3b2088ddb6e7bd7a416c86f8a8ff6e2f8b6dd2bce326a7aa49bf36a87b9b55ad

Analysis

max time kernel
32s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ecbafebd662998b215ac0a9f1eb2010N.exe
Size

64KB
MD5

9ecbafebd662998b215ac0a9f1eb2010
SHA1

8a659b92b61e08118a4f051fa9259d857057eb7f
SHA256

3b2088ddb6e7bd7a416c86f8a8ff6e2f8b6dd2bce326a7aa49bf36a87b9b55ad
SHA512

896984de01bb77973b1027acdf29a937824027b528fe7944385ca131a91d7967d84c6bc20ccee05f468b296818d5bf5a877320dd932046c3b6118620fdd09827
SSDEEP

768:P2xIIXy6DGrvMDBxB3UQS/KRt/Rgy1ppcep+nQQQQ9sbaUCaILzz+/1H54FYyfBe:PWi6DWvMDBDh6enCarWyIrPFW2iwTbW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pniohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peiaij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngbcldl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegdcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgogla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9ecbafebd662998b215ac0a9f1eb2010N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaondi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfikc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Papank32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peiaij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjgbmoda.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oegdcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9ecbafebd662998b215ac0a9f1eb2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgogla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Papank32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeccdila.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomlfpdi.exe

Executes dropped EXE 29 IoCs

pid	Process
300	Oomlfpdi.exe
2124	Oegdcj32.exe
2944	Oibpdico.exe
2936	Oophlpag.exe
2676	Peiaij32.exe
2668	Plcied32.exe
2384	Papank32.exe
2748	Phjjkefd.exe
1824	Pngbcldl.exe
436	Penjdien.exe
3008	Pgogla32.exe
2148	Pniohk32.exe
276	Pqhkdg32.exe
1772	Pgacaaij.exe
2196	Pjppmlhm.exe
388	Qckalamk.exe
2592	Qfimhmlo.exe
2360	Ajgfnk32.exe
2068	Aodnfbpm.exe
2432	Afnfcl32.exe
2312	Ailboh32.exe
2480	Aeccdila.exe
2016	Aioodg32.exe
2348	Afbpnlcd.exe
3052	Aialjgbh.exe
2900	Agfikc32.exe
2904	Aaondi32.exe
2704	Bjgbmoda.exe
2172	Bmenijcd.exe

Loads dropped DLL 62 IoCs

pid	Process
2296	9ecbafebd662998b215ac0a9f1eb2010N.exe
2296	9ecbafebd662998b215ac0a9f1eb2010N.exe
300	Oomlfpdi.exe
300	Oomlfpdi.exe
2124	Oegdcj32.exe
2124	Oegdcj32.exe
2944	Oibpdico.exe
2944	Oibpdico.exe
2936	Oophlpag.exe
2936	Oophlpag.exe
2676	Peiaij32.exe
2676	Peiaij32.exe
2668	Plcied32.exe
2668	Plcied32.exe
2384	Papank32.exe
2384	Papank32.exe
2748	Phjjkefd.exe
2748	Phjjkefd.exe
1824	Pngbcldl.exe
1824	Pngbcldl.exe
436	Penjdien.exe
436	Penjdien.exe
3008	Pgogla32.exe
3008	Pgogla32.exe
2148	Pniohk32.exe
2148	Pniohk32.exe
276	Pqhkdg32.exe
276	Pqhkdg32.exe
1772	Pgacaaij.exe
1772	Pgacaaij.exe
2196	Pjppmlhm.exe
2196	Pjppmlhm.exe
388	Qckalamk.exe
388	Qckalamk.exe
2592	Qfimhmlo.exe
2592	Qfimhmlo.exe
2360	Ajgfnk32.exe
2360	Ajgfnk32.exe
2068	Aodnfbpm.exe
2068	Aodnfbpm.exe
2432	Afnfcl32.exe
2432	Afnfcl32.exe
2312	Ailboh32.exe
2312	Ailboh32.exe
2480	Aeccdila.exe
2480	Aeccdila.exe
2016	Aioodg32.exe
2016	Aioodg32.exe
2348	Afbpnlcd.exe
2348	Afbpnlcd.exe
3052	Aialjgbh.exe
3052	Aialjgbh.exe
2900	Agfikc32.exe
2900	Agfikc32.exe
2904	Aaondi32.exe
2904	Aaondi32.exe
2704	Bjgbmoda.exe
2704	Bjgbmoda.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pgacaaij.exe	Pqhkdg32.exe
File created	C:\Windows\SysWOW64\Okcnkb32.dll	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Eodinj32.dll	Oibpdico.exe
File created	C:\Windows\SysWOW64\Amncmd32.dll	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Aodnfbpm.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Khilfg32.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Aeccdila.exe
File created	C:\Windows\SysWOW64\Afbpnlcd.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Ppfgdd32.dll	Pgacaaij.exe
File opened for modification	C:\Windows\SysWOW64\Oegdcj32.exe	Oomlfpdi.exe
File created	C:\Windows\SysWOW64\Hgeahj32.dll	Qckalamk.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Agfikc32.exe	Aialjgbh.exe
File opened for modification	C:\Windows\SysWOW64\Agfikc32.exe	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Oegdcj32.exe	Oomlfpdi.exe
File created	C:\Windows\SysWOW64\Hgmgcagc.dll	Oegdcj32.exe
File opened for modification	C:\Windows\SysWOW64\Pngbcldl.exe	Phjjkefd.exe
File created	C:\Windows\SysWOW64\Kcfbimjl.dll	Pgogla32.exe
File created	C:\Windows\SysWOW64\Pjppmlhm.exe	Pgacaaij.exe
File opened for modification	C:\Windows\SysWOW64\Ajgfnk32.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Agfbfl32.dll	Aaondi32.exe
File created	C:\Windows\SysWOW64\Oomlfpdi.exe	9ecbafebd662998b215ac0a9f1eb2010N.exe
File created	C:\Windows\SysWOW64\Klhejn32.dll	Pqhkdg32.exe
File opened for modification	C:\Windows\SysWOW64\Phjjkefd.exe	Papank32.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Ppqolemj.dll	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Aeccdila.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Aeccdila.exe
File created	C:\Windows\SysWOW64\Aaondi32.exe	Agfikc32.exe
File opened for modification	C:\Windows\SysWOW64\Oophlpag.exe	Oibpdico.exe
File opened for modification	C:\Windows\SysWOW64\Pniohk32.exe	Pgogla32.exe
File opened for modification	C:\Windows\SysWOW64\Aeccdila.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Oophlpag.exe	Oibpdico.exe
File opened for modification	C:\Windows\SysWOW64\Plcied32.exe	Peiaij32.exe
File created	C:\Windows\SysWOW64\Pngbcldl.exe	Phjjkefd.exe
File opened for modification	C:\Windows\SysWOW64\Pqhkdg32.exe	Pniohk32.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bjgbmoda.exe
File created	C:\Windows\SysWOW64\Peiaij32.exe	Oophlpag.exe
File opened for modification	C:\Windows\SysWOW64\Papank32.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Pgogla32.exe	Penjdien.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	Pjppmlhm.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Agfikc32.exe
File created	C:\Windows\SysWOW64\Qqbhmi32.dll	Peiaij32.exe
File created	C:\Windows\SysWOW64\Dlbloflp.dll	Papank32.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File opened for modification	C:\Windows\SysWOW64\Bjgbmoda.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Oibpdico.exe	Oegdcj32.exe
File created	C:\Windows\SysWOW64\Papank32.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Ajgfnk32.exe	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Aodnfbpm.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Afnfcl32.exe	Aodnfbpm.exe
File opened for modification	C:\Windows\SysWOW64\Aaondi32.exe	Agfikc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bjgbmoda.exe
File created	C:\Windows\SysWOW64\Plcied32.exe	Peiaij32.exe
File opened for modification	C:\Windows\SysWOW64\Peiaij32.exe	Oophlpag.exe
File created	C:\Windows\SysWOW64\Eecpggap.dll	Pngbcldl.exe
File opened for modification	C:\Windows\SysWOW64\Afbpnlcd.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Bjgbmoda.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Lncacf32.dll	Oomlfpdi.exe
File created	C:\Windows\SysWOW64\Phjjkefd.exe	Papank32.exe
File created	C:\Windows\SysWOW64\Fhgmpohp.dll	Phjjkefd.exe
File opened for modification	C:\Windows\SysWOW64\Penjdien.exe	Pngbcldl.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	Pjppmlhm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2172	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aodnfbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegdcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phjjkefd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjppmlhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgfnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgogla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pniohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhkdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfikc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomlfpdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibpdico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeccdila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ecbafebd662998b215ac0a9f1eb2010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Papank32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgacaaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plcied32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngbcldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peiaij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbpnlcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Penjdien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjgbmoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aialjgbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9ecbafebd662998b215ac0a9f1eb2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kepajbam.dll"	Penjdien.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pniohk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjoaod.dll"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oegdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodinj32.dll"	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbloflp.dll"	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmfllng.dll"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfibh32.dll"	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaglgp.dll"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebepc32.dll"	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khilfg32.dll"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcnkb32.dll"	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oomlfpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqbhmi32.dll"	Peiaij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peiaij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaondi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9ecbafebd662998b215ac0a9f1eb2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9ecbafebd662998b215ac0a9f1eb2010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amncmd32.dll"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll"	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaondi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgogla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdfng32.dll"	9ecbafebd662998b215ac0a9f1eb2010N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfgdd32.dll"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomlfpdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oophlpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfbimjl.dll"	Pgogla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmpohp.dll"	Phjjkefd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 300	2296	9ecbafebd662998b215ac0a9f1eb2010N.exe	30
PID 2296 wrote to memory of 300	2296	9ecbafebd662998b215ac0a9f1eb2010N.exe	30
PID 2296 wrote to memory of 300	2296	9ecbafebd662998b215ac0a9f1eb2010N.exe	30
PID 2296 wrote to memory of 300	2296	9ecbafebd662998b215ac0a9f1eb2010N.exe	30
PID 300 wrote to memory of 2124	300	Oomlfpdi.exe	31
PID 300 wrote to memory of 2124	300	Oomlfpdi.exe	31
PID 300 wrote to memory of 2124	300	Oomlfpdi.exe	31
PID 300 wrote to memory of 2124	300	Oomlfpdi.exe	31
PID 2124 wrote to memory of 2944	2124	Oegdcj32.exe	32
PID 2124 wrote to memory of 2944	2124	Oegdcj32.exe	32
PID 2124 wrote to memory of 2944	2124	Oegdcj32.exe	32
PID 2124 wrote to memory of 2944	2124	Oegdcj32.exe	32
PID 2944 wrote to memory of 2936	2944	Oibpdico.exe	33
PID 2944 wrote to memory of 2936	2944	Oibpdico.exe	33
PID 2944 wrote to memory of 2936	2944	Oibpdico.exe	33
PID 2944 wrote to memory of 2936	2944	Oibpdico.exe	33
PID 2936 wrote to memory of 2676	2936	Oophlpag.exe	34
PID 2936 wrote to memory of 2676	2936	Oophlpag.exe	34
PID 2936 wrote to memory of 2676	2936	Oophlpag.exe	34
PID 2936 wrote to memory of 2676	2936	Oophlpag.exe	34
PID 2676 wrote to memory of 2668	2676	Peiaij32.exe	35
PID 2676 wrote to memory of 2668	2676	Peiaij32.exe	35
PID 2676 wrote to memory of 2668	2676	Peiaij32.exe	35
PID 2676 wrote to memory of 2668	2676	Peiaij32.exe	35
PID 2668 wrote to memory of 2384	2668	Plcied32.exe	36
PID 2668 wrote to memory of 2384	2668	Plcied32.exe	36
PID 2668 wrote to memory of 2384	2668	Plcied32.exe	36
PID 2668 wrote to memory of 2384	2668	Plcied32.exe	36
PID 2384 wrote to memory of 2748	2384	Papank32.exe	37
PID 2384 wrote to memory of 2748	2384	Papank32.exe	37
PID 2384 wrote to memory of 2748	2384	Papank32.exe	37
PID 2384 wrote to memory of 2748	2384	Papank32.exe	37
PID 2748 wrote to memory of 1824	2748	Phjjkefd.exe	38
PID 2748 wrote to memory of 1824	2748	Phjjkefd.exe	38
PID 2748 wrote to memory of 1824	2748	Phjjkefd.exe	38
PID 2748 wrote to memory of 1824	2748	Phjjkefd.exe	38
PID 1824 wrote to memory of 436	1824	Pngbcldl.exe	39
PID 1824 wrote to memory of 436	1824	Pngbcldl.exe	39
PID 1824 wrote to memory of 436	1824	Pngbcldl.exe	39
PID 1824 wrote to memory of 436	1824	Pngbcldl.exe	39
PID 436 wrote to memory of 3008	436	Penjdien.exe	40
PID 436 wrote to memory of 3008	436	Penjdien.exe	40
PID 436 wrote to memory of 3008	436	Penjdien.exe	40
PID 436 wrote to memory of 3008	436	Penjdien.exe	40
PID 3008 wrote to memory of 2148	3008	Pgogla32.exe	41
PID 3008 wrote to memory of 2148	3008	Pgogla32.exe	41
PID 3008 wrote to memory of 2148	3008	Pgogla32.exe	41
PID 3008 wrote to memory of 2148	3008	Pgogla32.exe	41
PID 2148 wrote to memory of 276	2148	Pniohk32.exe	42
PID 2148 wrote to memory of 276	2148	Pniohk32.exe	42
PID 2148 wrote to memory of 276	2148	Pniohk32.exe	42
PID 2148 wrote to memory of 276	2148	Pniohk32.exe	42
PID 276 wrote to memory of 1772	276	Pqhkdg32.exe	43
PID 276 wrote to memory of 1772	276	Pqhkdg32.exe	43
PID 276 wrote to memory of 1772	276	Pqhkdg32.exe	43
PID 276 wrote to memory of 1772	276	Pqhkdg32.exe	43
PID 1772 wrote to memory of 2196	1772	Pgacaaij.exe	44
PID 1772 wrote to memory of 2196	1772	Pgacaaij.exe	44
PID 1772 wrote to memory of 2196	1772	Pgacaaij.exe	44
PID 1772 wrote to memory of 2196	1772	Pgacaaij.exe	44
PID 2196 wrote to memory of 388	2196	Pjppmlhm.exe	45
PID 2196 wrote to memory of 388	2196	Pjppmlhm.exe	45
PID 2196 wrote to memory of 388	2196	Pjppmlhm.exe	45
PID 2196 wrote to memory of 388	2196	Pjppmlhm.exe	45

C:\Users\Admin\AppData\Local\Temp\9ecbafebd662998b215ac0a9f1eb2010N.exe
"C:\Users\Admin\AppData\Local\Temp\9ecbafebd662998b215ac0a9f1eb2010N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Oomlfpdi.exe
  C:\Windows\system32\Oomlfpdi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\SysWOW64\Oegdcj32.exe
    C:\Windows\system32\Oegdcj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\Oibpdico.exe
      C:\Windows\system32\Oibpdico.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\Oophlpag.exe
        
        C:\Windows\system32\Oophlpag.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\Peiaij32.exe
        
        C:\Windows\system32\Peiaij32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Plcied32.exe
        
        C:\Windows\system32\Plcied32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Papank32.exe
        
        C:\Windows\system32\Papank32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Phjjkefd.exe
        
        C:\Windows\system32\Phjjkefd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Pngbcldl.exe
        
        C:\Windows\system32\Pngbcldl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Penjdien.exe
        
        C:\Windows\system32\Penjdien.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Pgogla32.exe
        
        C:\Windows\system32\Pgogla32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pniohk32.exe
        
        C:\Windows\system32\Pniohk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Pqhkdg32.exe
        
        C:\Windows\system32\Pqhkdg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\Pgacaaij.exe
        
        C:\Windows\system32\Pgacaaij.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Pjppmlhm.exe
        
        C:\Windows\system32\Pjppmlhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Qckalamk.exe
        
        C:\Windows\system32\Qckalamk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Qfimhmlo.exe
        
        C:\Windows\system32\Qfimhmlo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ajgfnk32.exe
        
        C:\Windows\system32\Ajgfnk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Aodnfbpm.exe
        
        C:\Windows\system32\Aodnfbpm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Afnfcl32.exe
        
        C:\Windows\system32\Afnfcl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Aeccdila.exe
        
        C:\Windows\system32\Aeccdila.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Afbpnlcd.exe
        
        C:\Windows\system32\Afbpnlcd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Aialjgbh.exe
        
        C:\Windows\system32\Aialjgbh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Agfikc32.exe
        
        C:\Windows\system32\Agfikc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Bjgbmoda.exe
        
        C:\Windows\system32\Bjgbmoda.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaondi32.exe

Filesize
64KB

MD5
a6bd1828ac828d852b4a4d167a210ec6

SHA1
3e9f7da1912231921e204dd1cd8d49462f4cbea2

SHA256
36404e37b946bfa1c034fbe80b65a69148ddd350aa36ea4a13f19d055c738208

SHA512
eda3958aa90877c3432b0d83c6d162becb3c90f81052f7689090fefd672540a16dd1142d835b53359048ddd8cc5c71eb83f35a69a2c5c5a8ea088c40ebfdec7e

Download Submit
C:\Windows\SysWOW64\Aeccdila.exe

Filesize
64KB

MD5
7fd6ff0385d54ed4cca0073e4517cace

SHA1
958d7774622f485ceed3b52bd2178398d8837bd5

SHA256
63865fdb4bf4c35bf63cbf790edf2156d1f9268078f73575b0a74b1fae8e0134

SHA512
66e61cddfb4552c3dfb0278ee0f9bfe1b1ce2b38cb38af7ef43f11182b21be12222bf39e87c6fa87e7f5630113bfd95836dff0037cbd1a32a3754a256481fac9

Download Submit
C:\Windows\SysWOW64\Afbpnlcd.exe

Filesize
64KB

MD5
364ec7be026ec528f697bec8409d5ac0

SHA1
c9b87aaba32faf3eb233a0ab24b29c1e54acff1b

SHA256
2cd2e5e884801e7c38dffd8c1ea58341684e656a32556eeda242c166c8dd81b9

SHA512
98bb955b734e1c9516ecacbbaaf944a28c75a03c8d7665e21a4ee4700f7e22be3bafa40a5e253831397ba38d3a1aec97a57164e2866f0a49d23a599420d33ad1

Download Submit
C:\Windows\SysWOW64\Afnfcl32.exe

Filesize
64KB

MD5
46bb0a45c0efbf9bb6c5b2b54a5261ec

SHA1
e807093fde398edbadf76ec0c84dd2d8d9475c21

SHA256
6b7e278b83719bc9463cae6bc8c544c591f57392929c3f947f89a017bcc52eb0

SHA512
c97f894581d33c0266502297a6f10a5ec3268673b877c74180ec733c5404787beda62bd7d7328b8f299ee96a760bcebb8c079c84a878e14e23dd899619794de7

Download Submit
C:\Windows\SysWOW64\Agfikc32.exe

Filesize
64KB

MD5
7d3d16614bff97629cc93d30550a1b40

SHA1
1d4e9acb1dd671a3ff5de2a2790e1d98375378d4

SHA256
2f68556499d5249a376e0ca532fcef25c9f36451c2a99f1c5e2e9727f7085663

SHA512
7b53b6a649e54dc46c17ea1b7243ee8f541a44ee9bede3841be0d7c143dafaf0d84ab901370385a0f0d2052ffd2db74bcf5aa4a37c3d2847765502c1af386802

Download Submit
C:\Windows\SysWOW64\Aialjgbh.exe

Filesize
64KB

MD5
680166f58655c3264a39dc882a7352b8

SHA1
c3a8d952d3a826e8d6de663dc538fd4912286239

SHA256
07068737f449b6f78894b9475fe1aa14a2b0ce05743ea0a954de46756be68dd1

SHA512
b249915af61adbf7eafe29ec1c470e69ff044d06b917b4d45123c692ee7a1e478707702cc5b1005e0bf74aec814aead3fe92b04c3b236d2c5207e8d141b866dc

Download Submit
C:\Windows\SysWOW64\Ailboh32.exe

Filesize
64KB

MD5
50653934e862441c9e6accc5c3776cd2

SHA1
a4b49570472267c6fa4f199456473bce0c34c431

SHA256
fbe9eef5d23d12fa9603256318d6d016334866e245a157eed62cc290ce425218

SHA512
2d7df81cca4789a96a06ab9839902c0667129390c82a2762341f8875f9ceae099e0758bca310665cc5d96d4225937b3a9ea6b3a47775b59984f574f881b34076

Download Submit
C:\Windows\SysWOW64\Aioodg32.exe

Filesize
64KB

MD5
31e0b52a086e31ded44f0dee74abd9ca

SHA1
7affc98798ee724f21a6f04b8abaa4b9a224439e

SHA256
998dc1872a4fc9206c00da56f57858f5020ad364efe49e1c97f72bb93298a770

SHA512
6ab20528558ee8b0f567207dd9f07bc2d6f84c6423a2a9d03377977e69d64eb318f008b742d5a555df5ca18cbbe04a0439314c8961b229e30134f7851528d5cd

Download Submit
C:\Windows\SysWOW64\Ajgfnk32.exe

Filesize
64KB

MD5
7edb883ec080f6a1e9055403aa1e810e

SHA1
d5943894e863c944daf501587bc6ce60c8ff376e

SHA256
5a46dba26659b0a8c67147b59f6b8521f4867074a431d951b9dc8f54adb025c1

SHA512
eb387dd60df4fa1255281d3befc5407d8938a63f73464031bc3f8972840f478e5ff1342fce2d677a5c695a650d9c041c7e148f766a091faaf610b02527e39ecc

Download Submit
C:\Windows\SysWOW64\Aodnfbpm.exe

Filesize
64KB

MD5
a1fa37c5afb598c583eb4899715807d0

SHA1
0d437e68b79e722ddb32220f9bd3d464a55e8e59

SHA256
2652319643c7ceb0792ef59a708d4e2a07f2e385e1afd7ffe2e1becdf3f4715a

SHA512
794d07d43d9a465a7d09cb48f6fb5535f114f127e531053166ba2766a3195b231704675c7504c58f544179e17c638ea16ddbfe34a47c86a7fff158a41dd4aebc

Download Submit
C:\Windows\SysWOW64\Bjgbmoda.exe

Filesize
64KB

MD5
b980b0e25867e96669d6a0c171ad156f

SHA1
786b5e30abab63d6091a4b3516b6de9caddc402b

SHA256
fca47d0d0affc7c9d511891a1d64b960240e41ce612b3d2719c54f1d7845fb1e

SHA512
04ecdae43eb95de986ba8a6648e8e20545dde3a8ff2fd297316b5fc3e22074bacfab28fc564c6b82e5ca486782e8cc40babf89cc1b1f0523f527f494a1463e0a

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
64KB

MD5
eae461c8e7ab19a2fa54efc0ac668ed7

SHA1
dcd371f0244fed281fbf1747b626400d18df6316

SHA256
41c82bdd12bd01e409a9e8df3142be15af5baa2bfb5b15c45be5f8cd519ca790

SHA512
cf7dafa31709300865de15dec5df76cde1f86880b6baf24cac431e5919a259a9e5189004fa2cd1c49db4c27728391e2b4498622a0c3ccf1afc77b1aab6ede6a1

Download Submit
C:\Windows\SysWOW64\Oegdcj32.exe

Filesize
64KB

MD5
21df4045dcf4c151d1839e312d9a51b2

SHA1
3acbab6fc633b173b5e9cf8f892d84aeee40f95c

SHA256
d51381802cac67505f99a2990c45c1837e2955d4b22e29e9f7e0e4d0e18f39e4

SHA512
d83e6045e75eaecae0ae19a043f6552786770ddf2edf84b20d48f959295b850f5b3bd03d476fd2087e95f7d3dc2f8697b3421a99b37f631d597fc93b03e36b16

Download Submit
C:\Windows\SysWOW64\Peiaij32.exe

Filesize
64KB

MD5
9a4631d0cb3bb6fea046c119a5e7ae49

SHA1
8c5cf81a1c0108269cedeafc5c7eb682c15f2460

SHA256
763ad609026b384d072611771cecd6c33d246b0ddefe92a018d0221a7f8eb707

SHA512
30aed05d872928fa2afa121c8fc6afcaedc83e1d0f4012099639059f55b2e3c0f9851d7a7c3cf28a7bf905d3189b762e343967d50ef67c282b0468c557569230

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
64KB

MD5
efc2d3cde441459b085024f329795574

SHA1
53d89e83ff07cdd033b752c8bc1ca03d7c8791b4

SHA256
c4694412059541fb184222f8795d7d3aa240492bf211cf9f0133208c6d743bec

SHA512
b2252ab181edcaf67cd1a2ffb7f7e717f86699b97d149537ef684a27525ebdcccb3b009c6c44d79e926957bdf15e355cd68734feace6f3da3ce2a3ddf63a64f3

Download Submit
\Windows\SysWOW64\Oibpdico.exe

Filesize
64KB

MD5
457f0dec9b20f6d4199b9ba616562647

SHA1
4beec7bac37c4dc9f5141db31bf3f7d031c35f2f

SHA256
750a78796bc03667b115662d6274be6c2a95e6f8b29ea2e4e32feb59c0f75322

SHA512
f9daf2219b42c4728038204fe5dd3660f4bfaf14953f22d3700de050ebbdd41f6a4a2afc8e6afc5eed65f936f9dc1a444a9207645c2eccfadce29d15e2fe0add

Download Submit
\Windows\SysWOW64\Oomlfpdi.exe

Filesize
64KB

MD5
17f9f7371510f45810394d253abd3fdb

SHA1
e9c8d4ea60650dbdf7d34db626be5865bd11ccc2

SHA256
1b80e170a6ad18586d4cf1477af2d2219bad29e96b7b8b2a69ffaf7c3eebd239

SHA512
eaf7289d25cf803f871f770786f28fe2bd48d8397c4bf33626a979682c06e3871e077be743cc23b95be9141799e8014c7672b1ae6ba6f55e2b14596cf6863210

Download Submit
\Windows\SysWOW64\Oophlpag.exe

Filesize
64KB

MD5
7c522c793ff69c80b143c6e942004d5a

SHA1
70cb4cf2cae05b86e9e5f673771a88202c24cc4b

SHA256
dad2e3daf95ee7791968ed7d72dac196a47ee3da9a8650fd52fac573de62d5d8

SHA512
b45cf2bdb3a376eede9c6824f1758499dfa019c1fc8966c5fc87bdb9cc0c78ff4b354683a32e745115cfaab4edd9258f6e4ddff6c6da2d2a7e80b60ee3857246

Download Submit
\Windows\SysWOW64\Papank32.exe

Filesize
64KB

MD5
f3813a499b2941426cea37359f0ef7d2

SHA1
ebfbbcbaee28d4ea1d29c7daf0d86a2ee3b51991

SHA256
3ae618811d614ba07e07279ce9f7badeb738680a2db1fa2fa59c7f48693b092f

SHA512
2c9bca472281070ea24b84dad85fce33e0ae20325b16bd0047aa4930cd3f39add7adf60df900ed35396ef243745804f1f5fb2f2fa22621385aee6bbe002390df

Download Submit
\Windows\SysWOW64\Penjdien.exe

Filesize
64KB

MD5
380743a5802db090ec88cf3d692a6c56

SHA1
39dd5dd50ce0157f91ae2bf5e5dab5adf0801211

SHA256
425ca261ca4aeb99a844d95af380c463a41df76666c67b5ee9e2de862b4466df

SHA512
acedab68072f1a22a5e8f1ee3574198a6467e4221577ab5bb260bf779a2a4c3f4402c8b4fcfe1946eb2b6ab9e92bfb64def631743d8fe880cb308acf3ba34294

Download Submit
\Windows\SysWOW64\Pgacaaij.exe

Filesize
64KB

MD5
c3005f820883575527fc6f441d723770

SHA1
1fd21706a41f842ad389711eb689c0cb35b06925

SHA256
ae4055ba06d23d634d9aab79b2c7627fc799c16bbe362ef38cb111bf9ed89696

SHA512
b3ac477730141b8a0851532b8d844d54e161ca9fcdb9a140de4fdac63881babef82c2c873c4f53a8ee0776a278dce167493dff932d2b2d4ae9ff6bbf9469cd43

Download Submit
\Windows\SysWOW64\Pgogla32.exe

Filesize
64KB

MD5
c0a0d1483a88f6e6ee570512cf8267a3

SHA1
19f4fa588952b7a9e9eb3fcdae2e9a9ae91e378b

SHA256
d861c6a922d334090862b1e0008664ed28b6ca96c59b6cdc2677735b6b2c1a9b

SHA512
22f3f03a757a45274489137d5c975309f8efe70b7599368294fdb3accfc49b768577ccfce5e80e5fa356dbbaaeca833b898a221005c51027e6078a3f8308825e

Download Submit
\Windows\SysWOW64\Phjjkefd.exe

Filesize
64KB

MD5
85a1fc6b65c9f826aabc3952dc0816e0

SHA1
0e3a1211f419d146f9a0728a446c30a9a7342bec

SHA256
c6bef1084ca574f4ca98f1b686b1bc03ddba89045f9a9bd8c072c103135ed944

SHA512
3fd21b38960f876635e71bffba2bb2187dc36d501a15a9eb04a26d22c9be0c851e91757a8e2731ce85e76757167d7d42ac081e74abc412f2a8ffca9c4f0af174

Download Submit
\Windows\SysWOW64\Pjppmlhm.exe

Filesize
64KB

MD5
e27a0e9118bef15c3e2eee86a4069b09

SHA1
68e294ef4da9ff6d863900279c10e4bc106decb0

SHA256
8e8d3219b3d8445a7538fe5431f4aeafeb6772dabe4be7f1dafa8d977fe06dad

SHA512
a6a5ebd7928c7c36bc401b3074b5caf1b487db194af14070a8e9244c1d62cdd124297ec0352e2a4a7b02aac6138c897f7ae37f720f1e8ce7c525b978b9e224c0

Download Submit
\Windows\SysWOW64\Plcied32.exe

Filesize
64KB

MD5
b7a04025b9df220e758bf7beaa067265

SHA1
130f9cde82463ee21755a48d23de686725b5645e

SHA256
16fc7825638eec21cbe627a96a39caf6a5f58335923ccb337c28c7a9c179b421

SHA512
0355bc2d094ede8a04eb544f8b8162be7bc69242c593945ef95badd612ae5b630c5e1443ee56bce28443331603613e1c3f7992ceb1bacecd8fe466709fc16869

Download Submit
\Windows\SysWOW64\Pngbcldl.exe

Filesize
64KB

MD5
d16ae3b650cd57b384ac3ed0b40106c3

SHA1
bb467af58fd6eb3b28aa46f5c7c9f70931113b16

SHA256
5b36348f02ae033b274ed48d70bad8ca0a886098ffdb7cc0fafef271439e0a26

SHA512
ded9728049b79433834c70715f826ee49e4f626021ad74ff3c9d4f0bb87836f208609ffb07190087cedfcb65bd2a41632e2982e438757534f278b1b845047a26

Download Submit
\Windows\SysWOW64\Pniohk32.exe

Filesize
64KB

MD5
f9a9cb3234097c37b98ac3428877f03f

SHA1
62155cec3cf8b4cb7a4da26f073c0b94527d0ac3

SHA256
ff08078674cc1193baeb86a234cde7e283f127240af20f2a077179d8246be0a0

SHA512
fc08d4fe24bc92eef972d314b915f9cdf3a84479bb026bb112159482827c7079e1be75dafddb42fcfbabc387f6f8ada32a68f3e8d87ef4a5f69f31c238de40db

Download Submit
\Windows\SysWOW64\Pqhkdg32.exe

Filesize
64KB

MD5
40ba16492260168a52eadd3951f95f94

SHA1
ca5c0b7c8babe88fea6b5a3b25afe060d5de1193

SHA256
d46aa2bf117ecfbd2b0381fe0ef4c1bd2e4354265560c84736aaaf4243abb733

SHA512
84233b8ee42cac89bde2b2e04abea73566daee9d6030ee7bb325262f833782d448efb37da4da5956d89e154116e484649f21f76a30c1fce2cc11b41b13e6e10c

Download Submit
\Windows\SysWOW64\Qckalamk.exe

Filesize
64KB

MD5
ac66f17735ab4196c61b58753b82f07e

SHA1
8d0e642c14f140c1aa45815358da67947cb146b3

SHA256
44b20b332f54c8183ffbf47f6147c86ab9ee2254dcbcb717354a494b2277b295

SHA512
231078854cdb1cd4c0b3ba949da2c44c8f7cc40e1ef2f7bad10bdd43542e291403c1ca301190a96ca12323b0de39278e5f88d3c373a7e21ffec69d06d163f779

Download Submit
memory/276-248-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/276-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/276-249-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/276-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/276-201-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/300-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/300-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/300-26-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/388-284-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/388-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/388-244-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/388-283-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/436-158-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/436-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/436-217-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1772-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1772-260-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1772-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1824-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1824-203-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1824-139-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1824-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-325-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2016-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-330-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2016-368-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2068-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2068-318-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2068-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2124-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2124-38-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2148-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2148-187-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2148-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2172-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-282-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2196-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-228-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2296-12-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2296-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2296-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2312-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2312-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2348-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2348-344-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2348-338-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2348-379-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2348-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2360-272-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2360-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2360-306-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2360-305-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2384-110-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2384-101-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2384-115-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2384-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-337-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2432-329-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-332-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2432-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-350-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-317-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2480-356-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2592-304-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2592-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2592-294-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2592-261-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2668-97-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2668-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2676-80-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2676-76-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2676-128-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2704-390-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2748-172-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-364-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2900-357-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2904-374-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/2936-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2936-70-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2936-109-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-48-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2944-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-100-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2944-54-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/3008-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-171-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3008-233-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3008-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3052-355-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3052-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3052-354-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3052-389-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads