14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f

Analysis

max time kernel
140s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
Size

49KB
MD5

2182b3c69ab3385f87b1cca4b1fdca05
SHA1

81a820770564983a88134bd6b3d5c42ba10eca40
SHA256

14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f
SHA512

8d5124df876861729e945f457f709c7983e314fb6dd6c6b6be7eb9d8212e49f0a240d86233b0a0fcff44c5d05b8815c3816bf830c94c593dd4f81818e454dd69
SSDEEP

1536:E7NvCnUMhg4t/Wo3/lsmCnmo0X6QaicQmFk02R4l:EpaLiQntX6/C1R4l

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3988	Pmdkch32.exe
4984	Pcncpbmd.exe
2136	Pflplnlg.exe
4692	Pncgmkmj.exe
3520	Pqbdjfln.exe
1560	Pcppfaka.exe
532	Pjjhbl32.exe
1704	Pmidog32.exe
968	Pdpmpdbd.exe
3168	Pfaigm32.exe
3120	Qmkadgpo.exe
3856	Qdbiedpa.exe
2732	Qfcfml32.exe
3640	Qnjnnj32.exe
624	Qqijje32.exe
1712	Qcgffqei.exe
4280	Qffbbldm.exe
976	Anmjcieo.exe
440	Aqkgpedc.exe
4088	Adgbpc32.exe
1212	Ageolo32.exe
4604	Anogiicl.exe
1144	Aqncedbp.exe
4968	Agglboim.exe
3424	Ajfhnjhq.exe
4700	Aqppkd32.exe
3180	Agjhgngj.exe
700	Ajhddjfn.exe
1192	Aabmqd32.exe
3100	Acqimo32.exe
1968	Afoeiklb.exe
1248	Anfmjhmd.exe
2528	Aminee32.exe
212	Accfbokl.exe
1592	Agoabn32.exe
4568	Bjmnoi32.exe
2996	Bnhjohkb.exe
756	Bmkjkd32.exe
5100	Bebblb32.exe
4072	Bganhm32.exe
4836	Bfdodjhm.exe
3748	Bnkgeg32.exe
800	Baicac32.exe
1612	Bchomn32.exe
1520	Bgcknmop.exe
3560	Bjagjhnc.exe
3956	Bmpcfdmg.exe
4204	Beglgani.exe
924	Bfhhoi32.exe
3500	Bjddphlq.exe
3916	Bmbplc32.exe
1584	Beihma32.exe
1040	Bhhdil32.exe
5116	Bjfaeh32.exe
1832	Bmemac32.exe
1116	Bapiabak.exe
3620	Bcoenmao.exe
4356	Chjaol32.exe
1332	Cjinkg32.exe
220	Cmgjgcgo.exe
4396	Cenahpha.exe
4316	Chmndlge.exe
768	Cjkjpgfi.exe
4504	Cnffqf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5920	5828	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 3988	3852	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe	86
PID 3852 wrote to memory of 3988	3852	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe	86
PID 3852 wrote to memory of 3988	3852	14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe	86
PID 3988 wrote to memory of 4984	3988	Pmdkch32.exe	87
PID 3988 wrote to memory of 4984	3988	Pmdkch32.exe	87
PID 3988 wrote to memory of 4984	3988	Pmdkch32.exe	87
PID 4984 wrote to memory of 2136	4984	Pcncpbmd.exe	88
PID 4984 wrote to memory of 2136	4984	Pcncpbmd.exe	88
PID 4984 wrote to memory of 2136	4984	Pcncpbmd.exe	88
PID 2136 wrote to memory of 4692	2136	Pflplnlg.exe	89
PID 2136 wrote to memory of 4692	2136	Pflplnlg.exe	89
PID 2136 wrote to memory of 4692	2136	Pflplnlg.exe	89
PID 4692 wrote to memory of 3520	4692	Pncgmkmj.exe	90
PID 4692 wrote to memory of 3520	4692	Pncgmkmj.exe	90
PID 4692 wrote to memory of 3520	4692	Pncgmkmj.exe	90
PID 3520 wrote to memory of 1560	3520	Pqbdjfln.exe	91
PID 3520 wrote to memory of 1560	3520	Pqbdjfln.exe	91
PID 3520 wrote to memory of 1560	3520	Pqbdjfln.exe	91
PID 1560 wrote to memory of 532	1560	Pcppfaka.exe	92
PID 1560 wrote to memory of 532	1560	Pcppfaka.exe	92
PID 1560 wrote to memory of 532	1560	Pcppfaka.exe	92
PID 532 wrote to memory of 1704	532	Pjjhbl32.exe	93
PID 532 wrote to memory of 1704	532	Pjjhbl32.exe	93
PID 532 wrote to memory of 1704	532	Pjjhbl32.exe	93
PID 1704 wrote to memory of 968	1704	Pmidog32.exe	94
PID 1704 wrote to memory of 968	1704	Pmidog32.exe	94
PID 1704 wrote to memory of 968	1704	Pmidog32.exe	94
PID 968 wrote to memory of 3168	968	Pdpmpdbd.exe	95
PID 968 wrote to memory of 3168	968	Pdpmpdbd.exe	95
PID 968 wrote to memory of 3168	968	Pdpmpdbd.exe	95
PID 3168 wrote to memory of 3120	3168	Pfaigm32.exe	96
PID 3168 wrote to memory of 3120	3168	Pfaigm32.exe	96
PID 3168 wrote to memory of 3120	3168	Pfaigm32.exe	96
PID 3120 wrote to memory of 3856	3120	Qmkadgpo.exe	97
PID 3120 wrote to memory of 3856	3120	Qmkadgpo.exe	97
PID 3120 wrote to memory of 3856	3120	Qmkadgpo.exe	97
PID 3856 wrote to memory of 2732	3856	Qdbiedpa.exe	98
PID 3856 wrote to memory of 2732	3856	Qdbiedpa.exe	98
PID 3856 wrote to memory of 2732	3856	Qdbiedpa.exe	98
PID 2732 wrote to memory of 3640	2732	Qfcfml32.exe	99
PID 2732 wrote to memory of 3640	2732	Qfcfml32.exe	99
PID 2732 wrote to memory of 3640	2732	Qfcfml32.exe	99
PID 3640 wrote to memory of 624	3640	Qnjnnj32.exe	100
PID 3640 wrote to memory of 624	3640	Qnjnnj32.exe	100
PID 3640 wrote to memory of 624	3640	Qnjnnj32.exe	100
PID 624 wrote to memory of 1712	624	Qqijje32.exe	101
PID 624 wrote to memory of 1712	624	Qqijje32.exe	101
PID 624 wrote to memory of 1712	624	Qqijje32.exe	101
PID 1712 wrote to memory of 4280	1712	Qcgffqei.exe	102
PID 1712 wrote to memory of 4280	1712	Qcgffqei.exe	102
PID 1712 wrote to memory of 4280	1712	Qcgffqei.exe	102
PID 4280 wrote to memory of 976	4280	Qffbbldm.exe	103
PID 4280 wrote to memory of 976	4280	Qffbbldm.exe	103
PID 4280 wrote to memory of 976	4280	Qffbbldm.exe	103
PID 976 wrote to memory of 440	976	Anmjcieo.exe	104
PID 976 wrote to memory of 440	976	Anmjcieo.exe	104
PID 976 wrote to memory of 440	976	Anmjcieo.exe	104
PID 440 wrote to memory of 4088	440	Aqkgpedc.exe	105
PID 440 wrote to memory of 4088	440	Aqkgpedc.exe	105
PID 440 wrote to memory of 4088	440	Aqkgpedc.exe	105
PID 4088 wrote to memory of 1212	4088	Adgbpc32.exe	107
PID 4088 wrote to memory of 1212	4088	Adgbpc32.exe	107
PID 4088 wrote to memory of 1212	4088	Adgbpc32.exe	107
PID 1212 wrote to memory of 4604	1212	Ageolo32.exe	108

C:\Users\Admin\AppData\Local\Temp\14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe
"C:\Users\Admin\AppData\Local\Temp\14e9f98f9bdcf0e77380024feaf996db652c902a63ceb64a105e2fb7186be13f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Pmdkch32.exe
  C:\Windows\system32\Pmdkch32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\Pcncpbmd.exe
    C:\Windows\system32\Pcncpbmd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\Pflplnlg.exe
      C:\Windows\system32\Pflplnlg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        62⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        78⤵
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        88⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        94⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 396
        96⤵
        Program crash
        
        PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5828 -ip 5828
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
49KB

MD5
2e4e10a6df9267793da0f6efd65a42e8

SHA1
707f09eaf9e5d6e9869de2baccf5fc2a6821a7aa

SHA256
b7b526c92ea59173b17328619007719a34cf65444f053324420c0813c64e97b5

SHA512
ff6ed503e9a5b7cfd45223532d61a36cfae7a245933c93635ec605de1196e85e0075058f919b4d422dbe5339d9fa64dcd128509a0b74d77cd36aa90bec49b6b7

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
49KB

MD5
399c58374f78a21572458d500fdebbc5

SHA1
085b0cd5422187e1563096b60e671525510f4745

SHA256
643475e09b34b68e5f5d1d3a32f6a752102a5aaa7c3fb2dc995b852f0441ffe6

SHA512
8b94a824cb80495e61aea4b5c37db33345819080903066048e687f51351f5699b9ecefd32d4b093b1a9b4bbabc46f77bfc16f0c06c2ae7b897aece0fbac476ab

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
49KB

MD5
51a742127273f914cb4c40e958c2ecae

SHA1
23ae73a53522f13302f0b76b8a08b8841c1adacb

SHA256
90f5e0b5fdbe8ffe6ba7f4c8eba7c50bad5529fa1c94c6f2bbed5abd4fccbeaa

SHA512
9e6c9e9eb5464a54d2ae743dc23d28ed2a6da390c7e0f2940b0cbca94e72ef58eba93b529cb0acefa4bd637474854c3b3edbf72a1cd34ecf9b46779544a8710b

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
49KB

MD5
88a85936ccce3d8e9b101f61af347e5f

SHA1
97c9ab25952ac1c385ede6856b55c827ba97653d

SHA256
0075967765c31c4897b0596c5732a6c2862f9e5e4e433563a2d579f4cf63c9f0

SHA512
5176f320df66721fde2683c1741b577b7e17e000308cde7d101727430a00fd0c3efe511db5f1683d0f0922a95b7e4e33f178adea6f39d97aeb82c47b974d7cf8

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
49KB

MD5
b5c4c3c71a969efc6f5c3202da2a3cc5

SHA1
ea715a2bb54fcc3b0322ad81b5c8995fc2f5f225

SHA256
7c9766f3ad870b28ca93b78839e7647c4da26e8614bec36534890a9b8051a769

SHA512
31502ce92d169b62e1490bb173795835730195ba2be97e0ce435a955040989b67748cb65c2af923053efd8ca6d19f8938cf5094c0d425bfb0db9535d449b2044

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
49KB

MD5
0137ababe1009920b501e638d1a87a63

SHA1
fdede2ab83faaa2c1dc013be0a5e3053b160c42a

SHA256
fc8e7729384b5b787eed682712d0baa825a1973cd12819c23b95b89240cf0d9a

SHA512
d9ca7e5f6d51cb7d7803918676ab142408a3979ba7d24637bb69294919220c07fd18ef860d371f6efaa0d3abc2aa76fcf5859372641b23347cd0b7482576d9d6

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
49KB

MD5
5e4f88dd2b3fe62b8a939513b0ce9ef0

SHA1
c92d18cab11f2a1be4a6e54a6aa9e7565e5d13ee

SHA256
8eb305c98c68c4342f4537b49e14a2dbb3f4dd764671af9db7bd1cf93971cdee

SHA512
f6f6b4428062c9668696a7cf957171c366f9765c6fea4e66230b31a60bf8b61254484c9d3885f39300d3f038bc6117fe5bfa13d61d64f0a51ebd631e43a24e9b

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
49KB

MD5
d6b2e712926c2b9a3b9e856db6d461cd

SHA1
236db69f721182ffb90cd858f40f045fa6205e85

SHA256
b3734d7272e49083111a5e849122e54abbd6e98d905333522db42e27de79cb12

SHA512
1747abda7e4073e550b1fb8a9301295500a90dfd3f8bc19f607841e0d0003a7a441f500caba192efc69d85b39cd272c526c52922f2fdde7d30b87f1543e66f4d

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
49KB

MD5
54915a43eeb0ddae064a7068f45f5bd1

SHA1
0c583f804db9c7780b5fcf86edf1f3b14deb7566

SHA256
0a8bf46e57e91ecb0e19c355703667bdb5bb60cb7095c7b0676832f2bbcfa745

SHA512
172be5b9e26a42bcbe9b2c6a5348b23d7a415a77f88440997a22f530625c0fd3071e57ae887111c3355b33d2b266ee578723486e00a3dbaf1577711aaa3adb62

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
49KB

MD5
65adb6b93b380589d44e8391c2bf9edc

SHA1
29dbb5d563ee648d5b51788c7219bea82ee55942

SHA256
622f575357f78084018a028016bc090c714cd00401dbd364628252433f965f32

SHA512
08e0e36ace6f22479f6591f54b5456d27c8bf43d6762294ff2d321edf6420bed7bcfd7a6a9d7ba3cc2074f295b4c25998435cdb46b92face6ae68e33b1c069e6

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
49KB

MD5
46398dd1df07322d9fd271acd389a2d5

SHA1
2321e59393a8977aac5e6669a7b326c907e24c75

SHA256
28abae5238edc896e327f5384f0f06ae8c2cd63984aa609c212899200536cc86

SHA512
5776ec61e18eda49ef62429d436f1fa090e721dd511c453c8c3f1dae9cb68533f5cfd860a03bdcd89e07faa09f3968e13276923d78b28d135244aad3b0e9b7dd

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
49KB

MD5
032f5a812e6fb129aa7359095b90edcf

SHA1
39e899a145cd0416d9a556d1e6799b1f6eea65c2

SHA256
c93bfe575f05a26974351e005afe9f8397a299d50f3bbb532264269451a5017f

SHA512
a6a59aac237f09782fe7e4944990850bd4ad9cac435dbdd79bd06d8e4968986898d42c244fa940b2634930b3ea81ea629ea716acb8f2a86a6e2b7fed2abe5cda

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
49KB

MD5
94a4b675aa01ca31388b6ae3558f227d

SHA1
95e1404dfa83deae7691b261f6e8b7fa06985816

SHA256
6eb89df4da1a9f30c2bed1f0126f1d3f57f7b108f0e9694a09c781890e82e507

SHA512
7dd2424e3c6ba97153f3fc8f0571110e71bd2002356699078909ecb0763e288079747fb878db57361bb29e4be6f7efef17bb7394e1c23fdcaf74287cff97e615

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
49KB

MD5
764d156aa31c9dcb1c3019c576a2066f

SHA1
4799c168d4c9015861310f1ac3a151f62785f5ad

SHA256
e1da9a591e5c88dba62ca16e41cd4c7974be72cc7d9df6d5cc661aec743f1830

SHA512
7137140fef7d699f72a6ff69063256795b26fe59518b613c960214bfee1890f46178ff459b2047aac5baaef41c069505aff8a3c9c137374208641a22fe417d61

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
49KB

MD5
c1eb04e05b96474fc4b505f40bc4136c

SHA1
b35126f53191e31ba7b243d19640ed3073862082

SHA256
bc95e1a53233ed5f16f7009e4c1653150359cf16d347f3eb058ecf8bd9073e12

SHA512
afb347eb9f0cab03aca1710da739d86cfcb341b442382d4df187532e9c412efc1aee1e34d515ce3e4cc0de1841c290a4817c2c9c869351bb7a4e6998d8b5cd93

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
49KB

MD5
c7ba3d903f9c0e643270c419bbf50f88

SHA1
2cc19345c18fd0c36f135c533ecdbe804501e11a

SHA256
f86f72d13cdf30264feb2b90250eeacfd05f2c672fec4c0625242bf6b436c4df

SHA512
2f4a0ed62161c738116412c9b843170b2bedd177128691faa398cd85aee6f168843ce867a590ae4f7fc1c99802627f4d88881eed80a5ea0b506f97c78089f8bb

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
49KB

MD5
a53dcf50dd5d3d225e465c84d1582342

SHA1
824a05786e2ff520aa638a0e87b536fb35aea583

SHA256
796c29a0f01d9d3fb8535ef3c69195851e1144d8eac569f95c8191e954ee8ea1

SHA512
d01f673e83ed68a3ce2870943f825626cc8d006e3913eba4c4383048348e411f623e20253c33e73d5d4a518fe02d24ebc74a1891474a0771d974ae924bfdd684

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
49KB

MD5
ee39ec0dc0c0555419828d2298618736

SHA1
3139e9e01ee35b8de5be08f8d21c3d4e20fbdb2f

SHA256
fe2d1c462d4646cbcfda34df671f03f95951cced1b3f29b9c9acfe5129f97945

SHA512
6593edb7177eb4958e29c7b72e1b884abe731c893c430bd17bda7a962eeb488012a40c6b03ffeaed3b61a5f7e93ad56abe501493e1a90512c4fb7a1205a43ca0

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
49KB

MD5
11bc0d215a0e31fdc1d505d710dc4644

SHA1
e00a71bf12af0e0340304ea94cb7f431347bc1cf

SHA256
b72f2c7b3e5cb49aafbc6ebb75dea171e6604c53b41f139cea6947a94dc5de68

SHA512
998c8a9d2059aa14e4fb60d348f5c36b1c3a7392386d6c5d919f3b8a6c42fa53e161376ccd5ec05f4ef91c1af1ba7de9841a7ed2cd8d68876a3af247b0dada92

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
49KB

MD5
f8051b22d11e364268a125f669bd58dd

SHA1
e3ede65c3f94cce1ea8f1222c0684f9b696387a5

SHA256
4d326e2576ce07b6209cb986a581dfe62d4a8313863d69cd82a0f52fc6cf934d

SHA512
337c69502ea2162a22714ddf8143cf9183c0b60ccd3b6f1f2511ef283f9f90722fd153751d34d11ed73d9d9d2e2d73fd14fc7510717a2497c44730c1f142d68d

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
49KB

MD5
d88d1f0253fe87a762727bfa7abad809

SHA1
9735dca6d5f241b08de697ceb6e72793587effba

SHA256
9d473c9c6ae240ebac477121c10f2b54bb4c9410a5cacf63b411b3819ec6678e

SHA512
ba44534989d8dc51ce472d1095a6d77ead332db0522f787ee3e3787a0c446163738fa7c527fb0d8ff94d97d3f7acf4834cc9fd8e50d63674ffe5e7f668750bc0

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
49KB

MD5
f60e9d7fbbc259c9565dfd2a17922b3e

SHA1
f9f2109204dbeba43b13f35720bea5324ab437d0

SHA256
f61d4c3447a905bc53f2fef9aad57c32c1f9e9f245ac949e82fb1f3ca81821df

SHA512
f5c5a232c809c66463495e6992f2a0a5fb2c3af1a95c61ab16060045c35cfeba051e0d7b0214ced5c2d7f5e41a30b5ad494bd28da7d4b8154937197b6ba4b652

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
49KB

MD5
416016ae962fcc5278dd2dff429d0ac6

SHA1
d9e5dc50e736b60f2ced5cf2146f0844d90ce183

SHA256
6a97f531ce996e9cdd81eb306e60597b79eafdb0cc1f255c836d9158cbcc8100

SHA512
8959429dbabb8b4eb152c7797d3e9a860153335ededfbdb403b035b97362d08a9f241f2d75e33f3a2ef1f99eba3bab968f88ab57368f660681d3d7992d97a6b8

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
49KB

MD5
7c0cd22cd09f777cd15c076736e11b89

SHA1
0a8f0d6c7c78edf5c0c7a448ee0064b32041f044

SHA256
b1fa54981b82d10f4f2a83165f655358f9cbf2419ce686e9452406219f8c38a6

SHA512
047f53a8f66e1434e2537c0bf442bbe436453b343046d4346c4c7b6886524534ce360671a15050f6d27f27d5aabafd79ae3df9b718396ca5859699fb0b2a2cc4

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
49KB

MD5
e1b7df7941569477d48140799af9b54c

SHA1
2f8521a85f47874c1ac5ff1a13b3fa2b54de2dd6

SHA256
fd471e6f4fc675ec600722ad7b582496c24053f92331619f003516d2374a3978

SHA512
cce666b2e3d1b6842bf6d4dec4ddb8ffcdc037e547f9892c0ad5b174bfdc4f287aa606f8a5c8ed388049f9b76e24a1ae37556689a3b67fffdc86501d52f9df8d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
49KB

MD5
64d52ff94dc8501d369d93a81a044068

SHA1
5d32eed0d3accc37af58dd4ea99e9924f6fb0c06

SHA256
b477cfb1b5483ab53b19930a22236348cde04988099ff6decea5e3cfce8e4fc2

SHA512
61940236f69263b2bf14c0da9abe85bd0f6f6525dbd21f5c153c51a5a31720eed92ceb6a13d71804cf58e84b603d0c0a818b19e76dd7125660a927d3d95f5e8c

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
49KB

MD5
bb5174c9e58d3761e6ccb46adcdcd2f8

SHA1
95b7a7d8a1f2b16c4f25c620c0a84346c739bede

SHA256
3f3e3a8ca87f3c03df1f45fc404df2000f55f1bf5b6fc5386696bfe5720d1163

SHA512
5190f9d08373f620802def67a62568f6f6abf0f7ec9c82ca7b96771c682a4b4c25b179865a9a999b5395dc3ff36c00c8c2c69498358f775f3361ad5de9b06f01

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
49KB

MD5
f7f8916956c1af506d618bd631ca37dc

SHA1
64c939650eafe4f02369a66bca952f6d1e5c6707

SHA256
254bc351271b54d108b9cf9fa541033c2c89a8835221a2b4f4b083abd8c0e5b6

SHA512
d4fd9a3cbfee4c10e1612c15b56b49844a89134fc747946eaa443c1dfd217ddf7895f1cc6d32e0f6e9dd2e2593614007d5007c3acf7de8c3c2f4d27b735ae89e

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
49KB

MD5
8f35435957085335de8ac448d4e22baf

SHA1
d869ed463b97876e8c42ab933e803294f8c1e506

SHA256
a0aa165e1c283824ad1e433a7c43c47fea0062f7a7f308491f259383a9c5203d

SHA512
7cd3ec3b980fac9d06b065b4b0797740b7f17630bca88d217e644fba01eb19940581f04bc704d7cfba2c43fb5e6a53475dc12f6feb3d263c390a14b68dc026d7

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
49KB

MD5
e5f9f6012b35f7bc3471afdd7c8bf0e2

SHA1
656e66556aa16d4c2e8e9f50a79157d7f90bac4c

SHA256
08d4d683ccd3616af90de5a8fefe358e2f24d08a61ca2e0624561e481f9b93a1

SHA512
4c5a8053388c4c61555b4a01e17a5798c41b399f90cd8a231113e1292e37e41e5efe906ecef60eb0eaa1460bc21e289770f02686faa9a2c75b621f9b36f02ec5

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
49KB

MD5
51c8fdcf0bd46907daeed8feec5ae09e

SHA1
9fcd57e422e1b8f096cef7ee951df5707f55ac75

SHA256
373a95dfcc9aa9025f1855afea4fb4bc395a57eec7868550b4e2ab899e4b2f04

SHA512
90dc33f39a5a654db61172f74a680249285a99d181eb7901e6339f4f91e0e6fc9af1b2cd82b020d2a53b24169662587105d9ccdd4f6a1c61a30e07da23501701

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
49KB

MD5
63fec89c5c854c0dd403a41308ccfbd3

SHA1
016d00afdd07e2483ab3692ebfcb139e3ea484b5

SHA256
f14212d9b4db9fd522d3c32a8eaab4906cfe250d37a0efa2e9a1f95e1d7752ec

SHA512
6c38b2cbdcbb0132964b086e7767d22616a76fc98dd4f315e8b4f3a50074c95fe212db64cc3d8d5bba3cc62749541a3eb4050786193d715da92f18161a777ac0

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
49KB

MD5
92b45f04a0bedffa8175e28871c9f4ac

SHA1
b8b1261b56f9603a031d773aee312a80eb663d12

SHA256
62cbe8b57ee764870547247026356dfdda0ae7f6a58a8c0add327b7e5a7eca05

SHA512
45959319a778aec84d381bd85f2b352ec04dfbe1b1e09b52587b3dee1ad5b688ef6b1871b78f1ed9262e740441b591b86672d6cdcaad98d7904fdc8fe1ec945f

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
49KB

MD5
a5a4b6109a644944cc4fd3955475432b

SHA1
76cf15162943233e7feb3e190b874b67e31015fc

SHA256
88ff1aff47d16f3e430071e9437e77e0ceffd2073f1034b0506fea20c9e078b4

SHA512
34d110cfd5bec3e1c81d276cbfd8dabb236d20fcbd79102fe6e84100b338457528e5776d957f9c70ff002eac0e8321f44bc0c4f7cacb026da2e92a597904f325

Download Submit
memory/212-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/220-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/440-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/532-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/532-594-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-121-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/700-224-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/732-527-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/756-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/768-443-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/800-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/800-742-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/924-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/968-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/976-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1040-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1192-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1212-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1248-256-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1448-503-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1516-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1520-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-587-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1584-377-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1592-275-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1612-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1704-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1712-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1832-399-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1876-519-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1968-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2064-455-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-566-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-521-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2732-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2900-473-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2904-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3100-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3120-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3168-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3180-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3192-485-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3424-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3500-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3520-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3520-580-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3560-341-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3640-113-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3748-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3852-539-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3852-1-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/3852-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3856-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3916-371-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3956-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3968-511-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-556-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4072-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4088-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4204-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4316-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4356-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4364-538-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4568-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4604-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-573-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4700-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4836-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4888-467-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4896-497-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4936-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4968-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4984-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4984-559-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5100-299-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5116-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5152-540-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5204-546-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5244-557-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5288-560-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5340-567-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5384-574-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5428-581-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5472-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5828-646-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads