c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Size

59KB
MD5

d03a9107c648b1b3a308150773b6bcc2
SHA1

761c4df7e0ec6754356668a776185d6b9f1cd583
SHA256

c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d
SHA512

ba24b497ebaa9877976ea59a3f53d533486c4dcdee049cd8ff5178444da4fae0e68e20142f62b2ebb5b602ef9306ada23c90187df40327842de9482f27c86e02
SSDEEP

1536:9pTtah+y6tPzeFxS2foxYde3MqrQuHgJO6NCyVso:fwh+y6trsS2wHM2HIOBeso

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe

Executes dropped EXE 28 IoCs

pid	Process
2704	Pbnoliap.exe
2820	Pkfceo32.exe
2764	Qijdocfj.exe
2664	Qodlkm32.exe
2192	Qkkmqnck.exe
1632	Aecaidjl.exe
2328	Ajpjakhc.exe
2024	Aajbne32.exe
1708	Ajbggjfq.exe
1296	Apoooa32.exe
2652	Ajecmj32.exe
2076	Aaolidlk.exe
1152	Afkdakjb.exe
2476	Amelne32.exe
2156	Abbeflpf.exe
1480	Bmhideol.exe
944	Bnielm32.exe
1644	Bhajdblk.exe
1796	Bphbeplm.exe
468	Bbgnak32.exe
1636	Biafnecn.exe
1808	Bbikgk32.exe
1484	Bhfcpb32.exe
3000	Bjdplm32.exe
2236	Bkglameg.exe
2976	Baadng32.exe
2712	Cdoajb32.exe
2872	Cacacg32.exe

Loads dropped DLL 60 IoCs

pid	Process
2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
2704	Pbnoliap.exe
2704	Pbnoliap.exe
2820	Pkfceo32.exe
2820	Pkfceo32.exe
2764	Qijdocfj.exe
2764	Qijdocfj.exe
2664	Qodlkm32.exe
2664	Qodlkm32.exe
2192	Qkkmqnck.exe
2192	Qkkmqnck.exe
1632	Aecaidjl.exe
1632	Aecaidjl.exe
2328	Ajpjakhc.exe
2328	Ajpjakhc.exe
2024	Aajbne32.exe
2024	Aajbne32.exe
1708	Ajbggjfq.exe
1708	Ajbggjfq.exe
1296	Apoooa32.exe
1296	Apoooa32.exe
2652	Ajecmj32.exe
2652	Ajecmj32.exe
2076	Aaolidlk.exe
2076	Aaolidlk.exe
1152	Afkdakjb.exe
1152	Afkdakjb.exe
2476	Amelne32.exe
2476	Amelne32.exe
2156	Abbeflpf.exe
2156	Abbeflpf.exe
1480	Bmhideol.exe
1480	Bmhideol.exe
944	Bnielm32.exe
944	Bnielm32.exe
1644	Bhajdblk.exe
1644	Bhajdblk.exe
1796	Bphbeplm.exe
1796	Bphbeplm.exe
468	Bbgnak32.exe
468	Bbgnak32.exe
1636	Biafnecn.exe
1636	Biafnecn.exe
1808	Bbikgk32.exe
1808	Bbikgk32.exe
1484	Bhfcpb32.exe
1484	Bhfcpb32.exe
3000	Bjdplm32.exe
3000	Bjdplm32.exe
2236	Bkglameg.exe
2236	Bkglameg.exe
2976	Baadng32.exe
2976	Baadng32.exe
2712	Cdoajb32.exe
2712	Cdoajb32.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2872	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bbgnak32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2704	2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe	30
PID 2880 wrote to memory of 2704	2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe	30
PID 2880 wrote to memory of 2704	2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe	30
PID 2880 wrote to memory of 2704	2880	c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe	30
PID 2704 wrote to memory of 2820	2704	Pbnoliap.exe	31
PID 2704 wrote to memory of 2820	2704	Pbnoliap.exe	31
PID 2704 wrote to memory of 2820	2704	Pbnoliap.exe	31
PID 2704 wrote to memory of 2820	2704	Pbnoliap.exe	31
PID 2820 wrote to memory of 2764	2820	Pkfceo32.exe	32
PID 2820 wrote to memory of 2764	2820	Pkfceo32.exe	32
PID 2820 wrote to memory of 2764	2820	Pkfceo32.exe	32
PID 2820 wrote to memory of 2764	2820	Pkfceo32.exe	32
PID 2764 wrote to memory of 2664	2764	Qijdocfj.exe	33
PID 2764 wrote to memory of 2664	2764	Qijdocfj.exe	33
PID 2764 wrote to memory of 2664	2764	Qijdocfj.exe	33
PID 2764 wrote to memory of 2664	2764	Qijdocfj.exe	33
PID 2664 wrote to memory of 2192	2664	Qodlkm32.exe	34
PID 2664 wrote to memory of 2192	2664	Qodlkm32.exe	34
PID 2664 wrote to memory of 2192	2664	Qodlkm32.exe	34
PID 2664 wrote to memory of 2192	2664	Qodlkm32.exe	34
PID 2192 wrote to memory of 1632	2192	Qkkmqnck.exe	35
PID 2192 wrote to memory of 1632	2192	Qkkmqnck.exe	35
PID 2192 wrote to memory of 1632	2192	Qkkmqnck.exe	35
PID 2192 wrote to memory of 1632	2192	Qkkmqnck.exe	35
PID 1632 wrote to memory of 2328	1632	Aecaidjl.exe	36
PID 1632 wrote to memory of 2328	1632	Aecaidjl.exe	36
PID 1632 wrote to memory of 2328	1632	Aecaidjl.exe	36
PID 1632 wrote to memory of 2328	1632	Aecaidjl.exe	36
PID 2328 wrote to memory of 2024	2328	Ajpjakhc.exe	37
PID 2328 wrote to memory of 2024	2328	Ajpjakhc.exe	37
PID 2328 wrote to memory of 2024	2328	Ajpjakhc.exe	37
PID 2328 wrote to memory of 2024	2328	Ajpjakhc.exe	37
PID 2024 wrote to memory of 1708	2024	Aajbne32.exe	38
PID 2024 wrote to memory of 1708	2024	Aajbne32.exe	38
PID 2024 wrote to memory of 1708	2024	Aajbne32.exe	38
PID 2024 wrote to memory of 1708	2024	Aajbne32.exe	38
PID 1708 wrote to memory of 1296	1708	Ajbggjfq.exe	39
PID 1708 wrote to memory of 1296	1708	Ajbggjfq.exe	39
PID 1708 wrote to memory of 1296	1708	Ajbggjfq.exe	39
PID 1708 wrote to memory of 1296	1708	Ajbggjfq.exe	39
PID 1296 wrote to memory of 2652	1296	Apoooa32.exe	40
PID 1296 wrote to memory of 2652	1296	Apoooa32.exe	40
PID 1296 wrote to memory of 2652	1296	Apoooa32.exe	40
PID 1296 wrote to memory of 2652	1296	Apoooa32.exe	40
PID 2652 wrote to memory of 2076	2652	Ajecmj32.exe	41
PID 2652 wrote to memory of 2076	2652	Ajecmj32.exe	41
PID 2652 wrote to memory of 2076	2652	Ajecmj32.exe	41
PID 2652 wrote to memory of 2076	2652	Ajecmj32.exe	41
PID 2076 wrote to memory of 1152	2076	Aaolidlk.exe	42
PID 2076 wrote to memory of 1152	2076	Aaolidlk.exe	42
PID 2076 wrote to memory of 1152	2076	Aaolidlk.exe	42
PID 2076 wrote to memory of 1152	2076	Aaolidlk.exe	42
PID 1152 wrote to memory of 2476	1152	Afkdakjb.exe	43
PID 1152 wrote to memory of 2476	1152	Afkdakjb.exe	43
PID 1152 wrote to memory of 2476	1152	Afkdakjb.exe	43
PID 1152 wrote to memory of 2476	1152	Afkdakjb.exe	43
PID 2476 wrote to memory of 2156	2476	Amelne32.exe	44
PID 2476 wrote to memory of 2156	2476	Amelne32.exe	44
PID 2476 wrote to memory of 2156	2476	Amelne32.exe	44
PID 2476 wrote to memory of 2156	2476	Amelne32.exe	44
PID 2156 wrote to memory of 1480	2156	Abbeflpf.exe	45
PID 2156 wrote to memory of 1480	2156	Abbeflpf.exe	45
PID 2156 wrote to memory of 1480	2156	Abbeflpf.exe	45
PID 2156 wrote to memory of 1480	2156	Abbeflpf.exe	45

C:\Users\Admin\AppData\Local\Temp\c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe
"C:\Users\Admin\AppData\Local\Temp\c3e75fec421b274dfbdb6730e908b09c8ce12905afa14da9a940f8a31da92b2d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Pbnoliap.exe
  C:\Windows\system32\Pbnoliap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Pkfceo32.exe
    C:\Windows\system32\Pkfceo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Qijdocfj.exe
      C:\Windows\system32\Qijdocfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baadng32.exe

Filesize
59KB

MD5
a7d3b427c9a14db69b70b9b4cb23cb73

SHA1
1f18c75d92596bede5e35670f740173969dbf968

SHA256
a63dc93a427f468a6f68f7cfa03c381dc9be80d741e7c528bfc72b55eae08644

SHA512
f564a5d9ac94229c7137da1a24111a2de0f116bb8a61024d8cf9321763870ba03682ff5b4408d7f3e11b1ac68eadb0dc6babf1bfb3d11e50fce03a04b0fabb38

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
59KB

MD5
58cc7905f18feecd07d5a096453afb6a

SHA1
9dc8227e32752d5df2ebc31c3cecb701c7392eaf

SHA256
ac000633911592426cde21106b499e8fe3e9e765d91f9d29327a42bc285a3687

SHA512
fb9ace3574bbef9c877fc874007cb6a096f07fd19e8d03ec2d4e321add2183f1803277f7b91260ea9d5594cd579e5e21f89961a11f4fab8a5dcc7cc0922c0ec5

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
59KB

MD5
b52513597e6e0807f01cacbf920d2dfa

SHA1
a93d5bfb1bba16d05019ad59725272abdf154225

SHA256
c4134047be6b36ac195e91f13cba1b4452a4253e296074827b1800205add2a35

SHA512
f3c2746770e91f1409de2b05631a332c5bad8e951dd64211eb163e1ef820fb9a4ab6ad038d48732eb101086f088a8dfb123d89aefb814e6e9a830a49da75ce17

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
59KB

MD5
4312c5ae3537dbe4fb2c97654ee900cc

SHA1
cec5d0086801e0fe1177387322cd5fdc322f6250

SHA256
fb06026bce22e6c8bf7f9e7d3c74967ca61ac4ccb2d28b104c21c9386175d545

SHA512
0cfec45d425963c7ac88184d53aee2e452e745d627a9f5594de278a11edb1397a9d8e734cb8c7c50a33301f64ab56bde869750790ace950d8b9b75becbe9ce7d

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
59KB

MD5
208537165c57635fcc546ec96cd3f456

SHA1
588b695198e207a671fe18855cea4812f8b73287

SHA256
f3a9a43aa7ebbcb656feaa5b09667cb0598efcb1cb7d3c72f8153f156d841e9b

SHA512
ab3d6bbdfcc86c782c10d693dc394497ccc172e8d7024574558e1381c7c539a5929fc25a7fc69dc1a758f67309f59114c3b900a4f1d91806bfda286377e573b8

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
59KB

MD5
55e8f914f38f08b4e407bd033f5d0406

SHA1
3ab86594f7ac8c626856c0c9dd5833559d0645ee

SHA256
d575e9eaf83c2ecf9724862b3fda34d36dde122d1f8475f29bfef7035fbf7cda

SHA512
ae6afbc4ee0d055b40bed55a30df692ee9fdfb03f1c905894518f3948d3671014bee1705d61b53fe0593c872a5cb2c35a1082a79a84d0e1156658c700dac052d

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
59KB

MD5
2b99a48e6c7705ea7c2d95c08fbef595

SHA1
2a8093f48c0efaf1b7ffca8aae2109fcc64bc044

SHA256
b8b777ad26178903fea956f64b8b739048971bebcc941cca2092dc633835bde0

SHA512
dabecdb9543384946a5369071022b05a5ac20a802d831f64dcc1c6db8103ef2cc198e7b8136a036567bf06666161165bcbcb3feb00bf57096a8a3cd95fb6ef92

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
59KB

MD5
13158dc3e50353dd2a382d0d1c351e4d

SHA1
e964a4f7815cfca2642f7f1e2fa65f046845ca60

SHA256
76f7b8a32ae75cb5ea08471ed8d83b0a5f3992d239ffbd5ca1c80016f3117d4d

SHA512
378b9d2fa4efb8eccfc17dcfda935e9ff5a4eabd5c677d122d3a749cfd8d0e42d79e0708820402b8296def3576fce8337852079a5aea8934d8a00946baa50176

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
59KB

MD5
f3a3f8d43caeec305cb3d1cf48c80d16

SHA1
cc670e04e721c32976fb9a9c6deea6420857652c

SHA256
004aef1a758902d25b11812892506a47e7f82eb5164044ae88fddab362bbfcab

SHA512
9815bd0c53e01dfb8afe3df565a97a44d6e2b3e0e3dd08bd4ea1e7e4c63ffa781f56be7e016f8ea1f76492a60798c1bea8481248dc03cf767a587e633994d436

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
59KB

MD5
4f934d3c6f206f12cdb72dbab252fae6

SHA1
1f5b1119b4991bc83aa91e68387cc1ef4b692326

SHA256
a89e5409e365ed2ad4c128042d641b243395a2f7fb05cc15072abecc6251628d

SHA512
c0a9988d7e7fc3f8adfbb2796d17b3236d8bb21da25b97b10b230798b080c267d0e2258c3eb3748f308a2a056ef05d09543adb2567704a95d971419f1ce0fc54

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
59KB

MD5
7a691f128ff3fb1d06a7539252b6889c

SHA1
35e1ae4137ebbea1279e72fba069fffeb98c28ae

SHA256
49a21b40fc5807e00946dd77eacd8f9c1cc58c4719e9c47c70d1d301a7b62c7d

SHA512
968402d497884989e580b32843948d2b204157a39c3f00fb9d95bb854faa036ba39aff454f3ee259d6611c5c32caf62d03446a2ffe7379e73d61e3c7c0071fbd

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
59KB

MD5
c4bcc6f921941a58273a8d783ad4387e

SHA1
f7eefa534cdf673c586316c6eb9936bfc3526d20

SHA256
fd28f17aee3cc4886589548a6210f87c9c3c60135d3d705f00aeac6dfb831d41

SHA512
4aaeaa5fa008c8ff9e809eefa524d16064f53ad70fd1347fe1e6dfa23eeddb59dc97733767a1dbddbe878b3f64b5e06b644aeee5eb6a099ee18cc2f5ef3dcbb5

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
59KB

MD5
e16d29fe567276d475e759b37f5e9e6d

SHA1
ed4f916486eac9669b9793136907df2b367c1c78

SHA256
c8457abddd264fb88bdb4f7bf81b15dd33e142a42a1af645886a2a01f55fcd44

SHA512
244cd4efde9b29decb2b4e6eb5e198bd00d916a429cc9e182a17e538e577392dd594561fca06ee4bbce1fc45eaf47b3c282de6731cc96fc14b87fb5822619a0a

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
59KB

MD5
0568494ca288a2f059e9ddecfe4a849c

SHA1
e6f75a5aa00d559eb3350c7cbfd1634d25051a8c

SHA256
a2c9bb5abf56e0e3d953ec0991d4c7db56d4bdf53596149ae8c3bc419900c0aa

SHA512
99ad5a8a25a5b4ac0dc9bc1f7b5db8e17b3fb82464db5f7e67446ed12c0c8fe6760fcedea4a4a2dd985b6d2570aecc1fb4f4ef8d3c3b13a9ff2a5d28128d30fa

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
59KB

MD5
05c305863ea5b6b1371b95822187b888

SHA1
cc0164af32ae78fc62951f4a7a13cbfcc40c00cc

SHA256
df7c6de124c6372053fd46aae1fd307a0e47b2778cab25417e718298ce57e1b3

SHA512
bf164b6771977286b97d7d30a2bae55b76635ec0f42551d998529701a5eeed59c2278872e2c45c1730d834274865cb47923deba6fc834f0aa2917ccc89cc193b

Download Submit
\Windows\SysWOW64\Aaolidlk.exe

Filesize
59KB

MD5
2ac705213bcba336a5bb5b015b77644b

SHA1
c44482644f1fa006bf677b904da9b8f184ef0dbf

SHA256
1931ef606eb2828c935606b499af62558beea17b2630ec252d88cb51f5628c60

SHA512
564f7ef5904fb892acbe4337f8f4ae13d58ec120a90ea6e0b1d05620a4018fe62ef028e619370c21de1317efc0aee4ac4a6bdaa7c0d13460ae2586bfffe3f582

Download Submit
\Windows\SysWOW64\Abbeflpf.exe

Filesize
59KB

MD5
abe0655566d5187e619975a4dfbc25ea

SHA1
d117c7ca3b7ab17b1b7c62f14fc3b70852244a46

SHA256
41c8fc0ce5cb711d3115ca612faced2ad917212472f063896a00f52e1a4ff17e

SHA512
f8d905eed3de670843985112547f67ce80ee647a55b31a54c99ae5078c2d9683d3e42176cc9978962f3d03adcc4bc4e4d70a93ddbff2a29ad113d9976c8320e4

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
59KB

MD5
4e7b14aa81fb178615386ba28e6babd0

SHA1
e452bde6a1b2e59f380af30333324658916348ae

SHA256
5920d13275302e0aff876e83332bafb852e879fcc0d8dfab34d1d49c18627b4f

SHA512
f42fea60ee598ca5f3c72be53000d135954b99f45fe358bb225fdbe9fe8dc3d7115ece2adf3b657dcd73ea662ed962d34da33f3340a5c49f07e6495e74487eca

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
59KB

MD5
55385545ab6c16ed4bc2ca478312bb1c

SHA1
429306985e556baefd065b1f6e633e94acd29dcf

SHA256
71a5a8ee18c84aa2601710a3c40d60a9b0135989a79b7fd39e391167796ca685

SHA512
6936e100a92ae02f177c07dc4a441794c9f7c3b5a5fd2d659247c20b0883e09c1d47c3ea314856381e000eabb5874076816e571d4d931a95ce6334460a13c7b3

Download Submit
\Windows\SysWOW64\Ajbggjfq.exe

Filesize
59KB

MD5
6e38e8e30696c9557ba7cec4a3f80971

SHA1
768e09ec36f0082eda2eeff2cdd5c95227a17f9d

SHA256
e5d0705584e9f6de5956ca5309dd11b18fb75e86b81f2ef29fff9bf60a0e8b62

SHA512
323473337a2c94c56b130e36c3d54b99e14a2b2e6af4120419b94ca48c5627a1b678ad06fa3a2a9f2eac9b12e237cb8701811cd0d6df27cd0340a0625ab19f42

Download Submit
\Windows\SysWOW64\Ajecmj32.exe

Filesize
59KB

MD5
e9a12768e150e461e2e6e7908ed75b0d

SHA1
a0d6636db35738c37c41fae3e87c9a25bbeeae9a

SHA256
ea166e902a66f6bde09af43a85153165c68d8892bfcf28dce91422e45f15651c

SHA512
6cc987ec0ac11aa49a2979438b5c9f296ee26fdd5bfcbbfec37eceb5bbca103296d4c55d593753c778e4bf95c5e118800be5a65c286bb9444bdde00ad84296d2

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
59KB

MD5
b1e6b3eae7eef5346f854982fbc3d53d

SHA1
3e638e3c3565dea68eb16894f0509e42a9e9afa9

SHA256
8c59a1d8a90d201c7c146b52dafa34053bff5ecaff62a817c08fe9041679450d

SHA512
d52f36d5a914202b3afbf97fe13d22187e88e44dbfae9c66bc2bb95b05ae204a4c527dfdb328a9c6707b37ce5ee50088c593e0a75c36da8fccbb5c0194f9a353

Download Submit
\Windows\SysWOW64\Amelne32.exe

Filesize
59KB

MD5
4209919fe5586b385713c4304c07b8f7

SHA1
d85dd6bc86b88fc9a0e8757e0212d44a93128d5d

SHA256
12a54353dbacd000922d1b02dafcad202818d10fd522c8440cb543165eeca44e

SHA512
8f746e7d2e9ae1757985817a52409e1d244a5c5b045b0eac0c38fbcfb3d63ad1e32fe87a7ab8d07652b91a77df2808c999cce0fdf77ece7e50cd161edb437b3c

Download Submit
\Windows\SysWOW64\Apoooa32.exe

Filesize
59KB

MD5
9ccedb3a312c3a4223952766ebf7bddc

SHA1
f08cc5e262d0b7e2ee6ea1316d92d3e953a55488

SHA256
6e9d77034442c84c2412e18b471dd9ae92754ee1ef6c0751734db6d42eda84b6

SHA512
f3bd14ca6cdda31d00ee2748177f7163bd4c1d9fa8b4cd3912da656cc37785c9056bf397e1cfd422baab77de6ae293e0fbadfed8f0c7827c8ab3c6d62f8afabe

Download Submit
\Windows\SysWOW64\Bmhideol.exe

Filesize
59KB

MD5
6199df8d4d468241a2ff9008f51e6c9b

SHA1
a7653e6028a670d28f65956b3073d6f655505cc1

SHA256
f9b23d02743d7804c6730e2bf865f6aa8aa6fc23d8c74e92bea8c39a98174c0a

SHA512
762abb55aeb8471873e9fa55322da3f8b9f6c312b21b4af84cb8a5f85eb8d406c964c0f6da05c93ae9103b276c8b6cdb06cadbc4c4319077068039bc7db6d575

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
59KB

MD5
c1b644e8355f69960fcd712a56b76f0f

SHA1
3bff3935946ec5ab81aad4aeffbbc7b4dbd8a54d

SHA256
f41f8ebed5442eae2d66fccca96b498250d6724dd035a77dc1a7d0b4b9032187

SHA512
ae6a3289281f31b3f680ea6534c65d23cdf34d59ab4d71ec035f0549a8126adc7826c37e14f60e60415cc16e9e550421be47e879e31ac1fa98e40d5668bdd79f

Download Submit
\Windows\SysWOW64\Qkkmqnck.exe

Filesize
59KB

MD5
38d388afd9af92bfb5ff96350166f224

SHA1
fc2d59a36e5f293438abaaad18816177979940d0

SHA256
f283682179f90dbeb61633147a377b60ea7ca60b2a13328236165d20dfde04a1

SHA512
22a1484a27e7c06cd4ff95949c8ab6d80e80e878226885b1d9b1e64f961cf8d1a95e55e48c6e9225eabd329e1ac88fb1e6c8959193c0d649c1ba6747ef351311

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
59KB

MD5
b439c80ccde3eedde3a47a358ac00f6a

SHA1
a6e97fc6d4cd5a653fd9bf09258bed457575410b

SHA256
a6981990dab5f11f47e973990f6c44210e9ad8e6eae18b592a5448ee3788749b

SHA512
885405f98cfec0cb72a5b74e7723c9c46dad0888f970034857973a2b12a1b54acdc44012b7171eb3ab08b6cbb8bad71889a538445c0cdac4c660b5649b6272f6

Download Submit
memory/468-257-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/468-256-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/468-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/468-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1152-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1296-140-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1296-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-217-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1480-210-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-289-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1484-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1484-288-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1484-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-88-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1632-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1636-267-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1636-266-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1636-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-238-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1644-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-131-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1796-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-274-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1808-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-278-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1808-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2024-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2024-114-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2076-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-166-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2156-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-311-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2236-310-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2236-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2328-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2328-105-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2476-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-192-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2652-153-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/2652-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-61-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2664-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-21-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2712-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-333-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2712-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-332-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2764-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-336-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2820-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-33-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2872-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2872-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-17-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2880-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2880-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-318-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2976-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-322-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/3000-299-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/3000-300-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/3000-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3000-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads