13bdfa1

SHA512
e28557bceae58e89afe1ba0dbb1c0c31d9a134ba34ef64566dc92e4a487cfbb67e661fa9c7befaaf4be37d9a5346aa6bc037e2f47cd99877f11fa25d3c5a0f41

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
71KB

MD5
405e5392f1151ec1cb54f37586131222

SHA1
83e0eebfb6900f825eedfaadf5939ff5db8a53d8

SHA256
1b7a526a154f61db36282c6f82e4e01a3d7faf3035c9bceffdda2a64aedefbb6

SHA512
5cf8bcee04aa4315aba4a2d5f648fa1b3ad6e727f4950055a3eb7891db8e1631d54186504c2c7d19dde676d169fda0b1464f04b6d5c2ed94c83b90bb047766f2

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
71KB

MD5
482dd3519af5ccb8238e80795842b0ed

SHA1
8c44043eba1ccfab19c7ec96012d60c61f890905

SHA256
216f560ef718813d81ed85fd9a4580a7bcf60b6637aaaec69fd56c7bf1f3534b

SHA512
d71d0526f240d517558f226098c5e2b49fee0936fe923fbbe942e3dd652571d20b544ea3850b8cda8990134ffa04f408954f74242a9e1c9410c7d9ca2377900e

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
71KB

MD5
70673ac0e97f896e0cd4828d41146b8a

SHA1
754eee7d5031565f72179214139869bcee23123a

SHA256
a0c05e063000e7e1dc690619fd613d4f50918862bcd673220504bf9e29c71c4f

SHA512
be8dba9c2f7077d7fbcf911298aafad0de45537a2b763800296d0d0edea573b5092861243f7a67e30caba17e6b50a5739b9f301925a464e215380f4071860b38

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
71KB

MD5
e95246cc138b7b2da24f0c46dc4bc22b

SHA1
e4bd30c24e5ab269262851cd2600a5c41e43dbb5

SHA256
0f7cbe12273263689f5d050d9238bac6a8963b185e39ec4692d1120e9da43eac

SHA512
cc7b597b611743ae0a5ac6bff3ef57bbf6293e7b5b60bc9b88f5a96a879a84cc63ff3904ff300c4ef47d07f6a48f7173e76e7d26dc5bc3bfb5e82364e199bd6a

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
71KB

MD5
14564668fe6ec12221d31b5aa034b31a

SHA1
2fb91dde7bf888dfb3368fc873d561d4a19de7ef

SHA256
a953dbb9526a07410a17f47192c902d8a9968c5458d3c7fc6fa74b60b96db41c

SHA512
32b0771377a501f57e2c7b14de4f254bd32e2ac5aea29003e5d40bb155d2a1a9b14cf1ee93ec6ecd27b6eb50661a8b6429520ffabf07a9a40488cd45519cb946

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
71KB

MD5
3d1875e5b6d6e6d30027bfc39ba37a9e

SHA1
6209941b8db7fc4a84b6ddd3805a76bf2a4d6006

SHA256
58a601aae3c913de0f57cb167702175f078777a93e9da494c44abf2b0075e745

SHA512
27f6d31e12d51153694d49ff547081496291e95e8846e4c97c0df1f51fd154b1258bd240dc4fe83cbfe9d9400e24726c7391056951e032ad4b3b08272a01a591

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
71KB

MD5
c6df8cff17c2297889c2f5639fa17195

SHA1
22c128b8087006cd8719fdf2343614a6a5d3f2ab

SHA256
4b1f0ac6c507e71109188dc21785213bcc03750ac9a4a405a66ac09f129b3b52

SHA512
589982ee90952cf700f02f145dd43fda95f8f72c471608dbf565dddc062383d7af59c11d1369cf342aa3d360a2da8113a289154ac592915b3b308418f033837f

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
71KB

MD5
69346ac2778087f9cd6898436addab30

SHA1
f7f71e0d2db4c90ca644c157ed0dc17de6bd95b4

SHA256
1ec8bc0c907895a4b857aa46673f9d23fd28707115525378e791dac71c594eb3

SHA512
4b3826f4837d13058995c005f99c0d8fad9ed5a1456bd0ccbcc5e99e3d70e740aef851d87c9bcb8846f070decc5f77f5c109dc981fbb31d68730dda13b1bac43

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
71KB

MD5
11c5ec352a4f388cda67375a09422551

SHA1
f31db9b0508b69909ee316ea5ec7d89e3eb3531a

SHA256
943cf3d6fca8e5e45bc0906ea03685a99bc032c7db70f33a9e1dd914203b9727

SHA512
d402ead4f30460583edb587419caaeee0b46e41e216a90b836112bc28ac0c97ad3d0e020fc1904029cf9bd7d9a3ebcf18cae2f4496fb4c0f3fa1c768a03277e3

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
71KB

MD5
8ace5c1b461b447ca730870edf415994

SHA1
59319c67ab5f7df07cefea4abcd2e1b8d3c06e00

SHA256
fa9ed111427696d36a67118b5ecc527b9aa936e9be312cb74210d272e92d908f

SHA512
905e26a1090c5544b292fc2eb7291fc02c0434449632de77e693a798e3584183004925494252efae37bba3d0af7cca04fce89e5be6b15837ae5ad0629a3dabd5

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
71KB

MD5
4d83effc6abb836db6eed0149ce8a172

SHA1
0468089d2a298be2367c904ea9a1e49ab7d75c85

SHA256
35cf519d58a5e1b06c4f6db84ba17416d28f9a2c4e6db9fe4eb36533dfdd8e97

SHA512
7000779f699aa2de6a0da218af6ae50f3d5a6b50c50ea936c03decbb0440ec8654638f25266e5071718bc59c628b8a8fa05bfb08a949b8cf0284df63cea9b522

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
71KB

MD5
0f11a7fe9ee75ede0d555825a3c99161

SHA1
49b0569217be5ab6887567f27092045b10329570

SHA256
8fd905759e655db732fa2d9c89ce29676cb4b50dd9ad8b166f79156ac866dc56

SHA512
b708b3e62e9cca2f0126946bed00c18a46c1369a5b4f1ae3b93f2d1466fcd32b8f599c1d4705e1d8d15f32da509351051436103e743c26235cc40a58647f3275

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
71KB

MD5
32a27845cd86fb7b7890546f6f58e22f

SHA1
cb09579958242d726fb24a1f24b6b4f784136c9c

SHA256
8b806315248d39eebd6d4f9ffe0dce575f1b46048d1c9301bf6f5081959980de

SHA512
c22229da8fb23cb1322e99ac4d73f68da6d8fb598b82336f548b3b538be03d2f9d0f192192ac358df3c8a1b3ac096257e3ecd273a7e3057cc16a062f8ffe5e94

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
71KB

MD5
f27a1085809158e1e2f0ab59c2d94989

SHA1
b92de8b2ed3316431a56bad0db705898bf0a9a38

SHA256
139c19933b711eef035b6be6796a4f558630e113ecee1dd06ff45b09d3ce1d2c

SHA512
8a3c86661ca4d02a3d6356d7aba513cc775b3c5f992f51b9abd014aec29f12efedb28bef64c10138253eea8ea946640f3cbf3df716d261807ced099e85f83ce1

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
71KB

MD5
468f98f0b128bdb15551385d00be0a83

SHA1
b7be6acb925950c62aea0a0cf7999b44b1de0d5c

SHA256
ad80d7b97ffb925b98e3ef53321eff55b3c3f605bf352661704308b645ca9de8

SHA512
887f497aa9d19e0f9ed22a5735b2b6dd3af02fcc0fd220157cd1d523346471338553ce2b611842e60e39db4566d28c5a65331d26fcd856f5398aee6ad09f2ee2

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
71KB

MD5
b7d6a3cd4229e6398a16e4d7988ed276

SHA1
3a96c2a7ceced0a1199e14a2caef919639bcdf21

SHA256
52186f7665f7c85460ab8ac7688e48e32e0667232c0b15b7e374c619941007e0

SHA512
5e32f2c59cc9cddba3da02f479e6dbef96c57c6621f361d9ff4e79d2db7a32fe33acaed043a3814c40e12a20b21010c0e1848c071b5e5de23991e105df461abc

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
71KB

MD5
ff7685fa1391308ad0c2ecc8572b0c7f

SHA1
438e0df5c7aa1adb6cd148b8c601e171d83472b0

SHA256
222d197562a42895b99f0918b6a6e559f0cca05b8111f29cdb92392eba93e5c7

SHA512
be5e31dd54bac9db0038c3283026577c1fc807f612d84ad2d663992d6a78ef1b7a494ebccc2b8ac3e3bf2e3c0124fd4f4a2624cf5823da92e16cad6de6b71e00

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
71KB

MD5
442f81dc30bb2f46def60470d2463356

SHA1
e2e9c018a76be0caa6e46e969290440b5d02ded9

SHA256
5ffc18799e09840a35451757e30e7a45f2174d571537c7946fad6ebd98a14d5f

SHA512
972a07e4813ed76c85d2e06a9b26f3dfbc2f4963f1e2ef7e551737c9013dc05a6fec1c1da487c5dbfe3f0e56e5e8e1268b4fe07d8e704b50e50e2277dabec83c

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
71KB

MD5
9fdc3d0da8b6b0500676e0e1aacb52be

SHA1
460f38fb2bff29f22c8463d6ce37da08e480446c

SHA256
c96f59154ba147829cc5b24e50169e377f4fe7833afe81d06c2793bc53d58c03

SHA512
f5694a3771d957239a5c9801c58b0468518389f3397f6f74cec6e39bdc841efd16e55711e03bd5ddd5872e36e53c73507901672213af2193ebf646f95f1d1f5e

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
71KB

MD5
4303df7e410bacf0ef6580fbe92ec442

SHA1
1445c4207ab4f41b1738c0e90603775087a9b755

SHA256
8974dab8173dab1bdf5e5fda435a5bd3027c9f9a748ced65b839ec35de369def

SHA512
60802dfc57e9c63fb085701f7e6a6e6d12388d27b5608b5924949ad8f4f9a58fe5858b6e6780fae679757b22b715f14756300e78a77d648e15b13dd6f696bfc8

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
71KB

MD5
055f363b025383321009ec508f28761a

SHA1
d5895ac92a626824f5e5ec60d9c3b02d58ad0d0d

SHA256
0762e41f1063c0d9270cdc1c9f9252ac843ebb14027e7ffa89a7441a9ea05c08

SHA512
04d1c87c82add56ff0c0ed2d06136fa9c23bc30cda49c78e88ebbfba0c7ad6a9ec6674f10d577d17ce09934f36e2ab3fad550ad65df3db0054c8e059a9417c0e

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
71KB

MD5
37d667c6a7fb6f5888d406888e4637ce

SHA1
2216a83fb845e8186809fcf831c7b14b8e3e59c9

SHA256
850c45da2d5d1b0b8c0c160cbbb56c91221d66b874c0774b512cee3e5515ffb9

SHA512
fd9711a2affd3278f2c058cb9dd9a6b2b0b77b0c46b64d848060c4ac345a4e0899642dd3ad4efbc5cd3254b08acd487456e34f1a078a1d0304de7187b3c7aeec

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
71KB

MD5
cda6b8dc30d2463cb57ff5c0eb637258

SHA1
0e62149b1946fb5c84da537c54f3b3292ef1efd8

SHA256
69676c1fed440723ae4a8b62d22eeddd430ed5abd8124891f60bc68fc59da592

SHA512
0faf040254e8c74ac9706c6d2cabc56f5347a3b42400cd1a4e1482695b408997a89d975361d09e976adef3cb7e4c1696ce378d9a2835e6ac256ff4f109a45211

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
71KB

MD5
e06d5ff7c8a2281a221c2675b4dc41ac

SHA1
6665725ca570194e52aebed02ddbf0e609de3d9c

SHA256
00e281539a51cc66b7b2519de4f63f61dd3e17e4a44ede60bd5464d39eace9cd

SHA512
f5902fdf16d3ff8817265b53d4455cedb1fe35e8140e261934a62f01f27273054f7846382f953abcd378db40f49b5eb280852d7f1b9a43479d283b1482d4d109

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
71KB

MD5
17707a21fddc080a95ac30a109644c9b

SHA1
c57cd002edafde0e8b06f1c02fb1709e0b42d870

SHA256
40b458b384762c86775f710dc27a2166b51d5c131e9fba6ba911eec6e8923a19

SHA512
cdf47148655b4ed67c35044c111892a5206e5b048e0dd94b062d422f6ea22bd0a203a60074c86decf6b2b502d68dfddd091e4f4fdf6091075eef75f7c0c0f139

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
71KB

MD5
3942f33688f0aca428485bcdb7511751

SHA1
297517f88348cf2588cc20d1b3430651e784a7cd

SHA256
3f4ded6fe28f55350b979ee25bc0f687981e1c588c93766194e26ebe776e587d

SHA512
1f9ac2ffcc9812bf01785606d1aaa414e2e6c0ded6442256daecede20848928b207194ad29d1828f913ed59695bafe3fe17be5cc86212ffe9ba8bbc4918774dc

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
71KB

MD5
6b3a19620894c96097221c14ebbac03c

SHA1
dfef17ee288f9d703e78dcfc33d1f9901f429660

SHA256
b8ab2c626dbe18a8e5d40535988ad8cca29f94872b0d73926098d821add72f7e

SHA512
4fb06d359d8efbc2aaa08f4cd2dbed090d51707afa2a5e46476d6d0ed59a4259e727baa687c09db5d4845b3fdce48e30616208b3ac9bd000a72f53bb72bb36e7

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
71KB

MD5
b9074dbd39b33012c9e8d48f5cee20aa

SHA1
4c6e213eb9e7c3b56c00d1abbe1fd74ee595ed5d

SHA256
a5e50f6fc6df3b5b57fa9496d657c008aaf5cd877e6dff60675230df4bb75e87

SHA512
1cebabad4f37cfa9f6bedbf73ad7ec3e2b7c47562f2c4baeb6ef191216e25bb3e270fceff4e6824b86b258d94229f408df29f75397edb181954d26d5abb82eeb

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
71KB

MD5
c7644fea70b12fcf3d520a0d9fbc66fd

SHA1
98915cf83589e281bd55643539d8682b35bc9cf5

SHA256
39f90b80d0f8f650fb55c3653a22d7c18814c3328c98257f967cf689b45e2f83

SHA512
61e6290a595bdf2e327b7df1263d5f79c7c633944677e4ac43d40758e925a55e36aefca8be01c68dfcfee914cab40a0815a94325c077c59c68bd12198a9f4b08

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
71KB

MD5
d133c1f8dca730f1943f37129ea27cf8

SHA1
e22ea57affe235d515ca29d3544ea749a1fbc6cd

SHA256
3d8ad13be6e8d5ad84f11c091768cf241e1e64f23c6789c39725b4ed26379809

SHA512
f0044caf4e5e9d2664e29f6a7734c3b6a7d22eb7fa5dccb006c787fafafb90a0c30803dae71d571f76729eba0a503950c221289bdf2d3e679934c87b8c5c4bdb

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
71KB

MD5
9516baee06ac87fc6bd73329760e62f9

SHA1
16d97bc392011fa04bde07a29a70731e310b07ef

SHA256
ef184a9faaa3269587ecb535c14cf89a95c950cdf68e732fc17b16d19e5f387c

SHA512
fbee4c4b48e032fa5cb7e3c2d50a6e1f65b082ec91b87bee6ae54a491a16facc10f942827df57cd6450e3ee1a46256b38d72658366538e1c904088ceb5a9e969

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
71KB

MD5
d6daf4a4b8952a2a08fab5e2cee28070

SHA1
e6fbb3c1466364eb09735171b46cbcb3eb2d0236

SHA256
ce7f78928b04b249434c482a3b93a3428ed9807cb6ff53acae5b53fc9cf4f866

SHA512
fe58ff04622633ff744cebc0bf113e4dedd53316b3799eb1a3d6235e4f8ad161a0e8b74e637fd262fe396b0c487cfb8207a9f862ba433bd71f16ff081e359e08

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
71KB

MD5
d3a505ae2f4c56240f9fab121dc29a9c

SHA1
0200f7d5bbaa145b8bcb113ed2dc5e9fe022843d

SHA256
93b15387c97a723ce0a627202f000f63004ac1f7d35152d60318b20b83da5f46

SHA512
df9c719d70d2f3fcf70697b6f10c3a8de7a2a48223c3fd2dfef7519a32658a6c10b2f05a2a8610c8ee689cefe5352f2ffd8ff4af1901a48a5dbd27024ef279b7

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
71KB

MD5
fec310b03138c0251accaedf6c551912

SHA1
62a0d0cdbac7a6b147f6e89f39f82a8d130a7a29

SHA256
3f1a0c368f46771ef36e7eb17cf3fd787ca01524acef3f9fa38c52d92a9617d9

SHA512
eb8eaf32c64a792c4f642cf197f280f3bf4ff1b1bedde5c7a71d48fdfc36dbeaa20f21ea47e775d7c6a29bd3b09090c4af6c6c7b646143dc2b56e7891d1a5222

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
71KB

MD5
0ad016d9240b0f604112d684dc216dfe

SHA1
dd7127bf555ea44ca6587d1cab6fa3388ee5fde8

SHA256
d1031c159f845cfd7d3dcea6d32b30096a0d7cee7522cf181b2ae28c2667e921

SHA512
eb623083b66452e529194dfd79777e03e201782a5223715b8ee626bba8b2c45e8a908f5fd1aa21003adf07a36b24d677b0bb8043aa2598ef2378d7bc9bd8e5bf

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
71KB

MD5
0b3e7c352aa7b2db026eee57c9ae5330

SHA1
54d521be24722fd901725cfce2d31c86d6558eed

SHA256
36604cb5c758ed59919ca3185b7744de1348a9528d00f4f4d31d901dac5cb130

SHA512
8190153baf52905cc9c7aae7f56460b1506dd7e90e70c26ecb8ff7af5c546e7a9e83cb58400c94ce31b1ce0055c4cd63dfe1a2cbad851be4d11431dc1125c052

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
71KB

MD5
6b3856bddf856cc22dd5e3f86d65926a

SHA1
231c7f821a17407d32adf0b7bc70e3e35c25badc

SHA256
6642d37bd20a0c89fcaea3e2a8b4676b63631463a5a6dc70f332bd5f42d68aeb

SHA512
d1c4b62e82afe86e67f72bc51655043666a06b8c433888db5cdfd957fe30b5f93872041a5c319ff02f2f9d2994ccf318d44e90c45786487c9b7af2a9f352644a

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
71KB

MD5
212cbaa9385d6512dc8b67efcd2fba0b

SHA1
a4619173a512cc556f4b047103f9bf3ed8f74f1f

SHA256
1517f24d0accd693cd4dd79d383a91e85ca2e0193322f0d2d5ef26f843c5d92d

SHA512
dc0953b4b01bd1cedf675be457c8b4292d628b34008b1d1715abca3ece14ef3c1de4bbe6347071ce532402bfdb10a18fcc5548517bc6969c09dd2d465880357f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
71KB

MD5
c1d84602ea2203a2710c9e7664b12864

SHA1
6c58604bba332c9148300a1c6ca8ee38c4a815d9

SHA256
73ada579f29a118ccfe2d581b67ef0604eaec0e35d05eb2f0b893d33e9bf6d02

SHA512
0432e9037148f9e232e5717dea35e3a4b4f220e9ba2a56038bcd620c865b3151e5762f0514c687a8d755bb60a86e603a46aa2347dede2ec7abf28d616bd4c33c

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
71KB

MD5
e523daf2f92f75aa990eb66fac4ba915

SHA1
77335b9bb1948fed1d3dd2c259e0317f9b36d0d5

SHA256
29a431423fa8002aa8a0e47ae473dec1e8868356d7cca6546d731f35257f2d26

SHA512
28b5d7f12ccdf054bdf91e4a94d691f59b75ed3ad390aa38ec45d077e9a90d1d0799a65919f2aeb643f03d93bc37dcc62d9685277e8c9223c59b2095c08a87cf

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
71KB

MD5
a1e0f43da98631127e7395a244bb2ed8

SHA1
c3ae5673e651a29e06eb0c36c70ca90490becdff

SHA256
2c57e2f12c2dcb3f49494feeeeaed49b73b23c540ac67a04aafd972bc7aef7c7

SHA512
f29b342bc70971a7f9ff35aaafb398cf70da091adda58d7075e5612b6cafc0783f3c1df0a09c1a92a272eab898a1b3457912585926d867808f4333abfc99ff83

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
71KB

MD5
beac1ddaed8e04c7589c5076754c6ffc

SHA1
7280ee189e85cd7ce98388a0530b053c94cbc1ff

SHA256
cfe6d709fddd2f3850ed3a07194f8c29144409a673de87618bf34d45f22427c7

SHA512
40c4de1c198eef12631b8e1ea72f4c07a49125cdb03c699a0f23f673ee1ad7777f2433c494e58295c6f4ab73085805f89ad4f179616b59052014ed9e8a4eba0e

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
71KB

MD5
b5bb251b61bfa02fb1ad0a568361bd6c

SHA1
a0c4735950188e408518b94e21ddff7c93fd478b

SHA256
ae05b752f909d72f4cc01eea567d4fc7e0f0ed2c3f9d94aa0c0c745eaec3cf10

SHA512
aa7570631c52c2d18bb6f1499ef3c505c5a400256ec034ceaa64a600ee6cfb472af2fcfd6785957d6faeaecbc02017a78d6ab2e9da8c2af2d950fab4b8dce114

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
71KB

MD5
e18558e3e8eafc13d26c9570ae97d057

SHA1
ed48238d9a7ee2d05f1006056938aaca3e4c0913

SHA256
ba631cecf5d501446e4e07a9383df12f8bd6e9710196fabd731751e7c90617df

SHA512
41e199f8db955c17d603a677c71da63e1efb3ec3fce8e9c55011bceda70ce3f59680d79fbbfdf6d94df705c796091c7b92fa29412c9da1320d299975c2f78e9d

Download Submit
C:\Windows\SysWOW64\Imjcfnhk.dll

Filesize
7KB

MD5
37a96ccd8a7c4bace2fe2f6a7cd2e899

SHA1
08736fa6b6230f0d6fdf1f171b71484e08cf5862

SHA256
04d90118d3288c5ce6157b26b55d7093f2ac4d85229dc150eced1ec8f8be56a2

SHA512
f0d7aebc1e3e720e63defc8d313fa1f7216b4491531d6b68f21e5c1ab7594acb5f96377adc8382022f6c61bf9eecdcb9d7e4419916822f328f6b99b461ff1da3

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
71KB

MD5
6bf690df866e0c5c99e49492244fde93

SHA1
3106cb49400108d0677f164590ec3cedacc686cf

SHA256
b3a619aa49954d8b3288740c5cbd81129b8078aeb09785e08e9250bdaba5b5b1

SHA512
dac16f076ce8df92e7ae794d1e68e22b680d9f616dbf3bf829d3f7e4e5c617ed82ad00caceb8527d68154235205e87f5cfd1ce8dc78be810e297ee4cdbadd469

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
71KB

MD5
7309b3864df021a69ccb8f73b0447aa6

SHA1
28a96bbea3c63c9d8cefe8812cc0b4f718d28296

SHA256
e043634dbec3537dcaef275ea920ac92080d4287c0bdd868bb75f172d773772c

SHA512
07ec1074e8afecccbd588db874517a40d642aab3f0fbe1e0684613cdc5e76566311434e1e63c6937b15c38b169ae988d9c74713fd39faebd20879bbb00054b2b

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
71KB

MD5
7dab21d4d8143f166734bef92a4628ad

SHA1
977b0a59680a966bc5b602f7c273319f1c9a824d

SHA256
12cdb06f0857dfc73ce2c2546db9fafea8cfaf81574ce3bfd829dc2b9bfa27aa

SHA512
701e0b0d8e22f278f80aead60f39de87f5a29911642ca3248d6a18879ebe8bcf14f781674f495b87616859cfe98a36dc035c29e92c2c26579f1bf3178c29a305

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
71KB

MD5
ea803840cda09aa6b30c01d544f2157e

SHA1
18aa3e367b0d0cce2d8fd11bd70205ae56d8f2aa

SHA256
03953be06526b12c90cf3a2d9bd92c3403bce0aaf151a129afb427f341fcd15c

SHA512
e7d268ecd49bd1a98221444638363d02933a9b220618e2e545585ed696e9203730c86435017cc8ebbbfa8bdc3baffcd34ba750efeff647d7a5df28365d3efc66

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
71KB

MD5
f52f2d8d799e2d5ec1b06db57b4c5f02

SHA1
a04bfd5d00f282b825665eff45c89a0d5620f0ce

SHA256
974ed0249091daf6d2ae71477a04fae76f96f229e2ec720074bbaa2602d2c89e

SHA512
b0239388e9241dde95cadd7bda7c62cc3403c135d1516989a3d6f969400676236cb703f195bb9273aedd31c594b545c254687cb26e696ebb5d81b7eecd37e325

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
71KB

MD5
a90e8503f4316da9a15532237128cbcc

SHA1
536d387d6d2d118d1f1817e900c321c209867c0d

SHA256
09283ce296c9738761b65b2f7ca9d5cb63c4d4df4cede08e3f7f55141f2d8ff6

SHA512
26c3a5ac4cd36666d451dab926512446ce6b85ae42aef63a0ae546ca0c47a114cf7b2956c595ed48e20bdee9a13164c87f8abdfe588eaa8dfc78373a72a3e2c5

Download Submit
\Windows\SysWOW64\Qbbhgi32.exe

Filesize
71KB

MD5
523df7d072e8d4e167bc881c1cf303c7

SHA1
c6f7ea9b364106244bf5f209ee7caee1e59ee86c

SHA256
6bb8f7f17e84b7ed3ee962dc7f56a4238789f29bc4f63b2706d8073aa28b273c

SHA512
a2e0cadd0f4d6ee2fda5a277f81b757731b4bfd252c54eac0150a286ba2bf6ed68c2ee29bf9eb4e7d8ce1d714f3174db5afca8db426ab155da44bf39025e15b5

Download Submit
\Windows\SysWOW64\Qgoapp32.exe

Filesize
71KB

MD5
b3cf4ffa685090c5317232c0016bb06c

SHA1
2adc448739d86cd86bc9821ce307e2ebd1647086

SHA256
f968922b1b96f939c364d1e8dbe93844eeb432f9039360844bee1297ffc13d7e

SHA512
6b18ead1a3c0c110c09757be8ff3ef6981cfaedddab150ca2879e2cd297ed68527ca32cda04b05acc3e2bef210430a6de6845ea77101e2f49f3c9cc5614411fc

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
71KB

MD5
19f3d5b7cee0008d1dc0e1c0e9cf93d6

SHA1
ff3a9e96e769b8a068e7410660c9ec2ac790af7e

SHA256
70c696ef39135dd5687764214548c8eece2e3e31b7accf93270f882f7f62e386

SHA512
5aae02400c3c750a2b05145fccda3246b8c90670bb51346aba2d6f284f19b6d477160e19c7b94a91b22ddee02e3a9f930ed5016cf492967be6560751444753bf

Download Submit
memory/316-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-395-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/484-391-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/484-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/812-474-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/812-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-169-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/860-253-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/860-249-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/860-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-90-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/924-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-286-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/924-285-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/964-231-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1040-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-296-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1064-292-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1276-472-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1276-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-156-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1280-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-471-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1296-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-275-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1296-271-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1404-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-183-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1448-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-263-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1608-264-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1624-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1632-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-347-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1720-311-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1720-306-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1720-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-461-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1752-459-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1952-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-147-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1976-130-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1976-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-76-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2108-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-444-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2308-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-209-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2320-372-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2320-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-371-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2404-49-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2404-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-222-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2444-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2596-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-337-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2636-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-62-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2684-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-373-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2768-35-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2768-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-355-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-27-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/2848-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-104-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-417-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2880-416-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2896-326-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3016-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-484-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-485-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads