a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Size

482KB
MD5

6a6405a6bc63cbe2fc970fb3017d138b
SHA1

3d8717657f557f58b53dfd862300bb828ec485cc
SHA256

a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4
SHA512

7a8f1367f0c18700901a05e70987ecca8b419ab9bcc9154aab3a719fbb8eb45bca1816aee370ce26d70ed1676b9bdd32a8c7ca47f5cea6d7f2b4f7a396e36d7e
SSDEEP

6144:0csqD9LLl+wGXAF2PbgKLVGFM6234lKm3mo8Yvi4KsLTFM6234lKm3:prxLMwGXAF5KLVGFB24lwR45FB24l

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkfceo32.exe

Executes dropped EXE 28 IoCs

pid	Process
2876	Ohcaoajg.exe
2752	Okanklik.exe
2648	Ohhkjp32.exe
1796	Onecbg32.exe
1268	Pqemdbaj.exe
1864	Pcdipnqn.exe
2404	Pjpnbg32.exe
2832	Pomfkndo.exe
3024	Pdlkiepd.exe
2448	Pkfceo32.exe
1740	Qjnmlk32.exe
2248	Acfaeq32.exe
3020	Amqccfed.exe
1952	Agfgqo32.exe
2584	Amcpie32.exe
2580	Aijpnfif.exe
708	Biojif32.exe
1652	Bphbeplm.exe
908	Bhdgjb32.exe
2416	Bjbcfn32.exe
2592	Boplllob.exe
1924	Baohhgnf.exe
1028	Bfkpqn32.exe
3064	Cpceidcn.exe
2640	Cmgechbh.exe
2672	Cpfaocal.exe
2636	Cbgjqo32.exe
536	Ceegmj32.exe

Loads dropped DLL 60 IoCs

pid	Process
2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
2876	Ohcaoajg.exe
2876	Ohcaoajg.exe
2752	Okanklik.exe
2752	Okanklik.exe
2648	Ohhkjp32.exe
2648	Ohhkjp32.exe
1796	Onecbg32.exe
1796	Onecbg32.exe
1268	Pqemdbaj.exe
1268	Pqemdbaj.exe
1864	Pcdipnqn.exe
1864	Pcdipnqn.exe
2404	Pjpnbg32.exe
2404	Pjpnbg32.exe
2832	Pomfkndo.exe
2832	Pomfkndo.exe
3024	Pdlkiepd.exe
3024	Pdlkiepd.exe
2448	Pkfceo32.exe
2448	Pkfceo32.exe
1740	Qjnmlk32.exe
1740	Qjnmlk32.exe
2248	Acfaeq32.exe
2248	Acfaeq32.exe
3020	Amqccfed.exe
3020	Amqccfed.exe
1952	Agfgqo32.exe
1952	Agfgqo32.exe
2584	Amcpie32.exe
2584	Amcpie32.exe
2580	Aijpnfif.exe
2580	Aijpnfif.exe
708	Biojif32.exe
708	Biojif32.exe
1652	Bphbeplm.exe
1652	Bphbeplm.exe
908	Bhdgjb32.exe
908	Bhdgjb32.exe
2416	Bjbcfn32.exe
2416	Bjbcfn32.exe
2592	Boplllob.exe
2592	Boplllob.exe
1924	Baohhgnf.exe
1924	Baohhgnf.exe
1028	Bfkpqn32.exe
1028	Bfkpqn32.exe
3064	Cpceidcn.exe
3064	Cpceidcn.exe
2640	Cmgechbh.exe
2640	Cmgechbh.exe
2672	Cpfaocal.exe
2672	Cpfaocal.exe
2636	Cbgjqo32.exe
2636	Cbgjqo32.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Onecbg32.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Onecbg32.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Okanklik.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Jbhihkig.dll	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cdepma32.dll	Ohcaoajg.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	Okanklik.exe
File opened for modification	C:\Windows\SysWOW64\Onecbg32.exe	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Okanklik.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Ohcaoajg.exe	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe

Program crash 1 IoCs

pid	pid_target	Process
896	536	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcaoajg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amqccfed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2876	2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe	30
PID 2748 wrote to memory of 2876	2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe	30
PID 2748 wrote to memory of 2876	2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe	30
PID 2748 wrote to memory of 2876	2748	a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe	30
PID 2876 wrote to memory of 2752	2876	Ohcaoajg.exe	31
PID 2876 wrote to memory of 2752	2876	Ohcaoajg.exe	31
PID 2876 wrote to memory of 2752	2876	Ohcaoajg.exe	31
PID 2876 wrote to memory of 2752	2876	Ohcaoajg.exe	31
PID 2752 wrote to memory of 2648	2752	Okanklik.exe	32
PID 2752 wrote to memory of 2648	2752	Okanklik.exe	32
PID 2752 wrote to memory of 2648	2752	Okanklik.exe	32
PID 2752 wrote to memory of 2648	2752	Okanklik.exe	32
PID 2648 wrote to memory of 1796	2648	Ohhkjp32.exe	33
PID 2648 wrote to memory of 1796	2648	Ohhkjp32.exe	33
PID 2648 wrote to memory of 1796	2648	Ohhkjp32.exe	33
PID 2648 wrote to memory of 1796	2648	Ohhkjp32.exe	33
PID 1796 wrote to memory of 1268	1796	Onecbg32.exe	34
PID 1796 wrote to memory of 1268	1796	Onecbg32.exe	34
PID 1796 wrote to memory of 1268	1796	Onecbg32.exe	34
PID 1796 wrote to memory of 1268	1796	Onecbg32.exe	34
PID 1268 wrote to memory of 1864	1268	Pqemdbaj.exe	35
PID 1268 wrote to memory of 1864	1268	Pqemdbaj.exe	35
PID 1268 wrote to memory of 1864	1268	Pqemdbaj.exe	35
PID 1268 wrote to memory of 1864	1268	Pqemdbaj.exe	35
PID 1864 wrote to memory of 2404	1864	Pcdipnqn.exe	36
PID 1864 wrote to memory of 2404	1864	Pcdipnqn.exe	36
PID 1864 wrote to memory of 2404	1864	Pcdipnqn.exe	36
PID 1864 wrote to memory of 2404	1864	Pcdipnqn.exe	36
PID 2404 wrote to memory of 2832	2404	Pjpnbg32.exe	37
PID 2404 wrote to memory of 2832	2404	Pjpnbg32.exe	37
PID 2404 wrote to memory of 2832	2404	Pjpnbg32.exe	37
PID 2404 wrote to memory of 2832	2404	Pjpnbg32.exe	37
PID 2832 wrote to memory of 3024	2832	Pomfkndo.exe	38
PID 2832 wrote to memory of 3024	2832	Pomfkndo.exe	38
PID 2832 wrote to memory of 3024	2832	Pomfkndo.exe	38
PID 2832 wrote to memory of 3024	2832	Pomfkndo.exe	38
PID 3024 wrote to memory of 2448	3024	Pdlkiepd.exe	39
PID 3024 wrote to memory of 2448	3024	Pdlkiepd.exe	39
PID 3024 wrote to memory of 2448	3024	Pdlkiepd.exe	39
PID 3024 wrote to memory of 2448	3024	Pdlkiepd.exe	39
PID 2448 wrote to memory of 1740	2448	Pkfceo32.exe	40
PID 2448 wrote to memory of 1740	2448	Pkfceo32.exe	40
PID 2448 wrote to memory of 1740	2448	Pkfceo32.exe	40
PID 2448 wrote to memory of 1740	2448	Pkfceo32.exe	40
PID 1740 wrote to memory of 2248	1740	Qjnmlk32.exe	41
PID 1740 wrote to memory of 2248	1740	Qjnmlk32.exe	41
PID 1740 wrote to memory of 2248	1740	Qjnmlk32.exe	41
PID 1740 wrote to memory of 2248	1740	Qjnmlk32.exe	41
PID 2248 wrote to memory of 3020	2248	Acfaeq32.exe	42
PID 2248 wrote to memory of 3020	2248	Acfaeq32.exe	42
PID 2248 wrote to memory of 3020	2248	Acfaeq32.exe	42
PID 2248 wrote to memory of 3020	2248	Acfaeq32.exe	42
PID 3020 wrote to memory of 1952	3020	Amqccfed.exe	43
PID 3020 wrote to memory of 1952	3020	Amqccfed.exe	43
PID 3020 wrote to memory of 1952	3020	Amqccfed.exe	43
PID 3020 wrote to memory of 1952	3020	Amqccfed.exe	43
PID 1952 wrote to memory of 2584	1952	Agfgqo32.exe	44
PID 1952 wrote to memory of 2584	1952	Agfgqo32.exe	44
PID 1952 wrote to memory of 2584	1952	Agfgqo32.exe	44
PID 1952 wrote to memory of 2584	1952	Agfgqo32.exe	44
PID 2584 wrote to memory of 2580	2584	Amcpie32.exe	45
PID 2584 wrote to memory of 2580	2584	Amcpie32.exe	45
PID 2584 wrote to memory of 2580	2584	Amcpie32.exe	45
PID 2584 wrote to memory of 2580	2584	Amcpie32.exe	45

C:\Users\Admin\AppData\Local\Temp\a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe
"C:\Users\Admin\AppData\Local\Temp\a53b03c539746370092056aa0407130bbb60bf4c1af6d92fa27e9a6415d8f4b4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Ohcaoajg.exe
  C:\Windows\system32\Ohcaoajg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Okanklik.exe
    C:\Windows\system32\Okanklik.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Ohhkjp32.exe
      C:\Windows\system32\Ohhkjp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
482KB

MD5
8a4524cc0433ae4deb9bb2f8395c1eea

SHA1
a4aa65c57dcf642593d601452b3ba00fbcda0c2f

SHA256
c7aca2fa0149f26a4cba2a80ce6b5b05754978dea727a302bd5472cb7f7a491d

SHA512
c23d9c63d82e3bc145e57b06520a7b070b76ee70fbb3b4bb42752b390fa60d60efacca80c43e9fd08ccf30c8c591ff11912fe1f75acae33444885417619b1e1b

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
482KB

MD5
292f7903524f834cc487a0e58f9e29ab

SHA1
a3f9620315f44ead9e1ec131d23d965aa4b36fce

SHA256
6d1ad9815dc945935f8f1cf76bf2858ee08fba033b21cdd4ad46d224811e1499

SHA512
28cabf353829c1a651795866e044e6290d3c790782117c43341ea4dacfd33f885d030793208bfb3cdddcac81cfcdf3a7d676c9b9a48cfdaf1edd231eb375ee59

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
482KB

MD5
538c9f738915e147880ed27a2c61ae18

SHA1
8268cac31463212bbd98a88d52d9ee06bf8375bf

SHA256
ded4626b52cdc17061b965b13ab4a022d9a8c0b63b96aa0c4d30e1c6261ab7d8

SHA512
c03798da1965177d84b6c631f5785c10620d3705aaa144ef8f136293efdeebf9d8a9dbc1fd0ceae4c1d34f0ccd1585255ff19c2cf9584d66411d86db66cbf541

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
482KB

MD5
ac76741ee82fc84e7a4129fa11680f6e

SHA1
cade901c3f0c57f30e820bf4609ce090690e7c28

SHA256
1d502f1b42f683ea74f57cb606f989dd2e40fc53adca111bf788067fe511fd82

SHA512
743faa30af85ee243b100460cb1b58f278d5a26e30efd919e8f8c1f9c21708bf735cbbef2a6408ae410ea56b2b54d8630b8c1236e031c8c372be9ca092d55a08

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
482KB

MD5
72a59746a7cde9a21aacb3ed439fde1e

SHA1
d8ce104787ddbf9171b6c9cec9c5bd851898508b

SHA256
6cfc6fcf4e3afa9a1234f990c7d404b9dc9a890619a52db6918c0ee15e695bcb

SHA512
394944d2f5f65829ed80c2178a40c9b5923d440bd27b7142885528df307e24a0db568da4fba6e815a73ea99f0b5794bd8ca684184c304663956a1f4429242229

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
482KB

MD5
982deaef23a4358daaab5edc7d68789d

SHA1
3bdcd0705197bdf3b883ffd03a45b1e9b2afd711

SHA256
d8353352cf616b08d0f166307e1547575df0a39345d7db6e1c45b98c5c5f21fa

SHA512
5256901b4f3abbb48be66b644027640d6c6cf289c83130f8dd3f26aee5c0d421768be96eddfd4a268c2b6152c3db57a315cec336fbd22e388cedc48ce5e0da40

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
482KB

MD5
d6b4e9a431492233b4984f1e0a46a461

SHA1
5f7c491f10c19d7189a454a2b6775f97f59394e0

SHA256
8d3f256b7c50616255e23af30eb9e51a589e9ef24882b213d489925270e563bb

SHA512
755d928d0deab89f81633b75704e4454c2ae5c90a8c9c0c18963142fffaa41a303f0468f7b805791a4b421a5fe0e8ca35a1bf306f243a3294f1d543874144411

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
482KB

MD5
c032996bcbfaca116dafe7a4062c301b

SHA1
63f0d1894b5b046ecb20726f3f45c67910f09ea5

SHA256
04806a6eb43882b09f115443d6d426aba94d691712c527f8011869f63c3cfb66

SHA512
2071a88777f824121122d5b1d35b841530e2fbc2d136b0747bd8e4ef40453e3497432ef19e77120c52f8c5aae8d466a8be1fa61a098e649a190f3ec33f6ec99d

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
482KB

MD5
b6cb43e857471d40f132c78545a3bc70

SHA1
9bdf6b39eb939806ed35acdbd5da6d8b883073ff

SHA256
33efef5c54d48614ff291db815fa9c520f1f047b6cf460b40dcb657db59e639a

SHA512
b7bdcbe495417ccba99ab6099313f68d5ec1385f1067434f4956a44239cb63a4a36e9d672ba09b3f1820b1a5d1d365ae7e7e12486f3866300e4090adba069500

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
482KB

MD5
39076f4bef3e634f026c0c4d9a6c7c47

SHA1
e033f5bf35ed6b7a3289220f8262c11e4fd34124

SHA256
fe5953aa7640207f3190800f8fb2b1e41be9f9cd12d6c1c334de8ce29b559f27

SHA512
2b91042b4d0d5774b70c5f56fb9ade84af8a46b88b24c81c86beac7e578b283b9890adaa44ea11fea7b24369b5315a4c4e5963b688fed98d1b44dc823966d5c4

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
482KB

MD5
2e8bd2914de97a7b15e776d59202a436

SHA1
e7c43324d8c0e3f71b3d064caa99f80fb944c707

SHA256
06ac6a348b2a4661a300ae10c3875fdf28eada4b0a562c9871c27c26fbd0ac56

SHA512
4a5846623fc59f19fc6c8894773c2f161831f4824aba0216ce63cd9c6dbd32f667cb5fa1924df2d26cdeee6c474ad9c306bb78b1eb47cf287b6a2db7238403ef

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
482KB

MD5
12979e7fd5345a80d9d5dc59311975a1

SHA1
b163d1fe26e928ccd1cb9b0051d3c423f7983c9d

SHA256
a6a87a867cd47ccf55c6de4927c7f664b725be0fc30e4cb8d3a1983d420d75f2

SHA512
8d9004ced35c15f26384f4a2539187b2dd778832a47a01ef2d8fce376901b105eb319fbbb4e38266fcae08a72de67f2904b3554c2bcdb0d86dc3c2b3c6f401c2

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
482KB

MD5
7bfb02e7b1312ec09fb2266e93cbd47b

SHA1
b315aa4f3724f198a44e90dcf179542f6bcdc139

SHA256
2b5eb3e88b5d03c6b2e98b3a5f76fea577c929ad7447626aa65c001a6fe01767

SHA512
dc74621f473fe6177e1bca559b854c9149d75c387ad31ac38f73ee77cb015149afd3c5c8a0a0632cbe70f45692d21c5f028094846ceab764bc786a12251aa147

Download Submit
C:\Windows\SysWOW64\Jcbemfmf.dll

Filesize
7KB

MD5
b20754115228e4e4789d029528de5701

SHA1
b76b876cb986528a58af9381f744aa16d758cadb

SHA256
12f670ed1eff27eef5c8f9d36ac7960a54d7d6bfcee4db1190b53d2580d1846c

SHA512
564992d18d7138befc71c7478966664142016aa90c59cb7998871067372d0681f3df9ad93240397544a6def9130bd64c037ab7ffc1fda6079ec2c88151715ddf

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
482KB

MD5
271fc63611b23bc23fac4356d382b267

SHA1
2a136f6ac2374def4a59f444bd595b5684b8eb16

SHA256
ef4d583d47c828225bbc0a7f671aee0097a3a0e534340520370eade181a606e8

SHA512
6ffb6c5a93c6a7c616b611f754a2736e92c2c4c205ede00acc49721e00525d73052f0963dfd62dc307f915161fda6f3157e776e95b6adef1bac7f233e07d2c8e

Download Submit
C:\Windows\SysWOW64\Okanklik.exe

Filesize
482KB

MD5
feb25ed718b88e32cdff8f7e399c1cc3

SHA1
57ccc19a02c142be85c2862502af12495a72a26d

SHA256
09356e5957004aa5ee49455c8e0d3e72f64a22bc0044d41e271853b5dc53080b

SHA512
6aa2550f2979a4ff8a980df18746847ecd51fb29898692e8da7d723507074911dd0cfdcf83b376b20ff884eff2d01d5be3b7648e4af28031f047899ef19b43c6

Download Submit
C:\Windows\SysWOW64\Onecbg32.exe

Filesize
482KB

MD5
64d8061fc0002cd55306066c6c63be19

SHA1
2372cca114f37b77c969b2fd71da873384bf4195

SHA256
ee7023273dd44f93cb398d3b21a38a8045134b8f38bb3a328cb66deaaea3a4df

SHA512
14a99f4f5294327da58017f3cfc4db2aa39daeade0e2431a1c94ea1a9197e224ba442559f21a34f9b5ce1079a35e8b50693ee76128b35bc104bb2de21a630c3e

Download Submit
C:\Windows\SysWOW64\Pcdipnqn.exe

Filesize
482KB

MD5
b8500cecba3891970f8a434facfb4a70

SHA1
7140f302c3df2b3e4f3e837c6c4df7d2cc4cac98

SHA256
2763f0593177de8dd43f4c9afacc0678c13a2f85c8ac12647676da6965bec9b5

SHA512
27c3cd852d6c00a8e0b1956494c87ef6c33e8dd8161d21ed14f783c58e664979429642d975605c09ddf6af3c576161e24aebf24f6c7c1ad9ac9237e820e4ff83

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
482KB

MD5
f29a362d9d8c24f27db7f5129a10fa4c

SHA1
5ce14d5b6786a2f1283fc0ebf7b97672161dbcda

SHA256
dd3af5fdea0262ee055d1c898a76b1005547f64a4b0a76a50433d918b3e34d9a

SHA512
8f0353f3487b8dd576fde8027df3cde47551ea24e525d53f835e50c5cf549d04a4f1dd88671fb3455bff54ca06c48f93e8bc6ede795e8d987e4c118551245cf6

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
482KB

MD5
6d04bdb7b16658db5854895ca1054834

SHA1
43d70a79eb3d48690bf589efc198dbeb0b859286

SHA256
c956414c4909b0f1f0be6e08a5b834c2395aaf337eb981f002b59006934cb5b6

SHA512
f7910e742f03be3cc3ceb7090ac8c77b3936f469173c03f8d00f3ba4cb7f055638b3636b626587891afa89fd5d70208185cd97d9c0ab1b36003e759e0f2446ac

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
482KB

MD5
ea6dc8a1016070017d141eadf1f73b5f

SHA1
6d78f50be02981bf86c0c9c0189d2b76cc036cf2

SHA256
6ca27d502b0f94c6cf69d801f5b4016964d4f5a496699dfd6440815d5febef96

SHA512
bf6608ae9f65a82828c25fec4b7d0538239a1dec8e7497f83d6d9e8df19176148ab179f72ee8a5d58d010b5dbbf6d86e4dd5239068bb3252fac5a902af6dc9a3

Download Submit
\Windows\SysWOW64\Aijpnfif.exe

Filesize
482KB

MD5
4ea96e1df1b3834bc673c788766ad572

SHA1
153b37a14c711bb325adbb13932e76bdabbc48f6

SHA256
ad049a2f7cae3144736a2e3298d479d6068732b16d29b1d4e04757496ccc537d

SHA512
c0e0722c229fb81e230d0d3967016385682c3daf434e302b0db82c3f121c220fb5d31815e22005e42765bc2ee2745328e1bab51055ff55337e53312a5652c605

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
482KB

MD5
78e2c67a78b7c6440dc68d8262b846c4

SHA1
d5c4727f3df2fde64c5a88c536ef6e2ae82d1d7b

SHA256
6639e2ab9093864fcb44549ddfc8b6ef95af5d99b75c03273c1d0ad20f8c73e3

SHA512
2a663df2ed7c99b4d46c7dafbb8c1a4c04dc49cedf55a897481c787959e591752f8f0a43de8a20683b952d7929f1ddbb9786f517863771f93092a29ede5b8780

Download Submit
\Windows\SysWOW64\Amqccfed.exe

Filesize
482KB

MD5
34b59dbd95e0a50cdd158363d4c672c6

SHA1
91091750472a78b47e260edc759b91a60b82241f

SHA256
a1aba8bef59df063e9cf68a5cc7ddbab721322982973637ba0a268d2b4568938

SHA512
540eb15ee7d7579ecea48919b362f52a8de25ee8b5a9a245f727e4ef498456cbdd7bd786f0c33920aa5231eb4394dbe2ab014f59ddbc21be18094b6a7f1cdacd

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
482KB

MD5
5baf68e80955022b28744591f03d264c

SHA1
e398d147ca13f7a31066444ffcfa7b6919824a6b

SHA256
0520cc9eceee24910fae8d6c578ca0c72d9bc80e180a65792ca4782ea9a93c46

SHA512
328dbd13700eb254a1d7072bc00be2c2c2c165d204cb3d56f15366c022de14038586db1d4d5018c0b414106ab70de99a309839ec7edc0594a316fbb1267b2924

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
482KB

MD5
018ed5d750cbdeda72f0cd31bd4e33d1

SHA1
477b90edaac8b0ce29ece2bd3aa472637f4cbf93

SHA256
45bab32dcb8ee97b2088b97969be1acfc7b3518c2d09e03383b513f69b65db4f

SHA512
2018e4c13bb8f8c25c959366a9f1ac83f9296d2e8fa2088c1c8f6df9df952bec105f1868645f486b14725b007eec6b9618fc7422af5f871eebc775f2182a4652

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
482KB

MD5
f06b488e91901e968d21ce0a881cc05e

SHA1
c33efef797e85134cd01697969902fc716411e07

SHA256
32def20aea404f05125872fac2563a50694fa3013796a681d2e220b187dc4b93

SHA512
24b4fd86b1ef23ccacbc926d54304fca22da80d7c9477535a1d39cde26d3bc8b8369668b6d00cc47a7479e41a0ec8cdaa7835db76c03c32e30b160441d424459

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
482KB

MD5
1e136bf14c69dd9e1091671711e46a73

SHA1
34b5eae454fca1efae83ae5f12768be70662aaf5

SHA256
183318320c7b9b3d83e2a5bc611f49965e1925fa53b9a9de0e9a3c0a2cac7420

SHA512
45690c4d727a6529b5e5512f96c0171b46d14c98eb055f2ef8d9f8cd802d3e83ded4eb41e7b05746fe15b8745e0b94ce005e2cd1c4d92e4c6750ac6db2274c27

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
482KB

MD5
5b75ecdc76386365923ebbb91fee3a2a

SHA1
c7347edfd15ee9085776d2971fcca617101fe6d0

SHA256
ed0211181933d917cf2f06070c36cf3add26665939ff463813d31c5e560078fb

SHA512
75ef5b92c609a5f844715a60484e4b5ad5f50df240aad83056d018827804f6a04d8959d820a2e6b68807179e9f6b16f5e1598ea6a854c41b15e5eb838499b77c

Download Submit
memory/536-362-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/708-250-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/708-245-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/708-251-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/908-272-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/908-263-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/908-273-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1028-316-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/1028-311-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1028-317-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/1268-445-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1268-77-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1268-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1652-252-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1652-262-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1652-261-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1740-166-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download
memory/1740-167-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download
memory/1740-461-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1740-159-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1796-394-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1796-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1796-63-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/1796-443-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1864-91-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/1864-395-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/1864-447-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1864-96-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/1864-83-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1924-306-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/1924-302-0x00000000004E0000-0x000000000054F000-memory.dmp

Filesize
444KB

Download
memory/1924-296-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1952-207-0x00000000002E0000-0x000000000034F000-memory.dmp

Filesize
444KB

Download
memory/1952-213-0x00000000002E0000-0x000000000034F000-memory.dmp

Filesize
444KB

Download
memory/1952-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2248-169-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2248-182-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2248-176-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2404-105-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2404-449-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2404-416-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/2404-110-0x0000000000470000-0x00000000004DF000-memory.dmp

Filesize
444KB

Download
memory/2416-284-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2416-274-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2416-283-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2448-152-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2448-433-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2448-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2448-459-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2448-147-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2580-240-0x00000000002E0000-0x000000000034F000-memory.dmp

Filesize
444KB

Download
memory/2580-229-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2580-239-0x00000000002E0000-0x000000000034F000-memory.dmp

Filesize
444KB

Download
memory/2584-226-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download
memory/2584-214-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2584-227-0x00000000004D0000-0x000000000053F000-memory.dmp

Filesize
444KB

Download
memory/2592-295-0x0000000002000000-0x000000000206F000-memory.dmp

Filesize
444KB

Download
memory/2592-294-0x0000000002000000-0x000000000206F000-memory.dmp

Filesize
444KB

Download
memory/2592-289-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2636-356-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2636-361-0x0000000000340000-0x00000000003AF000-memory.dmp

Filesize
444KB

Download
memory/2640-333-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2640-339-0x0000000000260000-0x00000000002CF000-memory.dmp

Filesize
444KB

Download
memory/2640-338-0x0000000000260000-0x00000000002CF000-memory.dmp

Filesize
444KB

Download
memory/2648-441-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2648-41-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2648-53-0x0000000002070000-0x00000000020DF000-memory.dmp

Filesize
444KB

Download
memory/2648-364-0x0000000002070000-0x00000000020DF000-memory.dmp

Filesize
444KB

Download
memory/2672-349-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2672-340-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2672-354-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2748-435-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2748-350-0x00000000002A0000-0x000000000030F000-memory.dmp

Filesize
444KB

Download
memory/2748-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2748-11-0x00000000002A0000-0x000000000030F000-memory.dmp

Filesize
444KB

Download
memory/2752-439-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-363-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2752-27-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-35-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2832-426-0x0000000002060000-0x00000000020CF000-memory.dmp

Filesize
444KB

Download
memory/2832-455-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2832-112-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2832-120-0x0000000002060000-0x00000000020CF000-memory.dmp

Filesize
444KB

Download
memory/2876-437-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2876-25-0x00000000002B0000-0x000000000031F000-memory.dmp

Filesize
444KB

Download
memory/2876-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-198-0x00000000002F0000-0x000000000035F000-memory.dmp

Filesize
444KB

Download
memory/3020-184-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-192-0x00000000002F0000-0x000000000035F000-memory.dmp

Filesize
444KB

Download
memory/3024-137-0x0000000000360000-0x00000000003CF000-memory.dmp

Filesize
444KB

Download
memory/3024-428-0x0000000000360000-0x00000000003CF000-memory.dmp

Filesize
444KB

Download
memory/3024-457-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3024-427-0x0000000000360000-0x00000000003CF000-memory.dmp

Filesize
444KB

Download
memory/3064-318-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3064-327-0x0000000000330000-0x000000000039F000-memory.dmp

Filesize
444KB

Download
memory/3064-331-0x0000000000330000-0x000000000039F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads