4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe
Size

93KB
MD5

c5a88758df9bd2be99ddda17ea2c9f07
SHA1

e7aee451c5363a75e999828762a9c09e3e767a3c
SHA256

4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12
SHA512

b183e060f59736a529318aa3599c51ba0c9787bd652a26656380bb983982ff6766e423adbf79fde01e6dcc29b0a3ee9e9a93bb333f840222a0aac6164aedb850
SSDEEP

1536:/vDItxja7pC8nz9gsNapa/qBSBf698SuNxKBT8Ojiwg58:DIt1a15nRgsNjCBSBE2zKBfY58

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paomog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akgjnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagajlal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eblgon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oahgnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmnfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phmnfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjcdih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agcdnjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bglgdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbbdip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohobebig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omjnhiiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odhppclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qajlje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbpolb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckfofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijppjfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opfnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aamipe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhgjcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dagajlal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Naqqmieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblgon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhppclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qajlje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ancjef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmmkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhgjcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbkbbkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omjnhiiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpfbahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckcbaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opfnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naqqmieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okiefn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpkppbho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhddgofo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anffje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adpogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkdlkope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dijppjfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjcdih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhlgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkdlkope.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppdjpcng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnbapjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdgehobe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkefphem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dicbfhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oggllnkl.exe

Executes dropped EXE 64 IoCs

pid	Process
5004	Nkdlkope.exe
2952	Npadcfnl.exe
3904	Nhhldc32.exe
2452	Naqqmieo.exe
1320	Ohkijc32.exe
4448	Okiefn32.exe
1924	Opfnne32.exe
3740	Ohmepbki.exe
4380	Omjnhiiq.exe
4416	Ohobebig.exe
4864	Oiqomj32.exe
2868	Oahgnh32.exe
1868	Okpkgm32.exe
868	Odhppclh.exe
2556	Oggllnkl.exe
3320	Onqdhh32.exe
3916	Phfhfa32.exe
972	Pjgemi32.exe
3632	Paomog32.exe
5008	Pkgaglpp.exe
4404	Ppdjpcng.exe
3436	Pjlnhi32.exe
4308	Phmnfp32.exe
1020	Pklkbl32.exe
1380	Phpklp32.exe
408	Pjahchpb.exe
2268	Qpkppbho.exe
1484	Qjcdih32.exe
1980	Qajlje32.exe
1620	Qhddgofo.exe
3680	Qjeaog32.exe
2004	Aamipe32.exe
2568	Agiahlkf.exe
2200	Ancjef32.exe
712	Adnbapjp.exe
1172	Akgjnj32.exe
1212	Anffje32.exe
3364	Adpogp32.exe
1204	Agnkck32.exe
5096	Ajmgof32.exe
1352	Aqfolqna.exe
3024	Ahngmnnd.exe
2608	Ajodef32.exe
1904	Aqilaplo.exe
2296	Agcdnjcl.exe
4236	Anmmkd32.exe
1864	Bdgehobe.exe
2376	Bjcmpepm.exe
3776	Bbkeacqo.exe
380	Bjfjee32.exe
1956	Bbmbgb32.exe
3716	Bhgjcmfi.exe
4016	Bkefphem.exe
1544	Bbpolb32.exe
2372	Bglgdi32.exe
1600	Bbbkbbkg.exe
3856	Bqdlmo32.exe
2716	Bkjpkg32.exe
828	Cnhlgc32.exe
2516	Ckmmpg32.exe
944	Cgcmeh32.exe
2392	Calbnnkj.exe
2800	Cjdfgc32.exe
3196	Ciefek32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qhddgofo.exe	Qajlje32.exe
File created	C:\Windows\SysWOW64\Lhgkmjog.dll	Ahngmnnd.exe
File opened for modification	C:\Windows\SysWOW64\Agcdnjcl.exe	Aqilaplo.exe
File opened for modification	C:\Windows\SysWOW64\Dbgndoho.exe	Djpfbahm.exe
File opened for modification	C:\Windows\SysWOW64\Pjahchpb.exe	Phpklp32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgehobe.exe	Anmmkd32.exe
File created	C:\Windows\SysWOW64\Phmnfp32.exe	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Hjeodp32.dll	Qhddgofo.exe
File opened for modification	C:\Windows\SysWOW64\Bbpolb32.exe	Bkefphem.exe
File created	C:\Windows\SysWOW64\Cgcmeh32.exe	Ckmmpg32.exe
File created	C:\Windows\SysWOW64\Bdhiofpj.dll	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Djpfbahm.exe	Dagajlal.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Eblgon32.exe
File created	C:\Windows\SysWOW64\Affgmbdd.dll	Phfhfa32.exe
File created	C:\Windows\SysWOW64\Pjlnhi32.exe	Ppdjpcng.exe
File created	C:\Windows\SysWOW64\Cjbnqa32.dll	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Apleaenp.dll	Eblgon32.exe
File opened for modification	C:\Windows\SysWOW64\Ohkijc32.exe	Naqqmieo.exe
File opened for modification	C:\Windows\SysWOW64\Paomog32.exe	Pjgemi32.exe
File created	C:\Windows\SysWOW64\Jkobdqqa.dll	Djmima32.exe
File opened for modification	C:\Windows\SysWOW64\Ohobebig.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Ehlolk32.dll	Cnhlgc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfgc32.exe	Calbnnkj.exe
File created	C:\Windows\SysWOW64\Ljiochji.dll	Ckcbaf32.exe
File created	C:\Windows\SysWOW64\Alnifp32.dll	Qjcdih32.exe
File created	C:\Windows\SysWOW64\Phbcfe32.dll	Calbnnkj.exe
File opened for modification	C:\Windows\SysWOW64\Bkefphem.exe	Bhgjcmfi.exe
File created	C:\Windows\SysWOW64\Jhhgefed.dll	Dicbfhni.exe
File created	C:\Windows\SysWOW64\Dfjood32.dll	Naqqmieo.exe
File created	C:\Windows\SysWOW64\Qajlje32.exe	Qjcdih32.exe
File opened for modification	C:\Windows\SysWOW64\Phmnfp32.exe	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Oejhoq32.dll	Odhppclh.exe
File opened for modification	C:\Windows\SysWOW64\Ajodef32.exe	Ahngmnnd.exe
File created	C:\Windows\SysWOW64\Eldlhckj.exe	Eblgon32.exe
File created	C:\Windows\SysWOW64\Ohobebig.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Egheil32.dll	Bdgehobe.exe
File created	C:\Windows\SysWOW64\Eblgon32.exe	Elaobdmm.exe
File created	C:\Windows\SysWOW64\Lkkgqn32.dll	Ohobebig.exe
File created	C:\Windows\SysWOW64\Oigdefgf.dll	Qajlje32.exe
File created	C:\Windows\SysWOW64\Bbkeacqo.exe	Bjcmpepm.exe
File created	C:\Windows\SysWOW64\Bjfjee32.exe	Bbkeacqo.exe
File created	C:\Windows\SysWOW64\Fdqekdcj.dll	Ckmmpg32.exe
File created	C:\Windows\SysWOW64\Ohmepbki.exe	Opfnne32.exe
File opened for modification	C:\Windows\SysWOW64\Elaobdmm.exe	Dicbfhni.exe
File created	C:\Windows\SysWOW64\Anmmkd32.exe	Agcdnjcl.exe
File created	C:\Windows\SysWOW64\Phpklp32.exe	Pklkbl32.exe
File created	C:\Windows\SysWOW64\Phfhfa32.exe	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Bbbkbbkg.exe	Bglgdi32.exe
File created	C:\Windows\SysWOW64\Kblfejda.dll	Okpkgm32.exe
File created	C:\Windows\SysWOW64\Bopfdc32.dll	Pklkbl32.exe
File created	C:\Windows\SysWOW64\Plhllf32.dll	Phpklp32.exe
File created	C:\Windows\SysWOW64\Gafnik32.dll	Ancjef32.exe
File created	C:\Windows\SysWOW64\Jabajbcd.dll	Anmmkd32.exe
File created	C:\Windows\SysWOW64\Goahpc32.dll	Bbbkbbkg.exe
File opened for modification	C:\Windows\SysWOW64\Dbbdip32.exe	Dijppjfd.exe
File opened for modification	C:\Windows\SysWOW64\Dicbfhni.exe	Deejpjgc.exe
File created	C:\Windows\SysWOW64\Onbiicqa.dll	Oggllnkl.exe
File created	C:\Windows\SysWOW64\Adpogp32.exe	Anffje32.exe
File created	C:\Windows\SysWOW64\Qjcdih32.exe	Qpkppbho.exe
File created	C:\Windows\SysWOW64\Eifhac32.dll	Nhhldc32.exe
File created	C:\Windows\SysWOW64\Anffje32.exe	Akgjnj32.exe
File created	C:\Windows\SysWOW64\Aqfolqna.exe	Ajmgof32.exe
File created	C:\Windows\SysWOW64\Qcoaqo32.dll	Bglgdi32.exe
File created	C:\Windows\SysWOW64\Obbcmknk.dll	Bqdlmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5700	5576	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohobebig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfhfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phpklp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agcdnjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgehobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okiefn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elaobdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciefek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahngmnnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djpfbahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfolqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhppclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkgaglpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmmkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deejpjgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhldc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmbgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dicbfhni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjahchpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlnhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pklkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckcbaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdjpcng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oahgnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qajlje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ancjef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anffje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajodef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbpolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqdlmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiqomj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbgndoho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpkppbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhddgofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agiahlkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akgjnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bglgdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmnfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamipe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbbdip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpkgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpogp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjcdih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjcmpepm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmmpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calbnnkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkijc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omjnhiiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agnkck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbkeacqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagajlal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkdlkope.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgemi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjcdih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbbkbbkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqdlmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oigdefgf.dll"	Qajlje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqfnh32.dll"	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmmkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onqdhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affgmbdd.dll"	Phfhfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppdjpcng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjcdih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckfofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opfnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkgaglpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agnkck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agcdnjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjdfgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdbl32.dll"	Opfnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phfhfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okpkgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfihoghm.dll"	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkobdqqa.dll"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkdlkope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifhac32.dll"	Nhhldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll"	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll"	Qpkppbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aamipe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckfofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deejpjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll"	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll"	Pjgemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbkeacqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bglgdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akgjnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oahgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafnik32.dll"	Ancjef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbcmknk.dll"	Bqdlmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aagfblqi.dll"	Oahgnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npadcfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjofpjj.dll"	Okiefn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidimpef.dll"	Ajmgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmkad32.dll"	Omjnhiiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll"	Qhddgofo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elaobdmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oggllnkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oohcle32.dll"	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npnjcb32.dll"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pklkbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adpogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 5004	324	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe	93
PID 324 wrote to memory of 5004	324	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe	93
PID 324 wrote to memory of 5004	324	4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe	93
PID 5004 wrote to memory of 2952	5004	Nkdlkope.exe	94
PID 5004 wrote to memory of 2952	5004	Nkdlkope.exe	94
PID 5004 wrote to memory of 2952	5004	Nkdlkope.exe	94
PID 2952 wrote to memory of 3904	2952	Npadcfnl.exe	95
PID 2952 wrote to memory of 3904	2952	Npadcfnl.exe	95
PID 2952 wrote to memory of 3904	2952	Npadcfnl.exe	95
PID 3904 wrote to memory of 2452	3904	Nhhldc32.exe	96
PID 3904 wrote to memory of 2452	3904	Nhhldc32.exe	96
PID 3904 wrote to memory of 2452	3904	Nhhldc32.exe	96
PID 2452 wrote to memory of 1320	2452	Naqqmieo.exe	97
PID 2452 wrote to memory of 1320	2452	Naqqmieo.exe	97
PID 2452 wrote to memory of 1320	2452	Naqqmieo.exe	97
PID 1320 wrote to memory of 4448	1320	Ohkijc32.exe	98
PID 1320 wrote to memory of 4448	1320	Ohkijc32.exe	98
PID 1320 wrote to memory of 4448	1320	Ohkijc32.exe	98
PID 4448 wrote to memory of 1924	4448	Okiefn32.exe	99
PID 4448 wrote to memory of 1924	4448	Okiefn32.exe	99
PID 4448 wrote to memory of 1924	4448	Okiefn32.exe	99
PID 1924 wrote to memory of 3740	1924	Opfnne32.exe	100
PID 1924 wrote to memory of 3740	1924	Opfnne32.exe	100
PID 1924 wrote to memory of 3740	1924	Opfnne32.exe	100
PID 3740 wrote to memory of 4380	3740	Ohmepbki.exe	101
PID 3740 wrote to memory of 4380	3740	Ohmepbki.exe	101
PID 3740 wrote to memory of 4380	3740	Ohmepbki.exe	101
PID 4380 wrote to memory of 4416	4380	Omjnhiiq.exe	102
PID 4380 wrote to memory of 4416	4380	Omjnhiiq.exe	102
PID 4380 wrote to memory of 4416	4380	Omjnhiiq.exe	102
PID 4416 wrote to memory of 4864	4416	Ohobebig.exe	103
PID 4416 wrote to memory of 4864	4416	Ohobebig.exe	103
PID 4416 wrote to memory of 4864	4416	Ohobebig.exe	103
PID 4864 wrote to memory of 2868	4864	Oiqomj32.exe	105
PID 4864 wrote to memory of 2868	4864	Oiqomj32.exe	105
PID 4864 wrote to memory of 2868	4864	Oiqomj32.exe	105
PID 2868 wrote to memory of 1868	2868	Oahgnh32.exe	106
PID 2868 wrote to memory of 1868	2868	Oahgnh32.exe	106
PID 2868 wrote to memory of 1868	2868	Oahgnh32.exe	106
PID 1868 wrote to memory of 868	1868	Okpkgm32.exe	107
PID 1868 wrote to memory of 868	1868	Okpkgm32.exe	107
PID 1868 wrote to memory of 868	1868	Okpkgm32.exe	107
PID 868 wrote to memory of 2556	868	Odhppclh.exe	108
PID 868 wrote to memory of 2556	868	Odhppclh.exe	108
PID 868 wrote to memory of 2556	868	Odhppclh.exe	108
PID 2556 wrote to memory of 3320	2556	Oggllnkl.exe	109
PID 2556 wrote to memory of 3320	2556	Oggllnkl.exe	109
PID 2556 wrote to memory of 3320	2556	Oggllnkl.exe	109
PID 3320 wrote to memory of 3916	3320	Onqdhh32.exe	110
PID 3320 wrote to memory of 3916	3320	Onqdhh32.exe	110
PID 3320 wrote to memory of 3916	3320	Onqdhh32.exe	110
PID 3916 wrote to memory of 972	3916	Phfhfa32.exe	111
PID 3916 wrote to memory of 972	3916	Phfhfa32.exe	111
PID 3916 wrote to memory of 972	3916	Phfhfa32.exe	111
PID 972 wrote to memory of 3632	972	Pjgemi32.exe	112
PID 972 wrote to memory of 3632	972	Pjgemi32.exe	112
PID 972 wrote to memory of 3632	972	Pjgemi32.exe	112
PID 3632 wrote to memory of 5008	3632	Paomog32.exe	113
PID 3632 wrote to memory of 5008	3632	Paomog32.exe	113
PID 3632 wrote to memory of 5008	3632	Paomog32.exe	113
PID 5008 wrote to memory of 4404	5008	Pkgaglpp.exe	114
PID 5008 wrote to memory of 4404	5008	Pkgaglpp.exe	114
PID 5008 wrote to memory of 4404	5008	Pkgaglpp.exe	114
PID 4404 wrote to memory of 3436	4404	Ppdjpcng.exe	115

C:\Users\Admin\AppData\Local\Temp\4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe
"C:\Users\Admin\AppData\Local\Temp\4a31c7963e1298816cf2885f3cdbbc9975f802f61633a880c0ca1c30defa1d12.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\Nkdlkope.exe
  C:\Windows\system32\Nkdlkope.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\Npadcfnl.exe
    C:\Windows\system32\Npadcfnl.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Nhhldc32.exe
      C:\Windows\system32\Nhhldc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ohmepbki.exe
        
        C:\Windows\system32\Ohmepbki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Oggllnkl.exe
        
        C:\Windows\system32\Oggllnkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Phfhfa32.exe
        
        C:\Windows\system32\Phfhfa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Pkgaglpp.exe
        
        C:\Windows\system32\Pkgaglpp.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Phmnfp32.exe
        
        C:\Windows\system32\Phmnfp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Pjahchpb.exe
        
        C:\Windows\system32\Pjahchpb.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Qjcdih32.exe
        
        C:\Windows\system32\Qjcdih32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Qajlje32.exe
        
        C:\Windows\system32\Qajlje32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Qhddgofo.exe
        
        C:\Windows\system32\Qhddgofo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ancjef32.exe
        
        C:\Windows\system32\Ancjef32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Akgjnj32.exe
        
        C:\Windows\system32\Akgjnj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Anffje32.exe
        
        C:\Windows\system32\Anffje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Adpogp32.exe
        
        C:\Windows\system32\Adpogp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Ahngmnnd.exe
        
        C:\Windows\system32\Ahngmnnd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ajodef32.exe
        
        C:\Windows\system32\Ajodef32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Bbkeacqo.exe
        
        C:\Windows\system32\Bbkeacqo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Bjfjee32.exe
        
        C:\Windows\system32\Bjfjee32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Bhgjcmfi.exe
        
        C:\Windows\system32\Bhgjcmfi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Bkefphem.exe
        
        C:\Windows\system32\Bkefphem.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Bglgdi32.exe
        
        C:\Windows\system32\Bglgdi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Ckmmpg32.exe
        
        C:\Windows\system32\Ckmmpg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 412
        80⤵
        Program crash
        
        PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5576 -ip 5576
1⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamipe32.exe

Filesize
93KB

MD5
0b279bfce212af0ef57a5a0086203f79

SHA1
ab1e279e387487a8ea7df5b89f37a73a50181e4d

SHA256
98f67a93c4825fb40624ea9b056f11f602d58fa6ba0a81f0a1391f3ab825a72f

SHA512
4288667113a40ccd8e651c155b747ef8d450a0e075a352189130636d145c94567cd2a2b7d4c9265067d90edc5594ce8f37f902ac95589cb29b2947d462c39816

Download Submit
C:\Windows\SysWOW64\Bjfjee32.exe

Filesize
93KB

MD5
6a86f078a38d853a21532d2fa9f803d7

SHA1
e28a3e800a40b84c4b632437dea7be885e9ba998

SHA256
8c48ea338a35d50d30699e5bfede10f092b8658f9e08ea2468c77a6418ceb371

SHA512
4da98d58be71ae81ae938a13cac1ed422aec2e23af548c42360cd0e7b1058b05970964f3a16b87b994894aea2e6e5c255c9fbfdef18e71106fb1fd95141422f1

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
93KB

MD5
e49f4e8a1029e486b61476e8ac49fae3

SHA1
47c6b1fda33dcef6e7ee230c9dbef48d04cf95db

SHA256
61b9c52f12d8bb755f059c2c2b396e3e7339961c7c5ee6063ad4535a29fadbfc

SHA512
f79ae790492e6938166700452508041bf64fc435e8d7c5e2d98910953d0626a435f9dfed3a40d951d7dc882cc687d72bbe8d3de687d7ce88b58ed6268159d7b2

Download Submit
C:\Windows\SysWOW64\Ckmmpg32.exe

Filesize
93KB

MD5
aadc31c525a63b582b0fa8b9028d6ac0

SHA1
56fc6fe78f928b0a95479b6989eadd8124396b80

SHA256
9950f0e5cf06bcb501f39b290e17ca2ff5da5e97922903a86a968073ef11cc00

SHA512
39f85a50e203c52a7d21b06b3bbe2496ce7adbf8fd4df5037779849ca9973bb3cc59bb22fd040e889622a2eb026b99d8a378c8db18b643307559ad3670f22168

Download Submit
C:\Windows\SysWOW64\Dbbdip32.exe

Filesize
64KB

MD5
1537856264a846b91f6b329109387edb

SHA1
854516afb2c7981e4f875a0105b5d1582e5bfa0c

SHA256
cfcec56951c74a745afbc9f7ad922d762ea0ba5c90d192fc1f9fa0c1b9c61929

SHA512
314ccbd15d8f899cdada54f9d0fef79bb9d6ee7bebea1d2ae98d424cdbe8731b38b1e5ff182ddae1e97c37ee3e1258b4e7dd7b443890bd98a6690cd4441c713e

Download Submit
C:\Windows\SysWOW64\Dfjood32.dll

Filesize
7KB

MD5
8b5ca24c5e6b319ad230ad7fcd450323

SHA1
8574e33a527ace545a004a08f065775213fd2f6a

SHA256
7908c6f70cc847a47b151ee63b181ef810579d7126d0f5135f2eeeba74e12e73

SHA512
71344c1c548a8476e0ebfdf7b6cb9ecf98547eee737fec046304a1cfc997c185f212d71227930cc2ba7913cbb726983aadcd2f19a237586f14e6ae3b300eca4e

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
93KB

MD5
fc58d77ec0ef2664e7d00681e4eacd1e

SHA1
96205e9fd460ac6534b9bff76ff9da345450c955

SHA256
def62af3c1854f598a4626f457c6351a69f3e1730842d9d67780c5e86776e4be

SHA512
ae74b51202b3170b187ffedf3e6e4f2c9710a07808a12ab3db1c71421f9b148fa00fcd637c8deec17f1b240c4389826e05df871123b0e19c5dd642057f6116bc

Download Submit
C:\Windows\SysWOW64\Nhhldc32.exe

Filesize
93KB

MD5
1ac7d80cd01100934317e9746641f182

SHA1
9775e119ebf42eda27a0c23d530f12562c6bfaf5

SHA256
c2c7335c396935ce50cf44b502a4e6b73dea1a51466933a57965e7faa9524a55

SHA512
768ab64a604401a84138d95bfd22d74469550f88b622d881abe3bd43efdcabb6b3d26929980a0adf3a73e142be31ad23a2a1817764582df6a15c574fef237014

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
93KB

MD5
7946ef93d2f1500a7212e34050ecdca3

SHA1
8ee8cbcc52f1e8e7246181fa74c27fb0bd11ead6

SHA256
76ac3d9acaf24ee03699bacfb2d03f2c2f4f80ddc7d55a0914245a8412733c1c

SHA512
26b399840acc776be11aa0c576480e48beb19054f7999e69fd76999bfc9de275223b09391f8ad280415473bdc09c44fc85b39bc89b1df514cde9fad358f015a0

Download Submit
C:\Windows\SysWOW64\Npadcfnl.exe

Filesize
93KB

MD5
d637e4a2d5b42139b724d5d568fb6e13

SHA1
97e90ccc1328d1fe86d6c3d82d041372b1e5a12f

SHA256
96433bd20f573428d86bb3e345aa1b8412b422c25c713d23967c6cd97709284a

SHA512
5d04015a93f870748bc7eb7a5d2804553dd94db2a9ce092fc1298645642c4255f1baef5beff915e46035108450925dffd3f725a0df85cd0bd4c8b9b75c395f1c

Download Submit
C:\Windows\SysWOW64\Oahgnh32.exe

Filesize
93KB

MD5
340b011ccafb415cdabd9feaaa156bdc

SHA1
e4c8c6c5a4d60d5b2527ba741c3f34cd742da815

SHA256
83cd9e668a2f36dd1e2dc9368b77c8a5b6b35b989c0054364e6e02899dea6dab

SHA512
4b25618359a4c83b6e2a928a177ec7608470af88f67c4f606693af01eb529e010f44cfe88ab575bafdfef1954dd41bbcbb35ae2e7224bb203cb994a392005d41

Download Submit
C:\Windows\SysWOW64\Odhppclh.exe

Filesize
93KB

MD5
2f882e0e6e28313359735b50cac9aaea

SHA1
e197a6e4cd092d816d772ad7689c549111d353c8

SHA256
7099b5ac6373ac9fe394b74aa9257fd70a11d6e4c110ca3583cbb7c842867995

SHA512
8050aeb5444968218c72221df5289b7b04d191be1cb8e9e2610a966e9f62f5c1df93c67a63f6767ec1a0a1728b8b094911787906cc7e7a210fdbd2862ad9f192

Download Submit
C:\Windows\SysWOW64\Oggllnkl.exe

Filesize
93KB

MD5
5f04c8bfb54ae9ebfb1e9789b6adba94

SHA1
0fb98af8982c1a3563ba4d80b4567d3d4e4385de

SHA256
3c4173cc0646e9ee80d408921488035af1e8a9694a8448c4904587cea294ee79

SHA512
ca5ab61146ea800371478cf56fe6f22ab526dde60bcbffcd7eda429e0d4c6e6822c7519ff14246b9860a2bed89f6bd5d75d66ccfcec361d97bfb2c2239d39b80

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
93KB

MD5
f05b1bfd0136e07eda4fb562d4c45fb4

SHA1
08d9674ae9182e9af31a2f335decb16a6f2725a6

SHA256
f86813c7aff19b619218810339129ba2f7b1e0e72a06dd54a772d8b3e323c922

SHA512
dafc9191b54ea8d6d862d985a0352a3f2d3608e899ee2db1743c1b56a0b8867930008dbc97ccff70c6afdd618d0c3139c579831860b86d1cbd16828c1024b19d

Download Submit
C:\Windows\SysWOW64\Ohmepbki.exe

Filesize
93KB

MD5
25637468b64b93b490d9b427411d2b63

SHA1
2bf4376117135ada6c8d473350ed247b34795b3a

SHA256
48d99b735a96b133d7f6d9d7108663647a8ab9b85d3dec1b3c8b70b3a3c9d136

SHA512
e3730bf3031169cedb078073581dc72fa9c9e81923516a371e373b02d6a422cb7493d1cd973e0e70f7e5f24c439d9a59a1648caea91a75e7ba989e8aef0bdda7

Download Submit
C:\Windows\SysWOW64\Ohobebig.exe

Filesize
93KB

MD5
a0ecca3684181f5b97e72395f69786e1

SHA1
d1ce55b3dacee0ea24d98eeb836610061230fa95

SHA256
8faa57a3daf773873f13db362c9a1e1a09e891d15d4eb05a0b23bd26c335b4c5

SHA512
4e753f6b252be3d1de4dc554ec33f91f34bf3ee95c16defbf35146720461ff77537f282e266533ea4aa9a61a1552ef65a43f0e22b8b016d3b153f67c8d77d718

Download Submit
C:\Windows\SysWOW64\Oiqomj32.exe

Filesize
93KB

MD5
7e4dd09897f1bd261e9c5c8460708215

SHA1
2cf2ac351b16acfa980b842b8c1ded42051b3741

SHA256
33e60d070962b191b86bdfa7188ed9dc38ed4fc890d49bd1b6806fb7edd0af4d

SHA512
1d6f5aa6a97d3e4ef3e713822015ff5cf929bcdf5b81fd13838f309c053c8ebb2fab27403dd67f8c7869ab9558308b8b955c8c0eeb11d7ef8ff30b811f02ad74

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
93KB

MD5
0026f7f9abe6e397fef96e418814edba

SHA1
65320fb68457c0798c560473fa6d2d9363cca878

SHA256
a2909a8e1268c105768b65c3bd2a370a801293b7c47187ac99c39e1580aa8295

SHA512
4d8aee64b32d894625e6bdf7b7a139fc7aa3fdbcaf4742a3518842087dcb099405d96a50bbe81289375303bde9ef26aa28dd7534d95826ad8b3569f909e40673

Download Submit
C:\Windows\SysWOW64\Okpkgm32.exe

Filesize
93KB

MD5
c6148f49b6db90af80d9fd49e604b17c

SHA1
144a85f7933f551e096707f84303ce3425811074

SHA256
913b306bf9143bef32509fbbcd9512d9c823e8d798bebc0f7b6f5171657e7cb8

SHA512
4a7aee01c2e95b3bf777f4f19e0f568487a7127dc7e00ad30ebc8aeb34809afaaa29ee680c783fa923ef27e49b16c1f4f871d5321479e92e77a59acb7501ff83

Download Submit
C:\Windows\SysWOW64\Omjnhiiq.exe

Filesize
93KB

MD5
ff9f847731cc6d1b34767c68dd742b19

SHA1
d40199dfe2a04443123fa8c6d703f430226ffd5f

SHA256
ec1bd3b6f2d4ec6a938b5d0528feae0131a0e7a228d4c00705f8ff2c0a4a1863

SHA512
4855cb6f99e973370344412a8cba58da381c1a145dc311f9e088ace23a4687e529df21202af18fb7440b6e1bc4c33fcea74301194f9199f38a9e856a41693b9e

Download Submit
C:\Windows\SysWOW64\Onqdhh32.exe

Filesize
93KB

MD5
69a15a84e1290e04e0574774742ea8ce

SHA1
d1e83875d8b950d82d20d76dc85e42d7abf3cf29

SHA256
3175368e3495b0a3c40c6f0bbdf8fc47f9a43618f8b40a9f51834a96f006068d

SHA512
5e16cfe4084a354a66933f90dac1ae92687c8b2f565cac55ccc24c17f32d4dcda776564e197186dd11d82b4c8d5f84cb053eaf7a05d7b720e72dfd9b90423151

Download Submit
C:\Windows\SysWOW64\Opfnne32.exe

Filesize
93KB

MD5
a648ce942d4e27f5244b1f22de9288f9

SHA1
f3f7cb5a975bc77a7deacb7133f743e9780dbcf2

SHA256
4081156f5520a572e2d7d7c793b3f020f1404a170409b612de8b52cc31ce22bd

SHA512
be86818b4b8a5e11ceec6598aad9fe3b14ee11901720b30960bd2c44007ea2cf78295f5520efdc75b48caa5efa2791cc09d21825a8ea525846f3265352d1ac59

Download Submit
C:\Windows\SysWOW64\Paomog32.exe

Filesize
93KB

MD5
dfd3e80ae9e52293dc2b677eff4cf666

SHA1
5e8916729cc98a08e48d544d03437a6a284b3172

SHA256
ac0cf46e14f74b8dcf8ca30cf97238cbe79f2e91badcade9efb53eb3c62d8330

SHA512
29c5d37d9f47047962911933ea6bccf5ee51385551338310460b212266ca6b751ca6dae22a7390dc2a57997640a0549ddc2391298b50d6040a260b26ba31b6be

Download Submit
C:\Windows\SysWOW64\Phfhfa32.exe

Filesize
93KB

MD5
0f3a380149d5f56f58ad9b82c9865c6a

SHA1
9b7247b8d517248f37bd4b6ec19f7b48df89a2b0

SHA256
6ec420e183e126572d9f3297277acd18214d4be4966ee204744d6e8338e8f74f

SHA512
e379e3c6bad9e7f80e76d9ab9f997ada497929c60e42a8ec57b378b7d87d37b498ac51991811e6f58addb02152d51b1401f7e65996bb5d6b8a7c883af7c64c0d

Download Submit
C:\Windows\SysWOW64\Phmnfp32.exe

Filesize
93KB

MD5
221996089285e74fd42f0cbea2c74033

SHA1
fd8678642429ff05b15b0eed77d1ab0e6c2aa133

SHA256
e5c368a4aa07c19d27e55f9ac77bc47199a3ee3cb7c67de9e15ff5e132cb40f3

SHA512
03cae83eb86287823584db9a7e5be42f62934136fe0749f0f2a670cbe6406623e61af48a486a16ba153402337ebcbafb0293c88d82ac86bab1300cd985945fca

Download Submit
C:\Windows\SysWOW64\Phpklp32.exe

Filesize
93KB

MD5
ddca93aa16a49f70d0905d57eadc0d25

SHA1
7acff91b7cec1c832ebc9388d0b7e468ffabb702

SHA256
190feeea02e516726ccb343db2b11462694a25b172c29b02f2c7e90ecf85b7ea

SHA512
c86a15019009e5e0cad92cdd51eddf7336772ba5d2afae550d6450046d07bc1f6b70c09b6bb79cf563013b410ff5faeccffb82f31e39bb34432cdfe6401f6361

Download Submit
C:\Windows\SysWOW64\Pjahchpb.exe

Filesize
93KB

MD5
e71ed93bd1ed6f480f958ecf76738325

SHA1
1ac4e713243a945a95824414a8c1f6f7da75cbd5

SHA256
84310da5a4faa69581c20b6e805ac746c8c25ada6445c45664e2e16f0c1afea7

SHA512
a90980366cad374576bc33376b866737d764eb16cdce71e3ed22538b866a35fe232a79510a84f3466a3e873acf2e26a6e4e673350302aba70e7e7624c2f94348

Download Submit
C:\Windows\SysWOW64\Pjgemi32.exe

Filesize
93KB

MD5
4e33f65a179191ea3157164dcc14de9b

SHA1
ee06b1889724cab52afba0c8775ea7a6c1f33db9

SHA256
f173e9d853d8bbf72b5dfb303a322b541a1d2876fb5faac22ea6064b3c025f99

SHA512
d53f26fbaa3612e41d12c5099044672923cb3839d923cb5dfa8a11a9a1e5ec92b36a5499297c8776e2dc577985250fc6d9e92b17a7af06448a5c0efe7750fc25

Download Submit
C:\Windows\SysWOW64\Pjlnhi32.exe

Filesize
93KB

MD5
adecd8b90823b63817ae5db1250048e8

SHA1
5c149b3e35c2e6085a6fed64753a157e5231f301

SHA256
3bb226b145d2c23a57085dfdfd03598916956d89f10827b2fe0198e6c2b9e029

SHA512
ee19f7719fd9001f216d213853af81fc44f8358000e25eb64d595b11ec14e6fe780c77e28f6332c5472dae9aade917a1a9469a872a1b4c9b5a267c5373cf44b0

Download Submit
C:\Windows\SysWOW64\Pkgaglpp.exe

Filesize
93KB

MD5
01e54d3517c12a7e32e737b2057c99b8

SHA1
c3ee0507330e664dcdd2b434ced6d2508d16860f

SHA256
0da76499f12ffd48765ffb39c7b111de84df8c78f809a33f256e985869e5ced0

SHA512
7b736986a3e5b209a0c25566affe8255608f690c2a1f868615cfcfa2e93d76636571abc1e0fc507b16baf0af249dda4b3763e23fe2b31dff9b0879b89d04aff2

Download Submit
C:\Windows\SysWOW64\Pklkbl32.exe

Filesize
93KB

MD5
79502f85b3d28239aeb671fc2022cfa9

SHA1
38d46bea9137bf98c8d7ae6bca70b56e9c6b480d

SHA256
4aeb5bd98486bf7e51dbd313e7c639a27adda0dac456a4ed0ff60feb0cbec1ee

SHA512
27999812916e6d6fe37d496b6c8d39f0e254ba65cac5a380252b5c72ee8847c0d99f1cc0e91750c6bbed058e42d821a4223cd60350913c81ec5c237c55719a5e

Download Submit
C:\Windows\SysWOW64\Ppdjpcng.exe

Filesize
93KB

MD5
d7eed98973a63b95a29ba37a1d3807bf

SHA1
eedd1442705d2694ca676888cfe5ebac3cbfa16c

SHA256
17d7f02845f14936c4d4115e49c0ecb858594bfb03cb1b9c43863799d6398811

SHA512
b2430adab6cceb1b90dac4ed51ee2d493a731a3315c87dc68a94ada07480959ceeefd97981ab67984492f907cd162389382ce8a54200ccc8818e60aaaad2c065

Download Submit
C:\Windows\SysWOW64\Qajlje32.exe

Filesize
93KB

MD5
163cb5a5a83cec069e869c948bd38f1c

SHA1
d32aac7b801bfff51dbf334675820618f5881907

SHA256
1c49e16c117186ad05a701ebf7dccf2c8b777bef144b47150d582579b732a070

SHA512
cfd8ac2df63a900547c84acc65ce117bb48acdfebcc0ea1b1b5425a33d959bdc0c0fcf87937b251b70ae1bd960f766a7ad7a6877f4d44a76cf4b9d482912fffc

Download Submit
C:\Windows\SysWOW64\Qhddgofo.exe

Filesize
93KB

MD5
3abe6fb2bceb39bd63498204ee1cf3c0

SHA1
ba49f96d8ece02f702a0d9364bff3f95840e929f

SHA256
0ccd990d727fadddc45cd99584e0a91285f735513e66da3500ae22f73316cbad

SHA512
2e874715975d0ef24dd3ad3fd42f07f33128cc552bdef0bb36608087aff7362924cc5fa32151492be2f78080a6d8fb1a6fbe70efcb303c5af864c8787067d1d6

Download Submit
C:\Windows\SysWOW64\Qjcdih32.exe

Filesize
93KB

MD5
0cc0669496c346d55b8f1aa4c4e4e907

SHA1
1782f9edba9ee2707c7b1283aaf333078e125060

SHA256
da094b70ea5a42ede488f43dab7eb3669e6d7b3464346c3225695165d166d1b2

SHA512
3ae223de5cb73f4ac0a6671679238efee70f77514d77a79afc208384db2efb9ccefa0e68fdf2e59e022a6453a204f48cb8910b3dabc4849850d61d03e471099d

Download Submit
C:\Windows\SysWOW64\Qjeaog32.exe

Filesize
93KB

MD5
6d350df00db6e8cf217f00e2af6041f8

SHA1
3455b4a3f78ab75d0997242a852daadbd999ab85

SHA256
a8e2f63e0bfad0527d587b9e04078ec04435503be49cfca29e3c0194c4e46ed2

SHA512
aad5ddd1e4d6abefd8384c39bd729a11d136abd9783eabaadfc70e1623c00143518b751fb972ff8d834c796beef44770b49aecacff67d3c81a97a793dd20ffbe

Download Submit
C:\Windows\SysWOW64\Qpkppbho.exe

Filesize
93KB

MD5
afb48977e5391d3dd5964532f0d09337

SHA1
b16a56cb77d6ea6ff96f69c0ef5ea030c39d7461

SHA256
f9285b99a09882a0b0eeed4832da477347f8cc1f93daf28b454eb80fb49ea1a4

SHA512
94b28809053483f2a3a4a99c50913edf4b9293d75b01128eead4cedd53254ef3fc92bd6b36cef04bec1615ab1871d1f07dee42613a8f2bbe7b63b81f179714d1

Download Submit
memory/324-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/380-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/828-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-548-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/972-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1020-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1204-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1320-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1868-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2004-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-543-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2392-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2392-547-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2568-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-546-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3024-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3364-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3740-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3856-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4016-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5128-542-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5128-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5168-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5168-541-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5208-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5248-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5280-540-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5280-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5328-499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5328-539-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5372-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5372-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5416-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5416-536-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5456-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5456-537-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5496-524-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5496-535-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5536-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5536-534-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5576-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5576-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads