555f41ecbecd09b34fd1f3e281119e2f8a211c31f810a94b4760436b63794a4e

Analysis

max time kernel
113s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

631937395f210abf12d4d72f0102d4f0N.exe
Size

448KB
MD5

631937395f210abf12d4d72f0102d4f0
SHA1

b70ca04894ba1138fb42be5e2365487b75486596
SHA256

555f41ecbecd09b34fd1f3e281119e2f8a211c31f810a94b4760436b63794a4e
SHA512

4792905ea9cab0596f3af534bde9e7fdc98bad175ce6e1736ce68d0a1cf3ddd8acc5d55eb7f1dd1d1ee76919cff92ca2bef342a29f91f19df150d1ac80ec27bd
SSDEEP

6144:vqQrSmx56s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAH9G:vq+7O705kWM/9J6gqGBf/sAHZHbgdhgi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	631937395f210abf12d4d72f0102d4f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	631937395f210abf12d4d72f0102d4f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe

Executes dropped EXE 27 IoCs

pid	Process
3028	Pcljmdmj.exe
2188	Qkfocaki.exe
2252	Qgmpibam.exe
2820	Qnghel32.exe
2152	Apgagg32.exe
3032	Alnalh32.exe
2552	Ahebaiac.exe
2992	Akcomepg.exe
1784	Adnpkjde.exe
540	Bccmmf32.exe
484	Bqgmfkhg.exe
1384	Bfdenafn.exe
2740	Bjbndpmd.exe
2388	Bieopm32.exe
956	Cbppnbhm.exe
2224	Ciihklpj.exe
372	Cgoelh32.exe
836	Cpfmmf32.exe
1532	Cnimiblo.exe
1536	Cebeem32.exe
1620	Cnkjnb32.exe
2480	Ceebklai.exe
536	Cgcnghpl.exe
876	Cegoqlof.exe
3012	Djdgic32.exe
1588	Dmbcen32.exe
3048	Dpapaj32.exe

Loads dropped DLL 57 IoCs

pid	Process
1768	631937395f210abf12d4d72f0102d4f0N.exe
1768	631937395f210abf12d4d72f0102d4f0N.exe
3028	Pcljmdmj.exe
3028	Pcljmdmj.exe
2188	Qkfocaki.exe
2188	Qkfocaki.exe
2252	Qgmpibam.exe
2252	Qgmpibam.exe
2820	Qnghel32.exe
2820	Qnghel32.exe
2152	Apgagg32.exe
2152	Apgagg32.exe
3032	Alnalh32.exe
3032	Alnalh32.exe
2552	Ahebaiac.exe
2552	Ahebaiac.exe
2992	Akcomepg.exe
2992	Akcomepg.exe
1784	Adnpkjde.exe
1784	Adnpkjde.exe
540	Bccmmf32.exe
540	Bccmmf32.exe
484	Bqgmfkhg.exe
484	Bqgmfkhg.exe
1384	Bfdenafn.exe
1384	Bfdenafn.exe
2740	Bjbndpmd.exe
2740	Bjbndpmd.exe
2388	Bieopm32.exe
2388	Bieopm32.exe
956	Cbppnbhm.exe
956	Cbppnbhm.exe
2224	Ciihklpj.exe
2224	Ciihklpj.exe
372	Cgoelh32.exe
372	Cgoelh32.exe
836	Cpfmmf32.exe
836	Cpfmmf32.exe
1532	Cnimiblo.exe
1532	Cnimiblo.exe
1536	Cebeem32.exe
1536	Cebeem32.exe
1620	Cnkjnb32.exe
1620	Cnkjnb32.exe
2480	Ceebklai.exe
2480	Ceebklai.exe
536	Cgcnghpl.exe
536	Cgcnghpl.exe
876	Cegoqlof.exe
876	Cegoqlof.exe
3012	Djdgic32.exe
3012	Djdgic32.exe
1588	Dmbcen32.exe
1588	Dmbcen32.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	631937395f210abf12d4d72f0102d4f0N.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	631937395f210abf12d4d72f0102d4f0N.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Pcljmdmj.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	631937395f210abf12d4d72f0102d4f0N.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Akcomepg.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Olbkdn32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Alnalh32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Diidjpbe.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Diidjpbe.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	3048	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	631937395f210abf12d4d72f0102d4f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	631937395f210abf12d4d72f0102d4f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	631937395f210abf12d4d72f0102d4f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	631937395f210abf12d4d72f0102d4f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3028	1768	631937395f210abf12d4d72f0102d4f0N.exe	31
PID 1768 wrote to memory of 3028	1768	631937395f210abf12d4d72f0102d4f0N.exe	31
PID 1768 wrote to memory of 3028	1768	631937395f210abf12d4d72f0102d4f0N.exe	31
PID 1768 wrote to memory of 3028	1768	631937395f210abf12d4d72f0102d4f0N.exe	31
PID 3028 wrote to memory of 2188	3028	Pcljmdmj.exe	32
PID 3028 wrote to memory of 2188	3028	Pcljmdmj.exe	32
PID 3028 wrote to memory of 2188	3028	Pcljmdmj.exe	32
PID 3028 wrote to memory of 2188	3028	Pcljmdmj.exe	32
PID 2188 wrote to memory of 2252	2188	Qkfocaki.exe	33
PID 2188 wrote to memory of 2252	2188	Qkfocaki.exe	33
PID 2188 wrote to memory of 2252	2188	Qkfocaki.exe	33
PID 2188 wrote to memory of 2252	2188	Qkfocaki.exe	33
PID 2252 wrote to memory of 2820	2252	Qgmpibam.exe	34
PID 2252 wrote to memory of 2820	2252	Qgmpibam.exe	34
PID 2252 wrote to memory of 2820	2252	Qgmpibam.exe	34
PID 2252 wrote to memory of 2820	2252	Qgmpibam.exe	34
PID 2820 wrote to memory of 2152	2820	Qnghel32.exe	35
PID 2820 wrote to memory of 2152	2820	Qnghel32.exe	35
PID 2820 wrote to memory of 2152	2820	Qnghel32.exe	35
PID 2820 wrote to memory of 2152	2820	Qnghel32.exe	35
PID 2152 wrote to memory of 3032	2152	Apgagg32.exe	36
PID 2152 wrote to memory of 3032	2152	Apgagg32.exe	36
PID 2152 wrote to memory of 3032	2152	Apgagg32.exe	36
PID 2152 wrote to memory of 3032	2152	Apgagg32.exe	36
PID 3032 wrote to memory of 2552	3032	Alnalh32.exe	37
PID 3032 wrote to memory of 2552	3032	Alnalh32.exe	37
PID 3032 wrote to memory of 2552	3032	Alnalh32.exe	37
PID 3032 wrote to memory of 2552	3032	Alnalh32.exe	37
PID 2552 wrote to memory of 2992	2552	Ahebaiac.exe	38
PID 2552 wrote to memory of 2992	2552	Ahebaiac.exe	38
PID 2552 wrote to memory of 2992	2552	Ahebaiac.exe	38
PID 2552 wrote to memory of 2992	2552	Ahebaiac.exe	38
PID 2992 wrote to memory of 1784	2992	Akcomepg.exe	39
PID 2992 wrote to memory of 1784	2992	Akcomepg.exe	39
PID 2992 wrote to memory of 1784	2992	Akcomepg.exe	39
PID 2992 wrote to memory of 1784	2992	Akcomepg.exe	39
PID 1784 wrote to memory of 540	1784	Adnpkjde.exe	40
PID 1784 wrote to memory of 540	1784	Adnpkjde.exe	40
PID 1784 wrote to memory of 540	1784	Adnpkjde.exe	40
PID 1784 wrote to memory of 540	1784	Adnpkjde.exe	40
PID 540 wrote to memory of 484	540	Bccmmf32.exe	41
PID 540 wrote to memory of 484	540	Bccmmf32.exe	41
PID 540 wrote to memory of 484	540	Bccmmf32.exe	41
PID 540 wrote to memory of 484	540	Bccmmf32.exe	41
PID 484 wrote to memory of 1384	484	Bqgmfkhg.exe	42
PID 484 wrote to memory of 1384	484	Bqgmfkhg.exe	42
PID 484 wrote to memory of 1384	484	Bqgmfkhg.exe	42
PID 484 wrote to memory of 1384	484	Bqgmfkhg.exe	42
PID 1384 wrote to memory of 2740	1384	Bfdenafn.exe	43
PID 1384 wrote to memory of 2740	1384	Bfdenafn.exe	43
PID 1384 wrote to memory of 2740	1384	Bfdenafn.exe	43
PID 1384 wrote to memory of 2740	1384	Bfdenafn.exe	43
PID 2740 wrote to memory of 2388	2740	Bjbndpmd.exe	44
PID 2740 wrote to memory of 2388	2740	Bjbndpmd.exe	44
PID 2740 wrote to memory of 2388	2740	Bjbndpmd.exe	44
PID 2740 wrote to memory of 2388	2740	Bjbndpmd.exe	44
PID 2388 wrote to memory of 956	2388	Bieopm32.exe	45
PID 2388 wrote to memory of 956	2388	Bieopm32.exe	45
PID 2388 wrote to memory of 956	2388	Bieopm32.exe	45
PID 2388 wrote to memory of 956	2388	Bieopm32.exe	45
PID 956 wrote to memory of 2224	956	Cbppnbhm.exe	46
PID 956 wrote to memory of 2224	956	Cbppnbhm.exe	46
PID 956 wrote to memory of 2224	956	Cbppnbhm.exe	46
PID 956 wrote to memory of 2224	956	Cbppnbhm.exe	46

C:\Users\Admin\AppData\Local\Temp\631937395f210abf12d4d72f0102d4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\631937395f210abf12d4d72f0102d4f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\Pcljmdmj.exe
  C:\Windows\system32\Pcljmdmj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Qkfocaki.exe
    C:\Windows\system32\Qkfocaki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\Qgmpibam.exe
      C:\Windows\system32\Qgmpibam.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 144
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akcomepg.exe

Filesize
448KB

MD5
c942d54057f950f8bdc68fa4ad5d4826

SHA1
7470e784ebf0c69f0b8e82447db05c64bfec0be8

SHA256
41f62093fd9774c96f4c7d4b8d55f43504a6c620f9309fc66e437621378ee198

SHA512
74bf2e1e1d6c9d83e777575a59d11b33ae07ad84fa6bea555ae2b7f39c1b6c01281b0cf1b1757577e43748468824420c4e4fab9e5029d8f76423deca7e578f68

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
448KB

MD5
360364bf3c1748a6cc5755d7280e984f

SHA1
45ef0666dbf2a6ce69c612573d1bd1a188627b1a

SHA256
eb8bec3309cb6c55e687e056d9321db5ba6be7470e76690ae55f1cbc5d4da16f

SHA512
b3cd6aca1358907a0e8ba00b708d0d0c544759e6c007635bfc322181d3405dedd7f10c677487c0e225c50fd55df32707d5124ae2cd5eafd71d165d1519ce4262

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
448KB

MD5
3f1f3453e144a97125117eb0a3af8fa3

SHA1
3aecb8d52cc4ba21a42e019154e3859cfc3a6a64

SHA256
cd5fb11965faf5cdafaa489665d795cf0e5950083eaec1f4bc6f6f61fa8a4ed8

SHA512
edc7b182b21977b61053b5cde3e5079790d1fa93963e9cee83b81fa0c9c2ffb7785adcf0c7e084d3ac47379ec1bf9ba9bc7212306ea9bc2205cd44f363a17453

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
448KB

MD5
c9c676d0960c594b543f24a9f3a203e9

SHA1
7308a2bceab46ceff3c3dfc4387a4fb4a0379456

SHA256
253b295641c8322af799e0bf8c4ca371fa4f5d9148ce1ed9c56144f4fb758ef7

SHA512
fd53b3825150819a8c28a0ae36e7051a23252a93cccbaa551a3403557ab512d89d30c12dbb10de7d9835b709677276b7b48d142f3389eb7b4910947a3dcf0b1e

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
448KB

MD5
9c06cfba41a0380e88bf78f4be7f7869

SHA1
ec041347b0457992eb86d7265680ce07959b20da

SHA256
ee4f04c310e7b366e07ade577c8e31dcad339e044acc3402c95d45afaa6a5f4e

SHA512
fe5a3c53ba7c3687bcff5c774624d930af3149816730834739c43bbf54c97a0b36f809f29c6051378bf4603fad079dbf3e3730e87f25dd1510672f33cb1d071c

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
448KB

MD5
e290ac9d51de50144b3c3262df6e8552

SHA1
b8b8539b7e54903ae7824b2b4026c94c8163abb6

SHA256
a6f6907306b184462c8909fe64a7a99240efce077ffa85e09e1bc12e1252bcef

SHA512
5317b1d71073f0ae81d902c5b3134854beebb8e567b374a63530f1cea4286ca1fe8d202a49822c5bc87ff1acebcfbb8f6da290fad663dae6475222754c9e7a79

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
448KB

MD5
1aa05e7963196c391e356241e6e0a7b6

SHA1
5340661dc01b9e9dbeb8dd26ec462f9cf42d9809

SHA256
252d4b382b8f43af6e6c2639ca98d8c3af1c9c03cab50390a54e1b61f954f1c2

SHA512
37413e8b9a44d29ffa9b626c0dac5c2f06ca14102daff91ce687bf74d82ca87264e05c0ce9256b9deca514fa4cb60cb872a68e43ed39bad544ae1c2d50a5acd8

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
448KB

MD5
562a5e6b13a7c52cd63314ba9ef7011e

SHA1
78da78a5bb0b5f67f12081428bd4f8b526fd58cb

SHA256
7db3959610878492da65e495c7f0de2b71085487415a03b86d5d0212914ec964

SHA512
44f28d0299d56442a9aae088c2ed41d0df68556658e784916b3d767a87c722b2a9c31b7d9aae07de4ddd344be243c72650fe26f869d0275ce9ad23989aadff10

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
448KB

MD5
8e7536d6ca0920d833864b30dcb5801a

SHA1
d3f5470a2655a31289cda1461bd24d1c3c6d6eff

SHA256
e13e5a584ee9b3ca5af49804a5dbb62774ede9c9b577ba6ad96a9e17b25db455

SHA512
3728046c4df3403a9777a361fbd4982fdc395e29b5223833b0cb41ba470416806de790705024283aec9a67e43eba7625c16fe8b6c582fde7bbf3dca126244e53

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
448KB

MD5
d9525710d8d8e61cc86f847708a77392

SHA1
be4b21826a7d09eed0b013766efe137173c52d50

SHA256
9e4f302380af83a9006eb3eba0913c231481a4017b5d60b80d5abc4ab5ae9987

SHA512
9de600c38d5674d2624a9bbed0a1903feafba6539e9e7e81039ff2764b6ea7bd3892ee96c4bc1a34b9550c116845000a5ae4f4db36e2cde88491eb9b1b26b45b

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
448KB

MD5
72fa5650b767e0d5283ffa524863e3df

SHA1
70d963620635fa8a307799237d7c5b0a44d7bf05

SHA256
96f6aaf1920380da004cab9f9c844da36b8d439098426ebd3aadf2dfc9153b79

SHA512
3f480340c8526175835d7c340993d4da006e54071782b97314fb3b750eb494f3e37b2ba38fb5a6bc6a366003d7ed9affd547b48b7fbb08af1028484a6cccba0d

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
448KB

MD5
35f20586baa0bb34c6ade771f9551abc

SHA1
697037ba163647ed9b0f8e37451197513a9feddf

SHA256
895306d0bcb2411757d6af76fb2cb4774fd1234564899c1bdb036d2abf56ce99

SHA512
304e1955284e3eea6d2a4f0abd0011346a11d6b02ee9d2a3ec406d4d6ce02623da5424cb4b18403def852e48a0af4bf6625b63d535a2049ef1d81dea78fd7161

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
448KB

MD5
fc97c6e37597b092340827b453747abd

SHA1
c20ddbe4ff53a35f77118a3dcacd4122ef207208

SHA256
d633a24387d199365ad35725f843408e04defbcac0c651cf121aed01ea560adc

SHA512
07e827ccd7fac5a36cfc860f4b159b206f1198ce3ddcb772c350888766269a8cb845c40e8611aad51d67463766142689f6843548025d3152a4143833cc4e4a53

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
448KB

MD5
77cb85817ff26dedf4efbb6f8406e647

SHA1
de0df1127a5749b23a384386f1168fc59a7a75dc

SHA256
e5170223e3ff9795bc8de5d0f5c9f52a62fd040185178a4f80a9ff5fcf9203ac

SHA512
4ee4edeb909378656073a5b186c08b7d94e0e62bfdf21190ea51bd17f4e24c3c6ca64ad1d54afba3229ee77be0e0684f5dc9a2bcf3a435b4f5f92dfd5097f2e3

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
448KB

MD5
05efe394a16bd365f53ce7bca0c72abe

SHA1
d797420db548c3729fa8481417068342b4b71d55

SHA256
13ddb362a5643bd4257b6590a2207dbafcbf0bf55d467cccef152ea5f082c534

SHA512
24b08fdf7187213c93c948de3ce1669d5557f656d4e60dd137100a0748e1bfc2639befd1680ed0c92d2973000b11e7413551a0391e23ba8b96d9ac9018160cd0

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
448KB

MD5
0ebeb575279c43d44badf5ffb2f6f566

SHA1
0e38e673ae05306c7b010a14daae849510600bb3

SHA256
3449454434a82e8cc93c3f0a51f5f0bdeb07566bc71946d3a846020bc86bfe62

SHA512
ac066fd0870ee4be69ff5f7cbcf3063b57ab1630df67164539573f1f8c1554e10a1b62af22a6d6c1acc6ba13d064212de0f822c05168034705f0032b668e5877

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
448KB

MD5
553366022c18cefb1ae5121f1895c6b9

SHA1
702336c42dcb298ba2452a55f14a17199c979655

SHA256
a8d4a677395ca8129865769e8392a3d5a09dcd0710125a81b54c8659d771060d

SHA512
4b3f6b4fdbdd06edda37f618e12f9c185b2da8f6da01731b81e5149255e526be0b590511119702d3962c813cb91755acf43fc663df053090cf0853cfb3ec6e72

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
448KB

MD5
227413c184cf1265cd15e3d80ac3b821

SHA1
3f26b389f503eda2900a877eb94375d18cfdd9dc

SHA256
22d74ebdae077fd796f8346ecdf4bf697749eb14dcd4b0d6682a3beb5f1bbef4

SHA512
0a32c27318a619ba7f8f23f89a2f81f6179e1d843594d50e1ca0726432d047178cb3a2de735606a983a494d16f3c2872afb454f607e9a4f42f8354c434e3db1d

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
448KB

MD5
4b96726e1aa58b540f87dd11e6791688

SHA1
b296939ef067ad03993d7f97042f766b23330c20

SHA256
552cd069708d62b77b09e05b73889321e59c44d4b046f3765756d45d80acb800

SHA512
4179e7f61a9706998887e021f4920b1802e7dbf7513dcf168f853ab5edfe33007699a6baee79302c3b72b332c150b761428290cb9c23908a8fb3801aa883da47

Download Submit
\Windows\SysWOW64\Bjbndpmd.exe

Filesize
448KB

MD5
89def071257808e36784da5cc7734763

SHA1
ff0597b732e6f56bd023c91fdd2c660a9dd70101

SHA256
3e11627b94808c0544e95b4d9c5eab9fc57a1edf0e5b7da15a880529d17cd4e4

SHA512
2658ed7af6919836e5be33fdc3ea40d1ce73622199deb14166631b2a0492a7fb3960798a3b09f8af5a30de22c637a353f013925d3bd4457182c9f061e2b9bdc4

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
448KB

MD5
44ec0fa9ee29cb129dee208a38d91bfd

SHA1
a485747e2e2c86ca7170390c552e1b12065e797d

SHA256
415a8025e4e7b436d4639f3dac8fb298f02a090e1bdb671b6668b54419a66b5e

SHA512
5f28d2613282953825e72580c6832926f14fc4fe397cb27285f5011a597d2fa4900f285cfcefdd77fd42276ed60479db8c9ba26745995fde58d5a5199c3820b3

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
448KB

MD5
e02f4e883e6e33b898989e26ba3bd7f6

SHA1
247e45c6b74c2ebbc883dd9ffe4b9077c9413603

SHA256
cd38a3c13ca20010860fcd9bf4b2ad36c459bd144611336147c2b84249c9f91d

SHA512
45d64f29a0fe89d86a2a38f47b6f7075065b794170b806f052351f40c5a52e62344903774353536bf9702ac6e12a9b1093231ff6a4589b16449d6b49339da585

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
448KB

MD5
667a46fde1ac151e1ebf98d4a57b05e1

SHA1
e1c9d765b49f70acdbd8a3aca91824bdbaa0e653

SHA256
2e1de8a483fdde35eb2fa2f7806bcc35c7de951a34935f6b00cec29b1db35404

SHA512
bc10c070c09ba82b1c44b690bff0d6106be171244f2fe4a1e5ffba001760b17cb894b8f6b6e955bb0bd2636ab4d9c06de88d00f8bcad507a2d0e404338f0abb9

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
448KB

MD5
7557fc79a00bea239aa0667267e4594c

SHA1
045b22e3665c8fd2e36e1a362912acacdf3b8610

SHA256
b9243627ee88ee8830302784f9f8833289a45ff4954f4db527831de80c076eb8

SHA512
a15cbb42c34b7b0c2490392af5a3d904b8e72833d0c5f60778d35f9f9f715435a580217bc49e1eca40721119b4cca5eee638ceb0bac1e55f0734e56964ed9fd5

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
448KB

MD5
8e4dfe46ef88e7ec7535c69e344d40dc

SHA1
5b9479853e1eeee51728ebbbc5c15f76249f1e48

SHA256
1cbee22a251567aab53464f5abd15edb2c90e73a04d26881d74ba9eef42645de

SHA512
588f6f9dbb08394334d9842d159fa047c31ba770f6d9a97f7e36113aa86688955a54a4dd5250fe7a7a96ac3d794a30cf5fe913ea1bd29cc87a0421ee99213571

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
448KB

MD5
8c2522c76c9ad4cfd396088522384921

SHA1
f5407ff9b5c662f8dd35261e9c7c5ce788e2034b

SHA256
086c6b978a412e755ed248a0c8ed6188469bf0682968639823278e4218ebb9e0

SHA512
6be721dd965d149aec1736248946e462120f0f1d69033141846e5f739cc630ac156c6d968e7072fed2c2931fa00bb9314db96e292ab4079aba5c460d751009aa

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
448KB

MD5
dfd65670a300dfd8a76a9e5176b2d103

SHA1
7a971976e7daa65a2a4e28ae9a55a8b29de0baf9

SHA256
600d754a4ff7702d87b214e3deaae7da018685b9e65f5bf83db1aa17173685dc

SHA512
eae5853b664c39a29f755f0d99abc55310233a0a38752c5939f5c0529ea68485d34994c60bf0c7d9931c0999e07d7c19a1a7046e28b758a13d72de06ddcf534a

Download Submit
memory/372-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-234-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/372-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/484-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-146-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/836-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-302-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/876-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-306-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/876-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-216-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/956-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-172-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1532-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-257-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1532-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-253-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1536-267-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1536-263-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1536-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-326-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1588-327-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1588-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-276-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1620-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-332-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1768-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-11-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1768-12-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1784-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-81-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2152-374-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2152-366-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2152-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-36-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2188-364-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2188-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-227-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2224-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-198-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2388-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-283-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2480-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-397-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2740-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-64-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2820-365-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2992-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-118-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2992-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-398-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2992-123-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3012-316-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3012-315-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3012-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-27-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3028-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-334-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3028-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3032-91-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3032-96-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3032-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-396-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3032-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads