cae4bb6ac59cf405e077d4af110581c67ca99ce211a21773dec1c2a72f8dd075

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02124f84a63a63350dd19f5a40556e0N.exe
Size

144KB
MD5

c02124f84a63a63350dd19f5a40556e0
SHA1

1a77402273c4cab8b9991bd97d0a49a196c59433
SHA256

cae4bb6ac59cf405e077d4af110581c67ca99ce211a21773dec1c2a72f8dd075
SHA512

8ab24bd9b5ab97c00cbfae8780982136061c4f790d380184d6fe7a58f89699b02f293c9ae26220cd0faac4a0a4a560b11d586e3b3c011069cb46e36e29acb2bb
SSDEEP

3072:TSVDB7GSDMhaP+2BJG+NGCwK3DZyG1PGwwc5nTJI46gs1EFzGYJpD9r8XxrYnQgX:eKSDMbUDx1Pri1EtGyZ6Yu+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c02124f84a63a63350dd19f5a40556e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgbpaipl.exe

Executes dropped EXE 64 IoCs

pid	Process
1560	Ofkgcobj.exe
4916	Onapdl32.exe
4552	Opclldhj.exe
4208	Ocohmc32.exe
4336	Omgmeigd.exe
3168	Opeiadfg.exe
2476	Pjkmomfn.exe
1012	Paeelgnj.exe
4272	Phonha32.exe
4504	Pnifekmd.exe
2648	Pdenmbkk.exe
4920	Phajna32.exe
3708	Paiogf32.exe
4636	Phcgcqab.exe
4908	Pnmopk32.exe
4672	Ppolhcnm.exe
2588	Pfiddm32.exe
1968	Panhbfep.exe
2652	Qhhpop32.exe
2896	Qobhkjdi.exe
468	Qaqegecm.exe
2868	Qdoacabq.exe
3456	Qhjmdp32.exe
3712	Qjiipk32.exe
3136	Qpeahb32.exe
3824	Ahmjjoig.exe
4100	Afpjel32.exe
4184	Akkffkhk.exe
1628	Aogbfi32.exe
4540	Amjbbfgo.exe
2012	Aphnnafb.exe
1388	Adcjop32.exe
3256	Afbgkl32.exe
2196	Aknbkjfh.exe
4852	Aoioli32.exe
4224	Amlogfel.exe
4484	Aagkhd32.exe
708	Apjkcadp.exe
3152	Adfgdpmi.exe
1192	Ahaceo32.exe
4556	Agdcpkll.exe
5116	Akpoaj32.exe
4456	Amnlme32.exe
1808	Aajhndkb.exe
2540	Ahdpjn32.exe
116	Akblfj32.exe
900	Aonhghjl.exe
3280	Amqhbe32.exe
2956	Adkqoohc.exe
1180	Agimkk32.exe
1392	Aopemh32.exe
3164	Amcehdod.exe
3608	Apaadpng.exe
4944	Bhhiemoj.exe
1460	Bobabg32.exe
2112	Baannc32.exe
4764	Bdojjo32.exe
1600	Bgnffj32.exe
2348	Bkibgh32.exe
2632	Bmhocd32.exe
4296	Bpfkpp32.exe
4780	Bhmbqm32.exe
3100	Bogkmgba.exe
1524	Bmjkic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phonha32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Bkibgh32.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pnmopk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Egilaj32.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Onahgf32.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Paiogf32.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	c02124f84a63a63350dd19f5a40556e0N.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	Boldhf32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bobabg32.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Pnifekmd.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Onapdl32.exe	Ofkgcobj.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Opclldhj.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Aknbkjfh.exe
File opened for modification	C:\Windows\SysWOW64\Bogkmgba.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Adcjop32.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Dnkdmlfj.dll	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qhhpop32.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Adfgdpmi.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5284	5160	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c02124f84a63a63350dd19f5a40556e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c02124f84a63a63350dd19f5a40556e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c02124f84a63a63350dd19f5a40556e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c02124f84a63a63350dd19f5a40556e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnjdpaki.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 1560	3836	c02124f84a63a63350dd19f5a40556e0N.exe	83
PID 3836 wrote to memory of 1560	3836	c02124f84a63a63350dd19f5a40556e0N.exe	83
PID 3836 wrote to memory of 1560	3836	c02124f84a63a63350dd19f5a40556e0N.exe	83
PID 1560 wrote to memory of 4916	1560	Ofkgcobj.exe	84
PID 1560 wrote to memory of 4916	1560	Ofkgcobj.exe	84
PID 1560 wrote to memory of 4916	1560	Ofkgcobj.exe	84
PID 4916 wrote to memory of 4552	4916	Onapdl32.exe	85
PID 4916 wrote to memory of 4552	4916	Onapdl32.exe	85
PID 4916 wrote to memory of 4552	4916	Onapdl32.exe	85
PID 4552 wrote to memory of 4208	4552	Opclldhj.exe	86
PID 4552 wrote to memory of 4208	4552	Opclldhj.exe	86
PID 4552 wrote to memory of 4208	4552	Opclldhj.exe	86
PID 4208 wrote to memory of 4336	4208	Ocohmc32.exe	87
PID 4208 wrote to memory of 4336	4208	Ocohmc32.exe	87
PID 4208 wrote to memory of 4336	4208	Ocohmc32.exe	87
PID 4336 wrote to memory of 3168	4336	Omgmeigd.exe	88
PID 4336 wrote to memory of 3168	4336	Omgmeigd.exe	88
PID 4336 wrote to memory of 3168	4336	Omgmeigd.exe	88
PID 3168 wrote to memory of 2476	3168	Opeiadfg.exe	89
PID 3168 wrote to memory of 2476	3168	Opeiadfg.exe	89
PID 3168 wrote to memory of 2476	3168	Opeiadfg.exe	89
PID 2476 wrote to memory of 1012	2476	Pjkmomfn.exe	90
PID 2476 wrote to memory of 1012	2476	Pjkmomfn.exe	90
PID 2476 wrote to memory of 1012	2476	Pjkmomfn.exe	90
PID 1012 wrote to memory of 4272	1012	Paeelgnj.exe	91
PID 1012 wrote to memory of 4272	1012	Paeelgnj.exe	91
PID 1012 wrote to memory of 4272	1012	Paeelgnj.exe	91
PID 4272 wrote to memory of 4504	4272	Phonha32.exe	93
PID 4272 wrote to memory of 4504	4272	Phonha32.exe	93
PID 4272 wrote to memory of 4504	4272	Phonha32.exe	93
PID 4504 wrote to memory of 2648	4504	Pnifekmd.exe	94
PID 4504 wrote to memory of 2648	4504	Pnifekmd.exe	94
PID 4504 wrote to memory of 2648	4504	Pnifekmd.exe	94
PID 2648 wrote to memory of 4920	2648	Pdenmbkk.exe	95
PID 2648 wrote to memory of 4920	2648	Pdenmbkk.exe	95
PID 2648 wrote to memory of 4920	2648	Pdenmbkk.exe	95
PID 4920 wrote to memory of 3708	4920	Phajna32.exe	96
PID 4920 wrote to memory of 3708	4920	Phajna32.exe	96
PID 4920 wrote to memory of 3708	4920	Phajna32.exe	96
PID 3708 wrote to memory of 4636	3708	Paiogf32.exe	98
PID 3708 wrote to memory of 4636	3708	Paiogf32.exe	98
PID 3708 wrote to memory of 4636	3708	Paiogf32.exe	98
PID 4636 wrote to memory of 4908	4636	Phcgcqab.exe	99
PID 4636 wrote to memory of 4908	4636	Phcgcqab.exe	99
PID 4636 wrote to memory of 4908	4636	Phcgcqab.exe	99
PID 4908 wrote to memory of 4672	4908	Pnmopk32.exe	100
PID 4908 wrote to memory of 4672	4908	Pnmopk32.exe	100
PID 4908 wrote to memory of 4672	4908	Pnmopk32.exe	100
PID 4672 wrote to memory of 2588	4672	Ppolhcnm.exe	101
PID 4672 wrote to memory of 2588	4672	Ppolhcnm.exe	101
PID 4672 wrote to memory of 2588	4672	Ppolhcnm.exe	101
PID 2588 wrote to memory of 1968	2588	Pfiddm32.exe	103
PID 2588 wrote to memory of 1968	2588	Pfiddm32.exe	103
PID 2588 wrote to memory of 1968	2588	Pfiddm32.exe	103
PID 1968 wrote to memory of 2652	1968	Panhbfep.exe	104
PID 1968 wrote to memory of 2652	1968	Panhbfep.exe	104
PID 1968 wrote to memory of 2652	1968	Panhbfep.exe	104
PID 2652 wrote to memory of 2896	2652	Qhhpop32.exe	105
PID 2652 wrote to memory of 2896	2652	Qhhpop32.exe	105
PID 2652 wrote to memory of 2896	2652	Qhhpop32.exe	105
PID 2896 wrote to memory of 468	2896	Qobhkjdi.exe	106
PID 2896 wrote to memory of 468	2896	Qobhkjdi.exe	106
PID 2896 wrote to memory of 468	2896	Qobhkjdi.exe	106
PID 468 wrote to memory of 2868	468	Qaqegecm.exe	107

C:\Users\Admin\AppData\Local\Temp\c02124f84a63a63350dd19f5a40556e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c02124f84a63a63350dd19f5a40556e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\Ofkgcobj.exe
  C:\Windows\system32\Ofkgcobj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Onapdl32.exe
    C:\Windows\system32\Onapdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\Opclldhj.exe
      C:\Windows\system32\Opclldhj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        43⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3048
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        73⤵
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        79⤵
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        90⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        93⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 412
        96⤵
        Program crash
        
        PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5160 -ip 5160
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
144KB

MD5
60e7c01bcefb08c697a33cd5bffb7af5

SHA1
8623e1a18160fa2e9b120a814912449efb08d452

SHA256
3113b98dcd84740f55960af942ec863b4f0b5141f1693d107020f98dcda7c542

SHA512
48a5ec0ea3364f8809674982aa9d01d63f8e73440adb22312214ce8838779756e6cd92b42a75cfaf25f536a5d60993eb58799e64658c3b57b006ab5ad581047f

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
144KB

MD5
6ad1f8ac9283993189092471b0b5bb35

SHA1
0b6ca494823e5bb72d52be66da3137c89bacd28a

SHA256
9c95d6b496aff568b2b34730e91622b59646698beab1d18c40dd2e1614ced1d7

SHA512
c405afc08276cb0a4e6bfbda6cb8e0e7f5e642168b4c1576da63b16f7eb97bff85835c6372e4a5c92d12be6e51c96a753a847be15bc99e9317a5514514053e5f

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
144KB

MD5
a1e9144598629af185257b7c5e6f38a1

SHA1
9454e0c3758cc2277443b8ddbb0a54890dba9188

SHA256
9d2b8361fab7754accac7f72c3d0d581cad61bcebfd4a1241a0259c478c1c2ca

SHA512
3fd0da8d39fdda593f20cdc9355decfa3745dcecefe4f8c6d1688cc3a54294dc483e6e3f11ed07d35423f222965404f28164b78b63e1c757d508df02cb1f2729

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
144KB

MD5
1ccce544c19b84fbb31809b7379c80ee

SHA1
c4e7965e5f72e55c86b276deedfe85b32e128d04

SHA256
0d3f3d47699f3246194a520316fb01a0604b9c3e10228a58d94a0f8ba03c1b6c

SHA512
c2d01a891ca1769650e3dffbb1e8ee32e16189b4a841b7fa71fe43117c3cc9d120343e1026543d47c47714996520862fd97bc77fccd026a12f084224e6bda36b

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
144KB

MD5
f4e90c7d112585d2f751e10619966ea5

SHA1
84ff968a414a45a0b95388018ccf38db31d6576a

SHA256
87dbfae2ef3d00aa60dee748080f6945e058750667dc98b6372691bc5ad2e38b

SHA512
ac1e2a71020800ad3270e074e8596773ac4b86234ec4c01e2162c48ca9873032b08d7a45f23718267d449df1bf0c7d9445ff8d0e23a9c80d6f19cecf611d0d2f

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
144KB

MD5
9b269b9eab80afcec82962b4aa3769c5

SHA1
63b4fae32d869f29a36552251e7e383b294e4390

SHA256
aeae90a1cc2e08c7f2840f9512f96d95eeaf914a114d2af14e09e6410aa52625

SHA512
a8b1c8c7753b8f1315da75099446b4a02c66e13c81455dfb69871872155d848a99011d7f1e9876869f9060ab88df32c1aa9de7496f057b1570b66ce0b14c31f2

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
144KB

MD5
15fba343664a03837b890f469d33e7d4

SHA1
56c8c6b2c0c2b3a2ede729b19af5f187f73502b2

SHA256
3bcf022cd8f6f3e5cedf429592ada4861b34297b369bb4a54b35786ce7893fc9

SHA512
d41090c3d42db61f45709629339e3909d84bf50aa4f99d32a1ebef0e29bab80ed10533642b8fad8213815653663032bf7aa69ad3e8d13ed0718a27848268a459

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
144KB

MD5
80520e22a827d2ed91d122d092a9cf45

SHA1
e39dcb6f6e49301c729150327bcdb784fbb981f8

SHA256
b5cbd879191bd885d5b19a934199c3d411ec551cbd7638751a5b38c71519c9c0

SHA512
951811ca3737c664e8e319c1a37dc31992941d528c54fe59d7a9eff2df471bf1f190b73504fa609491a2c02d2c3baa9bb9edd0a39d58d08ebfa6a0e3ef03d207

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
144KB

MD5
4848522fc506315033e8d6d811ef2647

SHA1
f9bad9f4297db2eed40f002d2d3c560bf1c210b0

SHA256
9e6c70bd692a28cfd31c5ef8d9edaf9bbbcb33e99a6aae0f29e1973132f602f7

SHA512
1895ccef37d887458c856a3f6a4a9a8e212b6033ec5f653859a0270cc3855d0bee0f5876bf200401138a14a407c460df7491969eea3bdc1017af3059d338b768

Download Submit
C:\Windows\SysWOW64\Dhhmleng.dll

Filesize
7KB

MD5
54d14a4b1c550219ef6ca7f9a764ff02

SHA1
40feba7ff2775f8005e3810fba6c284611282362

SHA256
2b8593798aec2d0ac851ca329c4faed414619f79053fc3ef4e102c4474ea2c70

SHA512
da389c2f6bc60b15dfe2a4b6e1ce1b3eef6d97041d9ab61fa8bdd274c631b68ff12b7ca5f04402c7f320dd36e3f3b716dd1af786deabdd9e32cc0facd15f9458

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
144KB

MD5
923ac553ca62b5eaeca887b3ee6c3188

SHA1
c45292cada810e242d6446c8fbbd9465d573d95f

SHA256
00221f8fe452db96c6a78d70cca6b98656b52323a7ce7aa1d73d6fd5c2c6be88

SHA512
6c015c0d5f51babe7c2d51409af597a7b2e6d2df159036fd9696f67039f93ecb3a662d683fc0482fa7eb3b234e258fb2ac66709d44c79414bb4fe47c0e975f21

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
144KB

MD5
874c9ec4bc0f6d07cc61e9bdd4b68cb9

SHA1
cef0fb0394c0d6d15afdbb551c09d1e3c6e88de6

SHA256
d8e7790c9d3572c4164891f539d31783fe2a8100ff4dbd0874c0eb18afe4619c

SHA512
dc6d36c9fdfd7c1d1d9cd5ff58d3bd5690dd27a209ac49e9144a59e60dc5b61f6fa9e3eee60f0a3b36df84d7b840109ffa3cb8ac1278fb93f6ae3756430315cf

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
144KB

MD5
766b6ae28b334d9ec4be26083570cdc0

SHA1
d061e17e676bc4e32b02484886751b2c0bc874f1

SHA256
93d9c5993667b13b7c8c0b1407dbc287a0835fe8a77fc0486a5382c5130ba5a8

SHA512
1f2756787a312253848137fe335ff6414965e7e1be46a0ee9fc7ef0eced398968b500981638ff5d6f089b0e7646117f579eff974046bd5a5d48e2c63110337a5

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
144KB

MD5
0a49a6a727f4ce9cb8df79daf204d6e6

SHA1
1bfb9b809dd75adf3f272e8ff79eff71d15c745c

SHA256
c1f9354b28a03cf9d91e560ca24b6851cff5c92857c191b0484b40b0bc5ceeab

SHA512
baff4a8facd4a47133a0ce41d4c79175d5029906f470dc94952938627126c3d803e2f55733977fb8d72c441afeac0003c39335ee5941d8b07cb3c714584e72ba

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
144KB

MD5
10495625e61cbdfc5638c2b8f5d03769

SHA1
7ef282ed6261780c50a06a595b4189b39d821401

SHA256
7adcdd6ee47a59e71d4d7116c3dc501dc1ffd32eb595bd634098a5c558b22104

SHA512
8017c2ded04ef9029f8f35d9f3b92e24f4064b56636f5edd8fc22c20dfdcffddc414ab7b711f458a0dab01b6753f0fc4e6d0abde7ed933db154c6264e9a62783

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
144KB

MD5
a58ba957b1a507e232d94ac144a4de0f

SHA1
c289cc094c4cade2065542587fc0fa01f448fc56

SHA256
002690dbc50589aa060da838e7e81451f277fb502dbfe556f06c83f2d824fdb6

SHA512
ae0d276b7a19d045cc532cd65609bc8b65212e5637609fa5ed44c3e57f6347c28c4138b615d1e1a1c310d5079ebea969e54b0988a4c057cdb122d6b66cabf2dc

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
144KB

MD5
fc38577a8c542d45bf5235c5ffb949f8

SHA1
7b6fecff491513d7249f37a2b77d9dfc633ca05d

SHA256
6a784babe2f0b5a5ba41563be8ec1e9aac8446e0dae4b1d13c46c2ee6a852d7f

SHA512
bf5ab641ce467adf656a92d9eb46a5fe486dc74f38faa88efe8e14a8e880d599fd9897d118c34e5cc6c828b4e30b23fa116c4fca410917fa7247a30130195fed

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
144KB

MD5
296f89e3a86507e9bd6325d9736b9f13

SHA1
267a3b6a98f5cfd68747b0bcaa0b613f28a4f40d

SHA256
22927649a28942fa97b1fcf57749383cfd0efdc7d8ff70f2125b1ad1aaf48e2f

SHA512
dbb3ce725958d90d85990c6b4b159b5a11650c4c880b7e278f48f8d8f0c08741af1840760f5e0fe4f5b10ef0db13974417fd17119899a2460ca0a5decc21d54a

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
144KB

MD5
ccda751faa2fd88d06b3e0bd2f808453

SHA1
b5da549ac0cefadbe8b6cf9575c775dba1afc992

SHA256
5fab5df778ffaad4e0440715b0a16f2256fd764ab99287c296542a2cded1cfaf

SHA512
42ed0dec29e09ad591ca1f96fe195874f4b2746ec4249346cf3b3bf72665342000ad9d67609aeaa8b4efb7d75d1511bcf1d3f9a262e6eebcef0085dd3a6b76f5

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
144KB

MD5
172000b8dd31cf952b9ee687e8d5400e

SHA1
cd2c50e4272d2cdd366d8cef0dd62b9ab2694205

SHA256
87f3c62e5dfa48a17c51790920c414765a22daf14da8f0dfd44407a72900afab

SHA512
b08c536473c4134509c895b1fb1713d4b9b37337d3e4383a27aa585b61c665f7b24739939649eff81148b41f5b4b5ce22d6d51783ee66b8c5e5d567ad913c073

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
144KB

MD5
a02e27e8848e2eb18a04a2630bd40659

SHA1
485b3e4b852c5406b0cbb751bea885e206174041

SHA256
a56afdebbb8c424ee856e151ca2b71dbaad4b00d654e21c12182da86b1bb890f

SHA512
6c64dc53398c6272de23fb6c0c373ac415b7d7c6234f66fb48c2b5adda6e4c642ce1aa97519218edbcf6225cb608e62aa83c234182944c18eb32259629d9784e

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
144KB

MD5
ce1278ab4945fdc56be89d86a5927049

SHA1
95d446149cd1f7521b49516d794ff8e51a2a2f83

SHA256
a4e0b656362adb0efd729e3bd4b1ddf080a402dfec0e31e5f738b0f8bf67b93f

SHA512
1880d8b62a7341354c34ae63b5d33a3d0f6878df78e5717ef73e78e2049c3a20e34ce177bbddd089bc16c7b660f0a57a350009a62e8d418e0971d17207adaa38

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
144KB

MD5
90d755075209aadc1a7c9ba513db3ff0

SHA1
8026ba09f60a5853d4b37406c27540e62635e538

SHA256
86cb6a968fda26b15ba981e8c9f5819d17afb695d47c3088388b0e5f9180ffac

SHA512
ecbd7127c05f2dd120bafac3141ba190babd111dc0cbd71e6ab018ce72ec685659c1346a45e30543df9a2ff27e61a6c5783b69ace9dc392aee9bc142885ea754

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
144KB

MD5
167ed78833d9b8651f931713ed93f193

SHA1
8548e89b154d27b872fab43214143f6d2dd9cad5

SHA256
4a5c397855c1a8058c76e58ccf7fa5a637c392debd2dd3afb00492a86b7e9ef4

SHA512
0e5226512efb12594eaee6a76ce593ce36002d74590d483c68ffbf9ea5f4e4ef39a8fac30788569a56fd31a4bd686bf2fad9e017fe05df1b5a78809e7f12e505

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
144KB

MD5
49089be88fc7abafd3143c610f118d23

SHA1
b523608fdfcaceab99e42ee569664f2bcd48c0b1

SHA256
d4272af9671749f3c374341f6fa3435d3c848d09f406a1533d11a3345f93f3e6

SHA512
e465289541260f689637eab8c88980af3f5b0c0473248864beb31d36ad80d200376921d6f0748f5f6b8ec6e8c8244681314c9ee5040f38e69468fd9efa418a3a

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
144KB

MD5
8f0bbb00ff906ed49f9045e20d0c2cc4

SHA1
e7c17b66895aad79f3c1340848d6457d021b794d

SHA256
cd22772f321a7349833761e34f9b50d6c8918ce0999111ea9d3e97c5f8e0d030

SHA512
340a597feed8c41bd59b590897d6b44a9946f512bb05f3d43d20a5fa1f95c398c54609bbea478b067be2b9c14a486b1db1d15f8dff5b6110d2b9011461749f53

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
144KB

MD5
fb85d428c14c79a37ccd960f13178733

SHA1
648af1ce72f0551e73a021058be6a1bc80b08385

SHA256
6869433548d61c11a068ecea8981d1c7524f34497414014cde78248a8103d95b

SHA512
9086ea6023b0f495674d851cc9a0e32c2457194cd10e83a9b45d6ee6ededa663c3d2f40e9137a179ba20f806425a202b2663749aebc251567dc116ae26995b7a

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
144KB

MD5
0d43e86734d3df09ed26bafed276bf7c

SHA1
0f3bebc4d3a35d9635c854b2e5fd87660080bcca

SHA256
61107f580ea5143858fa71a0b5d2b1ac600edecb78eb1a14b70607f9452bd747

SHA512
2d0b300c93141a9eda798cf110ebc27b857655412d6a64ffb75a397527be809811cc31f938411bb4bbbee7c6269e1cb5cf473f2c328a6e9751fc0604effba79b

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
144KB

MD5
7ce76156ec99efa33f37c6e822fb1113

SHA1
236d2cbd359022683ba45117e9dbb04f3b3bc71f

SHA256
69c369d6ec085c7f6cfcfa02d764ef37b3e10c4c9554bb2a6521acfff6aa2226

SHA512
c380c058f1e233e5a7878da116cdf8341e54f09b5f08a2e82f156a6e7824e31a2d9479ccdf1232defbcc10ba2a9c6e971e63d6e7bbcdc3073cd2cde3cfe55eec

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
144KB

MD5
85f8b39d340b158d5e52391c83dc250c

SHA1
42ff07cee4cc7237e4f17486afa12519d2e4e51c

SHA256
8888848a8d4a5fda44a480e1acbb330b45acfa50ea1fc75dbbcf142a1ccadad0

SHA512
b6372d6c1a28bc399443538ff3722c6b2f5ac8ec7eb6ca0b6ba7802eb558827c4b76748d3bb7203f425b9e4aa1c73c98c5f1624f920d4f91ab22f9f2872b4299

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
144KB

MD5
252ef6f9da29b71530df2b32eac64112

SHA1
86b6ab8e09026bb8231b698c344cbe83484c1a8e

SHA256
83633afd92b75d8c3199f37c94d70115bd56f5e236b3f90e78497abba93245fb

SHA512
e8cfff5c5393cf1dd265babf4ba11631e1412a6b246a60c521d5840bf2aca5c9aed52a9151d5a2f76be7793581ee05e907310c4b12e96e6a650ec6921a8e719a

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
144KB

MD5
39b66166de6031bddd3fae8f00b9ef66

SHA1
3e55527355260db9c8416c990a1518f0abcd2c03

SHA256
4e1999223c0a768ded49c492faf2b1253ff32e627de3ef4ae3ab3c667d05e0e8

SHA512
3be93a3b12100e027e0c18d4ed54e14c23e3aadd841e96cd08d1d5d280aa9b6f71ef8f26574bce6d76d785d9c24544f419bc9e60864b5ac7519f939432de6acb

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
144KB

MD5
1ee0522af5f7a0147c661985a8f420c1

SHA1
305f8b31aff53992f427d8166ce1aa1b97a8396c

SHA256
eb96060eff8990d7b239ca22406ab9a4a844fd35f60143608f9a9303626a0fcc

SHA512
cb9261708ee8767dfb7052a6158f9f7e2f5184f28561e0131c1a0ca835915a009153edd808041fd0eb6a80f1ae9df8f25236729426f98fec897369f8fa0849ab

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
144KB

MD5
e3c0ed4cf65622b2a2e0f03a6b825e29

SHA1
bfb328582a4d416fbf5896fa9dc228498ab09cd6

SHA256
a9f221c6f68207026ad183b7a5976e12e5b953aaa0a2d6abfce6f4eac61f4b3a

SHA512
cb704cec403a8b84fed44dcc353b0982640bc323a20210aecbf27f0b576800b9de07538408fd185dc56469df99e4b4025416d79e3f5046d0f23ba0bcb3b28648

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
144KB

MD5
c3f282b554285f0b31b25eb69a5e462e

SHA1
34b73492492fc7a1b72dc1758f513e6a609ad548

SHA256
c0593ce6f63ad3bd897cef852d1b14faa4b96bc52e5abecf7430d028d3eda2ee

SHA512
a3f918d39e2e2196e0567382d0f641b9c8c574060cfce086c7ab23e6205601f680ee5437dbb05276acd1e441d0bc59285df6125db7d583bc3418b3268d944a6b

Download Submit
memory/116-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-737-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-728-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-727-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads