68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Size

45KB
MD5

ba9361757c07738ecf5fd047e69fe5ad
SHA1

6a238bec38c6eb1f459df2d901b6f3dd7e222d60
SHA256

68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f
SHA512

7e043b9af75d9e4a85e0a6052a7d49ad72ea453408b8ba351951a37c9df1c68c5bbe826838389c9e08ea3127a696f927de3cd587f7487a13daa80e1ad4b3a511
SSDEEP

768:MDZ5BAB62EzA4vBcDhRXhI6EMZqyiHS6nTI6Nl7/1H53X:u6B62Es4W+PhbtF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe

Executes dropped EXE 64 IoCs

pid	Process
2108	Ocpgod32.exe
4504	Ojjolnaq.exe
3020	Olhlhjpd.exe
3624	Odocigqg.exe
4516	Ognpebpj.exe
4804	Ojllan32.exe
1388	Olkhmi32.exe
5012	Ocdqjceo.exe
5028	Ofcmfodb.exe
1592	Onjegled.exe
2248	Oqhacgdh.exe
2920	Ogbipa32.exe
972	Ojaelm32.exe
3168	Pmoahijl.exe
3040	Pcijeb32.exe
3716	Pgefeajb.exe
4132	Pnonbk32.exe
3044	Pdifoehl.exe
5092	Pggbkagp.exe
1640	Pmdkch32.exe
1564	Pcncpbmd.exe
4120	Pjhlml32.exe
1580	Qgqeappe.exe
1956	Qjoankoi.exe
4092	Qqijje32.exe
2324	Qcgffqei.exe
2536	Anmjcieo.exe
4376	Adgbpc32.exe
4000	Afhohlbj.exe
644	Ajckij32.exe
1892	Aeiofcji.exe
2472	Aclpap32.exe
3556	Afjlnk32.exe
2756	Aqppkd32.exe
2892	Agjhgngj.exe
2260	Ajhddjfn.exe
1864	Amgapeea.exe
1832	Acqimo32.exe
3148	Afoeiklb.exe
3420	Aminee32.exe
3528	Accfbokl.exe
2944	Agoabn32.exe
4408	Bjmnoi32.exe
4256	Bagflcje.exe
3704	Bebblb32.exe
1172	Bganhm32.exe
3024	Bjokdipf.exe
920	Bmngqdpj.exe
4976	Baicac32.exe
1676	Bchomn32.exe
4780	Bffkij32.exe
116	Bjagjhnc.exe
4636	Balpgb32.exe
4700	Bcjlcn32.exe
5020	Bgehcmmm.exe
2188	Bjddphlq.exe
1808	Bmbplc32.exe
3964	Banllbdn.exe
1316	Bclhhnca.exe
1504	Bfkedibe.exe
4024	Bjfaeh32.exe
4188	Bapiabak.exe
4540	Belebq32.exe
2596	Cfmajipb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5672	5584	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 2108	3600	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	84
PID 3600 wrote to memory of 2108	3600	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	84
PID 3600 wrote to memory of 2108	3600	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	84
PID 2108 wrote to memory of 4504	2108	Ocpgod32.exe	85
PID 2108 wrote to memory of 4504	2108	Ocpgod32.exe	85
PID 2108 wrote to memory of 4504	2108	Ocpgod32.exe	85
PID 4504 wrote to memory of 3020	4504	Ojjolnaq.exe	86
PID 4504 wrote to memory of 3020	4504	Ojjolnaq.exe	86
PID 4504 wrote to memory of 3020	4504	Ojjolnaq.exe	86
PID 3020 wrote to memory of 3624	3020	Olhlhjpd.exe	87
PID 3020 wrote to memory of 3624	3020	Olhlhjpd.exe	87
PID 3020 wrote to memory of 3624	3020	Olhlhjpd.exe	87
PID 3624 wrote to memory of 4516	3624	Odocigqg.exe	88
PID 3624 wrote to memory of 4516	3624	Odocigqg.exe	88
PID 3624 wrote to memory of 4516	3624	Odocigqg.exe	88
PID 4516 wrote to memory of 4804	4516	Ognpebpj.exe	89
PID 4516 wrote to memory of 4804	4516	Ognpebpj.exe	89
PID 4516 wrote to memory of 4804	4516	Ognpebpj.exe	89
PID 4804 wrote to memory of 1388	4804	Ojllan32.exe	91
PID 4804 wrote to memory of 1388	4804	Ojllan32.exe	91
PID 4804 wrote to memory of 1388	4804	Ojllan32.exe	91
PID 1388 wrote to memory of 5012	1388	Olkhmi32.exe	92
PID 1388 wrote to memory of 5012	1388	Olkhmi32.exe	92
PID 1388 wrote to memory of 5012	1388	Olkhmi32.exe	92
PID 5012 wrote to memory of 5028	5012	Ocdqjceo.exe	93
PID 5012 wrote to memory of 5028	5012	Ocdqjceo.exe	93
PID 5012 wrote to memory of 5028	5012	Ocdqjceo.exe	93
PID 5028 wrote to memory of 1592	5028	Ofcmfodb.exe	94
PID 5028 wrote to memory of 1592	5028	Ofcmfodb.exe	94
PID 5028 wrote to memory of 1592	5028	Ofcmfodb.exe	94
PID 1592 wrote to memory of 2248	1592	Onjegled.exe	95
PID 1592 wrote to memory of 2248	1592	Onjegled.exe	95
PID 1592 wrote to memory of 2248	1592	Onjegled.exe	95
PID 2248 wrote to memory of 2920	2248	Oqhacgdh.exe	96
PID 2248 wrote to memory of 2920	2248	Oqhacgdh.exe	96
PID 2248 wrote to memory of 2920	2248	Oqhacgdh.exe	96
PID 2920 wrote to memory of 972	2920	Ogbipa32.exe	97
PID 2920 wrote to memory of 972	2920	Ogbipa32.exe	97
PID 2920 wrote to memory of 972	2920	Ogbipa32.exe	97
PID 972 wrote to memory of 3168	972	Ojaelm32.exe	98
PID 972 wrote to memory of 3168	972	Ojaelm32.exe	98
PID 972 wrote to memory of 3168	972	Ojaelm32.exe	98
PID 3168 wrote to memory of 3040	3168	Pmoahijl.exe	100
PID 3168 wrote to memory of 3040	3168	Pmoahijl.exe	100
PID 3168 wrote to memory of 3040	3168	Pmoahijl.exe	100
PID 3040 wrote to memory of 3716	3040	Pcijeb32.exe	101
PID 3040 wrote to memory of 3716	3040	Pcijeb32.exe	101
PID 3040 wrote to memory of 3716	3040	Pcijeb32.exe	101
PID 3716 wrote to memory of 4132	3716	Pgefeajb.exe	102
PID 3716 wrote to memory of 4132	3716	Pgefeajb.exe	102
PID 3716 wrote to memory of 4132	3716	Pgefeajb.exe	102
PID 4132 wrote to memory of 3044	4132	Pnonbk32.exe	103
PID 4132 wrote to memory of 3044	4132	Pnonbk32.exe	103
PID 4132 wrote to memory of 3044	4132	Pnonbk32.exe	103
PID 3044 wrote to memory of 5092	3044	Pdifoehl.exe	104
PID 3044 wrote to memory of 5092	3044	Pdifoehl.exe	104
PID 3044 wrote to memory of 5092	3044	Pdifoehl.exe	104
PID 5092 wrote to memory of 1640	5092	Pggbkagp.exe	105
PID 5092 wrote to memory of 1640	5092	Pggbkagp.exe	105
PID 5092 wrote to memory of 1640	5092	Pggbkagp.exe	105
PID 1640 wrote to memory of 1564	1640	Pmdkch32.exe	106
PID 1640 wrote to memory of 1564	1640	Pmdkch32.exe	106
PID 1640 wrote to memory of 1564	1640	Pmdkch32.exe	106
PID 1564 wrote to memory of 4120	1564	Pcncpbmd.exe	107

C:\Users\Admin\AppData\Local\Temp\68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
"C:\Users\Admin\AppData\Local\Temp\68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\Ocpgod32.exe
  C:\Windows\system32\Ocpgod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Ojjolnaq.exe
    C:\Windows\system32\Ojjolnaq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\Olhlhjpd.exe
      C:\Windows\system32\Olhlhjpd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        35⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        64⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        66⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        79⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 396
        99⤵
        Program crash
        
        PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5584 -ip 5584
1⤵
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
45KB

MD5
ffe6e9549505b23f355632186fd80a50

SHA1
5e52f75dc8017447a1c202ec1502df21cd5fb4d6

SHA256
5ed02fe464ef7be18ccaaca2b7033d1dd91f7fc6e9ec99fe625703af21dec04c

SHA512
c8f282f9094a66045fd17a1205b6eec3cbd31b513c7b0bbe758a8ecce592a06a1cd0f5f41ca76e7bc68b7e544531863c33534ede440ad425cb4b1f54c74f7a33

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
45KB

MD5
edcecd48f580a12cceffc3a93745837e

SHA1
fd13769731d314d5d47df963b3e9717e3899fd71

SHA256
6c021580f79976b722c11c17924c0daaa2eff4c2da041d2f222b9037594963b4

SHA512
d79c3dbbb30bb5003eea5a3ba7b8d5532a462a5f04c6aa70ec7de3493f645a2619b3c9025f03e151d577a28cdb87d0c428c8e04d11169e0b9d0e9f3889b32097

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
45KB

MD5
3cd5e54226c2bef52b7e2a0b9d89d1f4

SHA1
beac2c8611611517c11c0c1ef78e0797ce5cb582

SHA256
65431aeecf776af5bc8baa0ec17047c2671ae1525fc10b44dad41eaf7aa4d60b

SHA512
7569332164cdf438b2b2b62af22c00e9f9f6a7d34b7b68e8034d612ebbb57dbcaf8cf8f257b2d14a0d0faedcd919cf20aa9c21ec16f55a138d6f5e63087ec666

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
45KB

MD5
c32b8d0e785b72bfa4277519de1988d4

SHA1
0d079f6830765d1be55300cfb8eda236f5d1d832

SHA256
202accfc8b1f776b07117c614b41bc92118cc10eabe63816d3c110cdadc3f2a5

SHA512
5a6c737e359dec4c77213e6573adf2bd6a8115f5353a8580685721ab67ee5e2cc25bd8290c591bdcedc10bf63886576a1ba52c2d071ccbe95bf82cfb8fd9a5aa

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
45KB

MD5
e464bc95c0756c51bfcd291929cc1fce

SHA1
7aa3d76cac077de515ffed2614e1d9a4839d19a5

SHA256
8d674b0584ed6139d464c5c1a213c626889501e5e228ab5a9c33b6fd45e67486

SHA512
25e3d52ce2c1fb0ab5b3ce5a63e59d3d0d849ae465cbdc66afa074da9ba09e023b6ea94d3a58c6d9ed1ff8e6612e96fe3ce3fd3db7e9fba5873db6a6251eec0a

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
45KB

MD5
b08423a727587c5b026919aab89acd16

SHA1
f8df975a60c52f22abe3a6d419e51d08100d5b1f

SHA256
e78b8c047db2c6a536c6e5799df6374c28cc50ae251093fe17faccf05da1ab5c

SHA512
c97d16fb750644bd3a522429a3efe529cd94468b6369a5338077e24459431f1b5172481e6f4f02e47e1982428a31ad0c801ca3ab9490a40fe699b45a148e2d37

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
45KB

MD5
641ebbbc02c157d51617684de8aa1cb6

SHA1
5ca6938c613b724213635fee93aa9fa0d2678849

SHA256
58b677ec08d2bc70fd9ab0ba149e85f742f974d0fe525c85cfadc67dcd419181

SHA512
18d7442cecb882e3748e71e23eaa301846744962bf5912eae35e5572342c5c81dbaec3da11398cff41387698d83b9f28eed56ec33adef04d9094515d87c6c595

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
45KB

MD5
24fa5a80229d6887683c185d3be5fdcb

SHA1
41a1931fc0a1a76bf68a2227ab889308dcdefb11

SHA256
b70aea70d2bef2b40222f12240823bb92a11c2e8b3429da0240ad40277bcb9d1

SHA512
7b39601ff6375455e1b5eb811aab165b05a359def8b4642dfa881c04c2407a56cc65dd3cd5055a47c81ace2deced9d3758849f137e36ea50e8dcca5163f2d546

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
45KB

MD5
076dff8ceddc3bc1ba6aa85cb387cbba

SHA1
4ef1fe0aa02a4dc6c786aaa03846a1124685066b

SHA256
b58ba67cd08e7a7448569c465853c604f9cd93f1df9fd64d8c4b3e0a7282a50f

SHA512
b9fca8e050fa64496320ac8885be8b07d0c8c0e26b16944949c754e21812cea44ec385a880810aa4e1e397209bfe2cd41fe0ca3f7a06469fce0abce421b8c286

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
45KB

MD5
0a2f38939712b66095e34e3d7ebd3934

SHA1
46c66e22b764ab62aec0c8e62f7005de04d012a9

SHA256
8d53948accdeb653ee8d2a9e67358b31f463dd9007a90f998e05db66ab3e70d3

SHA512
dee254f044f1b9236fcc80cce43dc938808292347a0fa165e011586c6b25fe8ae9ed480a2d98b2d24b074a0bf00d25e9f2d4ddaf49a63f2f169bd9ee4b7ca82e

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
45KB

MD5
ce37588f3124a480e9b06d53e85657d6

SHA1
cf0243540c32026624bf0a1dcb86cc0b84445a67

SHA256
27abb5c481c3d1c06dddc49f9d5ad7c0995673c3fd1dadf2bff15c8aab4bcec4

SHA512
80d0f73cb267d09519c16029fa2e1ed270a8419aa9222ccaa4fe1ca439c9fc6f41c6ee312424f8b9324a38c3c176cb4b2a69166c537bf225902699a0228f00d9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
45KB

MD5
150f4bc9873146c8e6b92fabc1282891

SHA1
47d5250f0b16ba9ca578f52d4ee885f38dfc31d9

SHA256
f13c747c8cc810886c6836677666b6da6daf78b32f993f791a80d2f6da9d0346

SHA512
79977592ca5c5ba0f8528f1c73aa37fe80c0f0f043dbb02fc3f432efeee6e1f841c0383bc7a8d8ce40ba01cdc4858fa9c0d1ae40cba35d87e748d8545fa55316

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
45KB

MD5
b34d87f2780135a0c4ccef60d039452c

SHA1
ed976d9ae663ec3c88bd69b8ffc1a2178c4c2b47

SHA256
0d59954e25ccf7ad525b959236749c5d3d63976aa9f6258730cc5fedb851b716

SHA512
ec6f669ab0fbb1e8a3bb9dd91f4a3957461dfaf2aebcea8001bb7721579d78b064ce35e7d21c98df67512b486125e1c15b16906cd7e3b40c653b9c358f4553aa

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
45KB

MD5
1dd7f350c378b26ccd8a4e9c46695576

SHA1
9a235dbbcb252ad62b764e84e980fea3bd73cd72

SHA256
76bb984d42c08cd0ab819cc246a28b911af273bbcd01c2df7501962038f46832

SHA512
a683fc23d53d581b0930c229ef4eef7b764a7b6dc9f945d59d3f6d369381d21d8391656c16487065b6c80ab0f7b38bb1312405f717d12b6b22c3ed81fc44a8fc

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
45KB

MD5
78c74d9ae073ef5cd7dad14df2d90de4

SHA1
73365f962f39aae5bec5d14dcec5ae6fac2c01ee

SHA256
f04a0461dc9761492edcc05cbaa359c2aa9bb79c7ebdf50564563358a4c4ae43

SHA512
397f3e5bc71e8546c98aad0d98636a6bb62cd99d9a1059a1e397f629c5b310088a3d5e4d5f38345c364897f7c50d0dcbdbe6f1b2e1489daabee93330f3332368

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
45KB

MD5
f2b4c6bce4747117934d8b01a9a58bbc

SHA1
a7e54a745a7e5e74adf91749996fbe7150e7a89d

SHA256
1529da73996cedc8f493f461bb83c001db8161f30df2e6f7dd044f7163b8ad92

SHA512
84e3dd61f9f6611e4e3f84caa8c44d588dfacbdb77f8039d0eb1d28fc5bf930e5063b8ec12efa3ded1792fcc260335292c26a08d8b56307dece87671e19c2606

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
45KB

MD5
f68e20898b4b0684bf2d9f3b6f38e65b

SHA1
497a085c97f2fb82f2f148e47e3dbe0360f5fc65

SHA256
255356a18f6dab1b006b406764343509cef8ef1bccde0936f4306e8b544a836c

SHA512
89716d3285c79ed4cc0451f5ca0f94538ea05217027fc6c3acf02c90a7fad2c8f69b12f28841ac2217ab52b1d67bf7dd2283e72f253311677de4ba577d604121

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
45KB

MD5
3c7c8e7f4ce097e7310e17554c2fb394

SHA1
1fd0d964a6706e2dff60ca30add88bf43d573341

SHA256
5fa958daa5f234e60628d1ce42a7c1487b133b12b7d8d5edc987376fb76373bd

SHA512
1ca34db3496948d4c63c3e842d388e6f39663c44721afcae4b0eb90c6461009d4d736ab2830ade6babe171015fa17c44139045ed88a15ef519700d70d572e032

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
45KB

MD5
3525b9cf7676e62c5e0f81141f262712

SHA1
f1359a768aa1f336d3d6ae4a9329f9c8d7c5f738

SHA256
e8a42e1a6960b4ad1eb5d4f8f44131f0a9a09e485359671f34f3737cb02d6830

SHA512
82e8a94a12255344f85ad1d7099f5306ef9695b9cbfbe033486a89cc9d957b1f1cfe27200405e6cdd020baf73142492db340897f00eff7d81e04958a2d44aa0b

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
45KB

MD5
5a349660a65d835fb30fb23ae5ec7ced

SHA1
dfb5e350e8cf7c7e811ab0e323aef14129c9c5ad

SHA256
262221ab2e2e2acd9909515b5ec7c13edceef6d3abd4da2e056af36552f88de2

SHA512
df3d8ec7e6e1c9354532e0beb9e9266ee84676d35e9c19d3954eb596eeacf375484f69e5cf3ac67192178ec8a4bcffe767b089dc27dc98a895958530126550e2

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
45KB

MD5
386a6b20ff5315b1bc4ced5aafa5c8a8

SHA1
aa54d79eb6711672236b461ff291c03e140c5308

SHA256
4c895f53e78546a1775d3e74df5572fdcd975ce60a361814f9f68c3b7f30e8c0

SHA512
7eda6e5bdb0761ea66e86bb07dc2f5cf57b2ba567afacb2bae59d5e4137e9d1be2b26d0de8db34c7bb3282346cc9997e2a2ce6b65e7f379f1b950e6f2120bef2

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
45KB

MD5
d86a35b37f1d4ed9d8624217056b8ad2

SHA1
6c7f7db00bae1d3b49fec830a2fe7b871e51e117

SHA256
eaca8cdd4ebf33a9776e02a43d8a462300092e1b1554541a9a8bf6840b0e2348

SHA512
135a8303b241f627014f95e49bf76f45a22bbe6852a3a018c15d40f045caba616ca8dbbf570526ff8a5934fc9731cdac090f0a7910fb177eff1570a3aecdcae1

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
45KB

MD5
4998fb8990e2410eaa2a21c1af1f972e

SHA1
463aa9f5c6de674ba0cbdec1b7be7c14e5b67d65

SHA256
c0121b3d7a5f8f9432df339ec2a3a8560ce6c7100333820c6639ec4a12629cdd

SHA512
17ed44a2dd4a327b14afac12d98ef1fb261a64d1b0ef9975bd9861faba48f7f2fde686d914a6aaf1e268e64c2ff1757cc8d99106181b55bdea59f1cbe35c523d

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
45KB

MD5
6ca89836a4ed5974f2f7af2a2dd8c732

SHA1
cb4dad3396828d42fd95adf78b1133de32d63760

SHA256
914de901147d23e6314f2bd16d70dc6f2a0f5b8c55bea024a0f93f4ca745d8a9

SHA512
0d6141ae314330fdf54cb4521aca1697b908866d425832dc34b6a2c6bd4d200d8c415fffd9c23e347e3da8c82d24c8a01bffb42dc3ec3bc622b5d90ee6483bd6

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
45KB

MD5
c7a8decdaa37c5227fc6ba80da26af72

SHA1
dcced1a9b2412a5d720f07d326b91ce9f271f09e

SHA256
909eb6a5f0bf7839ffac04be888474ed4d7f445cc394e4aff2dccd2964008f58

SHA512
c330c2fcca4713059a1f18f3856399d4fbcdbc5e7042e1cb633a5cc7a9d3dbd98367559f987adc2240f8998c783f11d67eef16a55247bc3e5d17600671166175

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
45KB

MD5
8a53f57d50e5a4f73a1300cc567289e8

SHA1
90f40bc17cec91754c1f0de0bbdf0a5a53a3dc41

SHA256
da02c9f1cecbd589cf81f22542d2d0fcdb61cc4288396c529d225039cfa4cdaf

SHA512
22dd16cf8bdaeec5d67997e5ce75a1b5aeab0c64082be6a81d9bd35f4576d56dfac830366ddb086deb4bed90915ea5a356acd8c5da2e5b9f736f2c71702b2bb1

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
45KB

MD5
76673406001ecb2240c74694574a07ea

SHA1
c21a3f3fa422883770a9f2dc64334b0587a260e6

SHA256
716bf8457612a9a9cf5b269327ad71fcc08d77cd162551b9bf919284dc54a7c6

SHA512
cc2215e3bc1aa35bc7d6ae6843c243f5e53f29616ff30ebecc14eaa60635b9220b2a781bc6f4556ae61ae834522210e35928fc8d60222361e76dd03025abb9fe

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
45KB

MD5
b41a37c1290caac6c298f1d425b23855

SHA1
b42d591b3a97a4093633c5234be0e092ce838538

SHA256
364804b33820edf16fb9f03c09d6636752a4aec4aa9a966afcd1847546b15e3d

SHA512
cee7080803035c7083d89a16d69cefca806abe92335923367c62e8418361f80af48097d30c6d22e2c25e4322c1527067fd581151bd735d7c49120cb86ed71c69

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
45KB

MD5
ccc117f025beaa782b8e684704ebba07

SHA1
fa744928a9788412097c9089d32e2f3d1429c4f7

SHA256
ccef8df3cc4ce836d84135f891efae64285b2fa691cb792414810444f11e4839

SHA512
2c12c0563fc22a03429f39dba064bc48292daae91ccf3a8cf2f5aead16677b52732691656f754fdf2be0c01a1ab145710916918a094c0f60351fea24717a80f4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
45KB

MD5
91021fd2a8c02510b4b74d590cd78ccd

SHA1
4738628b3d7610916a924a76f5999c847d453d81

SHA256
c61ab4da4c0210d2ca31bb55437e51b0ff3139b85155a30322732cfdd1ba1d15

SHA512
a63ff8167c6b203dae4cee43ae8a2a92d7baa5d4a48713f32c8a3bc4f4f8b48917bc7fd2a8b5131c5c0c1007124b5374f536ea24d66f329677a579614f276fbd

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
45KB

MD5
5bb128e219185bf6fd1b343361711843

SHA1
018f8be989a541cddff8bf56b388c77d5fc9b5d8

SHA256
4aca47833201181a92d6915bf9d7b8da4524bcfb6eda69067f32c094b9441579

SHA512
f0f291a6b92ca174948f1cf8d655b97e155a1815b3aed00d92a1aa989b11caba362d1cd97fd105099772fd09d6c0836d86d73bcd8f8d3e91ee9c507bf3bd3b7d

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
45KB

MD5
3f5988fc9e2d25a1766e6f82ce107203

SHA1
0d402fce17a8922dde405e1172f86dc7c07d2662

SHA256
dab2ef101ab7511fae672e0b5c5d0e94ea2446235d7c5fe9556009c2bf581cc8

SHA512
3c3c59ca4d16d9091f47f9888994df48a19d1593c98e8cf86c9e82312e4cdb59139736900d17fca8a88ec413864aba4c6e5a2ebfe9001c5271fab09ed5ff5bb5

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
45KB

MD5
67a26bed2a8578b917d2e4c31be4bd33

SHA1
546764064f1f13e166238a75cde067c5828e2723

SHA256
b2aacd8cbbd9dcec5930aad3a4fd3b10dc9febdcbf1f215d829d3388bcf6c8e1

SHA512
ae1e60dc4717e95aee7d4cd5daeafed18a4c2f9138309c93500de659612cf6aeb6dde9936f7aed62a9bf2b1a90b6d4becd60c110f84a27bd32ce2cf2b9d349be

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
45KB

MD5
19f06e8764744af4b20dd784468dd021

SHA1
6ad4bf1347eb3240db19509442889f7c1e38b4b2

SHA256
43d70dfd531184f68de3af0a5308450324e397092f72ff1f2e2b621f176363ff

SHA512
57cd8ec00c166d2c4cd3fabd7f3fb79424ce8c5365a94201c724a0c706af9ec1cff70f91c94319b5232aca75990f251194586c305c9ca03fbc834623ebca637f

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
45KB

MD5
93e64a83e9e1be3cd7ed2d4c43db19cc

SHA1
68f718768cf75a7e1af5e495617cf92ac367213a

SHA256
dba86eaf6a831b874760e08d50b7be65b8cb1a5962048909e6adffb0d53c15b7

SHA512
87f926eab4e78729971b05bc71bc86cc8f19f7609dd655707d0451bacd8db4786724f4fee43a50b6dcb7f5b500295f8f60f6f38cb7b38edb6ebb4a3c782d14cd

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
45KB

MD5
d16bcf4a941484f7b708423d5b9a855b

SHA1
3b0724716a3b5a2ef9270e3dd1a06e3e97bb34e9

SHA256
debef60f1fa3cfecb8f4e2547c92bfa35baf7be2e9babe627120c0b294b8b699

SHA512
e0c1dea344cd43f069e2347e15bb6fe704b69bc77e8a5fbfe8c82620be1a5b54a4298007eb44ce8b76e9c194a2afe652eebf1f29947034785587c59bad229bff

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
45KB

MD5
9f2b493b36878d82eb5106fbff4621dc

SHA1
c31c2761ca555e782548992c427681cb9ef5fa20

SHA256
c1447640abc800de3d8b898c6a195cca21c83b7b4b6e5a8180e690f26bc4f012

SHA512
8a630f89ec476c4c2c7bc7513bb80a0a07997edc6e50b1dd75cd38e8bc0b94fc72e071986cd1a80b650dfb31a9bb457d3ee35324a48debcd5f6d1bcb7c4e554e

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
45KB

MD5
770a22b800840f788218c4c724c34418

SHA1
12600126b3aa13b093afa69a151407480f1f6cf5

SHA256
5441c61e6e28f70461420213dede00e525b708d00cfd0e1b59de5c582a5c6665

SHA512
0eab07e48c24798eac38f9a46313c5af0352dc752feadc2a689039e5041a07d6efcc46c32913901c0633afbe93a19972d75851813ce810aa78c635c0afa6f328

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
45KB

MD5
f53631d6557f04f0db95884c033ba9fa

SHA1
6e6f20d224ef3a04ab152889138aa216317f11f5

SHA256
91e73e3b0d314328a0ad75578118675e3850ca22072fcf600f42e57f90ef2f51

SHA512
5644e5f8789c036bcfebba84f170041845d92c94c46a26972279fe9e3d1e2f8b2ece42390fb400d3c50b4649d7ffe9762be14d047591670018b089029d17d92c

Download Submit
memory/116-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-764-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-751-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-685-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5140-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads