f33917552b0c5686bf869b3a9cad1c6de013546875407c09d4dc5e85d7f8f13e

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed67004646d20dd3973a4b3d6e782a20N.exe
Size

52KB
MD5

ed67004646d20dd3973a4b3d6e782a20
SHA1

a3daa3ee029b03a0ec4bb648287d32b643510b1d
SHA256

f33917552b0c5686bf869b3a9cad1c6de013546875407c09d4dc5e85d7f8f13e
SHA512

736c5b32c65e3257e1726eaa341c0695599cf57c7d55cd7f78abee015d473bf15c2a9445bca39b31ef3bd23b457f2ff4628ea147336e9940be3ef22180bf15ce
SSDEEP

768:C5MT94l4e4BO7YfwnoXu+MFz+OGxcw1b66DTMFn8V/1H5F/sfMABvKWe:wyml454YfwZTIHl6vn8PWMAdKZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed67004646d20dd3973a4b3d6e782a20N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe

Executes dropped EXE 64 IoCs

pid	Process
4348	Olkhmi32.exe
2388	Ocdqjceo.exe
1512	Onjegled.exe
3124	Olmeci32.exe
1920	Oddmdf32.exe
1296	Ofeilobp.exe
1876	Pmoahijl.exe
5036	Pdfjifjo.exe
3416	Pfhfan32.exe
2132	Pqmjog32.exe
4144	Pclgkb32.exe
2972	Pnakhkol.exe
4732	Pdkcde32.exe
716	Pflplnlg.exe
3164	Pmfhig32.exe
864	Pcppfaka.exe
4840	Pjjhbl32.exe
3620	Pmidog32.exe
5008	Pfaigm32.exe
1740	Qmkadgpo.exe
4248	Qgqeappe.exe
1036	Qnjnnj32.exe
5044	Qqijje32.exe
552	Qgcbgo32.exe
4328	Ajanck32.exe
4396	Ampkof32.exe
4292	Acjclpcf.exe
4320	Ajckij32.exe
3332	Ambgef32.exe
4164	Agglboim.exe
1960	Anadoi32.exe
4360	Aeklkchg.exe
516	Ajhddjfn.exe
3092	Andqdh32.exe
3424	Acqimo32.exe
4592	Ajkaii32.exe
4224	Aadifclh.exe
2028	Accfbokl.exe
4564	Bjmnoi32.exe
1452	Bebblb32.exe
2524	Bfdodjhm.exe
4780	Bmngqdpj.exe
1520	Beeoaapl.exe
1752	Bgcknmop.exe
1480	Bmpcfdmg.exe
3228	Beglgani.exe
4632	Bfhhoi32.exe
2592	Bmbplc32.exe
3216	Bhhdil32.exe
1244	Bnbmefbg.exe
1408	Bapiabak.exe
3592	Cfmajipb.exe
2404	Cndikf32.exe
2488	Cabfga32.exe
3440	Cdabcm32.exe
2740	Cfpnph32.exe
3640	Cnffqf32.exe
2420	Cmiflbel.exe
3616	Cdcoim32.exe
4872	Cfbkeh32.exe
2932	Cjmgfgdf.exe
1900	Cagobalc.exe
4812	Ceckcp32.exe
768	Cfdhkhjj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5264	5176	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed67004646d20dd3973a4b3d6e782a20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ed67004646d20dd3973a4b3d6e782a20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 4348	952	ed67004646d20dd3973a4b3d6e782a20N.exe	83
PID 952 wrote to memory of 4348	952	ed67004646d20dd3973a4b3d6e782a20N.exe	83
PID 952 wrote to memory of 4348	952	ed67004646d20dd3973a4b3d6e782a20N.exe	83
PID 4348 wrote to memory of 2388	4348	Olkhmi32.exe	84
PID 4348 wrote to memory of 2388	4348	Olkhmi32.exe	84
PID 4348 wrote to memory of 2388	4348	Olkhmi32.exe	84
PID 2388 wrote to memory of 1512	2388	Ocdqjceo.exe	85
PID 2388 wrote to memory of 1512	2388	Ocdqjceo.exe	85
PID 2388 wrote to memory of 1512	2388	Ocdqjceo.exe	85
PID 1512 wrote to memory of 3124	1512	Onjegled.exe	86
PID 1512 wrote to memory of 3124	1512	Onjegled.exe	86
PID 1512 wrote to memory of 3124	1512	Onjegled.exe	86
PID 3124 wrote to memory of 1920	3124	Olmeci32.exe	87
PID 3124 wrote to memory of 1920	3124	Olmeci32.exe	87
PID 3124 wrote to memory of 1920	3124	Olmeci32.exe	87
PID 1920 wrote to memory of 1296	1920	Oddmdf32.exe	88
PID 1920 wrote to memory of 1296	1920	Oddmdf32.exe	88
PID 1920 wrote to memory of 1296	1920	Oddmdf32.exe	88
PID 1296 wrote to memory of 1876	1296	Ofeilobp.exe	89
PID 1296 wrote to memory of 1876	1296	Ofeilobp.exe	89
PID 1296 wrote to memory of 1876	1296	Ofeilobp.exe	89
PID 1876 wrote to memory of 5036	1876	Pmoahijl.exe	90
PID 1876 wrote to memory of 5036	1876	Pmoahijl.exe	90
PID 1876 wrote to memory of 5036	1876	Pmoahijl.exe	90
PID 5036 wrote to memory of 3416	5036	Pdfjifjo.exe	91
PID 5036 wrote to memory of 3416	5036	Pdfjifjo.exe	91
PID 5036 wrote to memory of 3416	5036	Pdfjifjo.exe	91
PID 3416 wrote to memory of 2132	3416	Pfhfan32.exe	92
PID 3416 wrote to memory of 2132	3416	Pfhfan32.exe	92
PID 3416 wrote to memory of 2132	3416	Pfhfan32.exe	92
PID 2132 wrote to memory of 4144	2132	Pqmjog32.exe	94
PID 2132 wrote to memory of 4144	2132	Pqmjog32.exe	94
PID 2132 wrote to memory of 4144	2132	Pqmjog32.exe	94
PID 4144 wrote to memory of 2972	4144	Pclgkb32.exe	95
PID 4144 wrote to memory of 2972	4144	Pclgkb32.exe	95
PID 4144 wrote to memory of 2972	4144	Pclgkb32.exe	95
PID 2972 wrote to memory of 4732	2972	Pnakhkol.exe	96
PID 2972 wrote to memory of 4732	2972	Pnakhkol.exe	96
PID 2972 wrote to memory of 4732	2972	Pnakhkol.exe	96
PID 4732 wrote to memory of 716	4732	Pdkcde32.exe	97
PID 4732 wrote to memory of 716	4732	Pdkcde32.exe	97
PID 4732 wrote to memory of 716	4732	Pdkcde32.exe	97
PID 716 wrote to memory of 3164	716	Pflplnlg.exe	98
PID 716 wrote to memory of 3164	716	Pflplnlg.exe	98
PID 716 wrote to memory of 3164	716	Pflplnlg.exe	98
PID 3164 wrote to memory of 864	3164	Pmfhig32.exe	99
PID 3164 wrote to memory of 864	3164	Pmfhig32.exe	99
PID 3164 wrote to memory of 864	3164	Pmfhig32.exe	99
PID 864 wrote to memory of 4840	864	Pcppfaka.exe	101
PID 864 wrote to memory of 4840	864	Pcppfaka.exe	101
PID 864 wrote to memory of 4840	864	Pcppfaka.exe	101
PID 4840 wrote to memory of 3620	4840	Pjjhbl32.exe	102
PID 4840 wrote to memory of 3620	4840	Pjjhbl32.exe	102
PID 4840 wrote to memory of 3620	4840	Pjjhbl32.exe	102
PID 3620 wrote to memory of 5008	3620	Pmidog32.exe	103
PID 3620 wrote to memory of 5008	3620	Pmidog32.exe	103
PID 3620 wrote to memory of 5008	3620	Pmidog32.exe	103
PID 5008 wrote to memory of 1740	5008	Pfaigm32.exe	104
PID 5008 wrote to memory of 1740	5008	Pfaigm32.exe	104
PID 5008 wrote to memory of 1740	5008	Pfaigm32.exe	104
PID 1740 wrote to memory of 4248	1740	Qmkadgpo.exe	105
PID 1740 wrote to memory of 4248	1740	Qmkadgpo.exe	105
PID 1740 wrote to memory of 4248	1740	Qmkadgpo.exe	105
PID 4248 wrote to memory of 1036	4248	Qgqeappe.exe	106

C:\Users\Admin\AppData\Local\Temp\ed67004646d20dd3973a4b3d6e782a20N.exe
"C:\Users\Admin\AppData\Local\Temp\ed67004646d20dd3973a4b3d6e782a20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\Ocdqjceo.exe
    C:\Windows\system32\Ocdqjceo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\Onjegled.exe
      C:\Windows\system32\Onjegled.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        70⤵
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        90⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 404
        91⤵
        Program crash
        
        PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5176 -ip 5176
1⤵
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
52KB

MD5
28e96b0ccad308eb347dc75aa056f446

SHA1
ebd5011927ee8c1281cdc399bc8fa403b8f2fb95

SHA256
71604a94142f84f92d23f4915a89d56071e22a28750d843352152e3763624154

SHA512
2845f0b507d87c47273128968a27746c72ede93798886f1ec83eaf00fcf4680e7cca1cf03e11e061639aa2ded3cd4a3c9e1ccb41336ad9902bdf195963f3861e

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
52KB

MD5
ac8eddec205e6ff7eec91e98372d6274

SHA1
fb8a4b61596534063cef61ef7e06ee91a81ea45f

SHA256
3b4f95c42bd6d0f20c2fa3ef093232fb34b2c7b8a950788e9093a9a81764e1b8

SHA512
e21bae9bdf9f1b733af5339916f8222f78fcab8ad3446db920e476dcb065fd3d198c02daa06aea1f5c3475674da5ba0213d1f120277d93a2ba9cb0ed95f46278

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
52KB

MD5
73e0602e574d7be2f4a5c2fccf790fe2

SHA1
1192aeb2815861ae8684c2c58932fd7dd441a465

SHA256
4d8d00bad0d6ef01961f3fb8aa6459f5cb646660a114372fdd0a870d971ddd3f

SHA512
9452ac4bc2c8bcd584afa671252a2210237919406ee1b29f688fe514d7b66ad6a9d68a9afd5108b7dd02680c48f18d1ceaacb1a11f5ca766b5de1aee9d54aaf2

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
52KB

MD5
574f56b9735db853a8beffb611b29e88

SHA1
ac17e499e8b6b12a8f0181dd492af60e64f66d41

SHA256
af943d616e0ab34288d864bd4fca6c2731334e3138701f3bfed59e3e075d3f8b

SHA512
6a8220c702ad9abc91d6616e3b56fcbdb7d067b89ea071c8d0d1b74b4b00955aec9e439b193db89cf62be299093786dca2c9e92e2b2d564e71dd81c7b71539f0

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
52KB

MD5
460bd862c4c7cbcf56b0943c5ed2316a

SHA1
4ed00e3da9dd76be8c93e9ac3f459a2a35be925b

SHA256
299d8d4605c9c8a30ee6ad9cd3469176846e50a1d7f180271ce110417673f2da

SHA512
1f254f21623ed8d20dff609f4259b3539a1a7ef0069373fffe80f3a1de5c032f6ebe5abf925a6d00d88c3eeb9727a90bc1a02505caec22a79d9d8b47e79a0981

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
52KB

MD5
f9bb67e4e5174d796c9e489eebd30064

SHA1
4ab8886bdc00ce489424abf2469289caedc7ab13

SHA256
9ede216ab671c35c7e70521e63ce48d9338cdb640a1ed9447c7976c5c7e67743

SHA512
9f80f547dcd907659e8cbbd61fd108d2b1201fa09e9e8094027ab9c95e9b634b7d1cb555d967dc62faf4dd00cc5b8a249aa7ecf6e37e89d4a07c319872ea4ff1

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
52KB

MD5
d3053564bf7448aa47ea2a8502748587

SHA1
83b0cd4f01cf611fba3a89a3310d953cfc885896

SHA256
3c3cd74e7f4834d46d49a0b5d999f91c5367a1a64b2c1a71b5f3e77ffb2f07a6

SHA512
28382fceaa057f9e5ff2a2f4dd0e23b7d317b1dd22177aa9ddbbef7146d31b44a181a7e90c8286ae35db59402bac3dfef973f85a596ea0c1cf432be8b0943858

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
52KB

MD5
40e883c2741bfd227f7c93d8556e6444

SHA1
8dceee45c9030d2992fc52c2bd5addd8d2590bc4

SHA256
3bc7be96040c5e216e6c5e002e2fd0e5456cc0b361d029f119a50193e4989eac

SHA512
64ffd160134a91749d8448799697580e46355a015bdeb0b2e6fd0d2c3f11383a43e769592afbe7cb1c1e92a350cc9e641e55e3bf17b12af741e5f0c0a0a0e7a3

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
52KB

MD5
a1193bf2cc312237405d3bcbca292897

SHA1
9dc86e9d5d34e9c4bc2920e8013d3f79496cd96f

SHA256
68824819bfc33022b9a750d6b141e932ed6c4748398106ac24fd8f35182c90c9

SHA512
bcdb88cbc8925fe47c5ea563202c107e3db5e25215c72b2862129789ec9d41064a39aa3d6b552886889981465a91ab6aacea12e7f9c553f34619969929da8052

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
52KB

MD5
2d8b07d1ab92b2b2a21924aa2388bbad

SHA1
348ed8ee5340b8bf30830ff3d7ade8bac651c63b

SHA256
52339313e5b29ad828511a3174cc388ccc3af338918008dc24d4acc8b88ab7e5

SHA512
501ed2c422088ae0c05e66f50c4f9d9a881656a39dcffb672c57598d435bba14fc21084e567cdd7cd9565e74c142536bfc1dd1b65708a543cfaf7c284c9af65b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
52KB

MD5
d7695041d483f9e74e4b16a12c57a435

SHA1
dc8e638e35617a2b829e0f3c78aedf105d36fa35

SHA256
eb20e76aa77c4ab30cf85241e6b95550d3ff8d255e3abb8cfa2951c3cf8b73fa

SHA512
a614e08a2bb6b19eddd9d30c57bf93f4d03877211c82f8a6217be978e2c45d68ae0243d1b453e59a1545b50a380e6f99bf493eeb16a5f2757ff1bbde788fbb25

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
52KB

MD5
8d75c14b0118f771e61dc81ad57c2b9e

SHA1
b0b1f2bee544a03854780c09db420b1b75fec4a8

SHA256
7e63645408168a3ad89a85fa14cff5dbb765589081a50b3ea2f7540ce5c9a9a7

SHA512
57633dc9184a2ccad8221d1a9a985b6652dc25e584b8aeea533047e9309479f4e48fb36cc3e20970a26bf1d3c81213ec8bc6c53ace32c360e504d9457871499f

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
52KB

MD5
acabeb3658c5de7f599d1eaccc5787ca

SHA1
8931407a8fddd1fa23096345e25ad716023a7f5f

SHA256
e40c5b21361b1f74442c717bd76ffd4de307d6296c08daea8a8091de453138dd

SHA512
72d77dda08950574aa678f730c0ca2f4931ec9da227d3b72f1f16115e74ddeb43f24b5da56675c493753924fd52089690091c54c51e86a60decc5844fa23dfc3

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
52KB

MD5
5fa06c03e0527a60b3866ad887e9899f

SHA1
c6fc2d2f72d2fefec2819dc58845c1030d13ff65

SHA256
51d4775b143ee64a61c020e2c359fe5d6a31e32f8ff3495cd16375bdd286ccda

SHA512
f86a5f4d05ed0a947bc4c690b4d32760c438b23b3011122c4ee99b5b814fd6306c237ea2cf90cda8f6ad2393913885b49ce2d11a447f67daec03d021217a0ce0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
52KB

MD5
6873736f4b09a81a3aa25d39868c2d8e

SHA1
9dcefefe0dfd599df23b2622db584e98e7a2a6b7

SHA256
a53e72d56548ddd4abb79fe1f9571f5337317755829b2b735f00db81c36d46af

SHA512
7514b4cec7fdfd488e65f21abd1fc7b01ce244b87bf1fbcc04a618ca7a989d8137ff2bb5b45c83801ca634200ce5e94ef35f7f47a1e3dfddbf04556bade2d0c4

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
52KB

MD5
4ceb00966d54470098acc1c4eba9c933

SHA1
9b229bbcfb3c9c354829c855db4cbe36a69751ed

SHA256
35b2f56429d5c60ad4e899c0b09191ca2027c681ef5a48f9e85e6b90f8dc8d08

SHA512
f931d11f70bc96e273ab77fea7b937534b589e9267ff03554e62fc2efdb23f12d0cb949ad1ed97759910600f7ca91a5efcf3af9aba7e512315b6c76a3efcf736

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
52KB

MD5
8377d418bcb3bcc9619503bcc5784c47

SHA1
ae9bec1d6a60011ae7e7051bb42ca944118e25a2

SHA256
6b668b6fb4242e3de8a97993d437abd439c62f3925fe9c1d8684c9b85830a5e4

SHA512
847c3f2763dca4fe9a83721a9841c87077170b7c99c531d7b49d5ab2769317629bd153400ef36e3ca31832fcf457ce842cc8a215fa42d7f02bb783b8daf35ddb

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
52KB

MD5
81a85b83418e4a4060db55732fa3e0d8

SHA1
65f2c266792f825b2b437af18a01c5c570b5cfcf

SHA256
4e25c7701dbd21b51d43af14ed59fa2b0cd8c489c67b0eea59797b2a3e8b6d15

SHA512
1b24a62f4d17b18ad850afa71889c28cbbb6ca39888b9d71117df90a3de0f7ade0dff703c7c37e265d642a3155e3d706f54abcd2673093497e0499aa9827aabc

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
52KB

MD5
c2e4ecf6fffa2e293432cbde3f3849ff

SHA1
bedcc3d44815ebae5355a0afeaa0b2156a75430b

SHA256
de6ae0059bbdcd3bd95ddd7ada64ba1c25fa6b0fb090ca8a62d93d4342dbe61d

SHA512
ca8a6e6ece99cc1a316a92cbabd1c08f498091c46cef5116953ae5e6ff3da94a6c704eb5453b2f31eb9c42cdf2ab9b7b8af103cf004ae1a0d6fd51ec10975a1e

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
52KB

MD5
f91ddd7dbb7e20e4193a3bc27f13662e

SHA1
d92c84f064e6f13dd8e960b2e8a01dc4ea7e882d

SHA256
5b071bf67f2a2b56f7031e0d07af55ba6bfc987e4d138a0e7d0777740d8043a5

SHA512
c0a862a4bd5b294cbb85c142a762d5b29ea34eb3fbf60206d906c02a72c8a1d7ecd3cb7d36d920c93d86db16e1060b3261f8fa7565f36c2974ed6627f489f7a0

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
52KB

MD5
3b5e3106ee3db8d289a6cfb603e50432

SHA1
45165f824b25d6ccca356998282601da8f409dd1

SHA256
3dcf7dcc4bef91c7c815c08690f39e8903a3bb5cbe0ee1c54635780fa687de77

SHA512
af8739a60d31e9a436ae3d371df62acff380334a6fd0208bab2ef7b039b392842a1a9cd0d1348ee98c3c2289f3d1df576c056d8d806cee04130c9289ea395820

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
52KB

MD5
2935a48a75ca4bf3f5fe16eb6ccc004a

SHA1
348de4017b64d0f7c9498c8bc75d57d57ed29749

SHA256
15426f8401e816a44c96f5c8ce141a26fac52bd5f4fca27193703d6e739405e4

SHA512
a0b9577402855e188f0bab2f79df9a53da558219996f5c27f9d6f612439a7b5976fd88c7aa0d4aa6fcdbde9bb933888996566a6213e0ee5db791118620d48496

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
52KB

MD5
17a452205c8199b18cfba918d36fbb8d

SHA1
29721e53edcb0182ad35ecb3c17c93b4ee45c6b7

SHA256
ab83a44adc2689e5734255566bbea3720e4db21e5bd99eb182a2030a01730da6

SHA512
91c1c73026dd7635a5c3a4ea26e9ca1daf8949c395a6a7dc7b60b0eae69537c7828aa3f026c908b426133b6d49f7d7ad841bf717d99b7a8f589ac23f84661946

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
52KB

MD5
17681ced6a3bc7c63489c003158fc1b0

SHA1
963cecc847cf8fc7ba2ca02254f4434809bedb11

SHA256
fdd27feef5cdd0f6bb582b5e9596b94f5e39196763d68568277188a289627854

SHA512
faaf79a56729982e263a4fa8cd795cc9805778c5df9301812ee0e4284d75a4cc2082cd659c52c376fbb42f64a4fa42238c2160bd65fa9a4da68c8a79122ebb25

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
52KB

MD5
0ecf38f11ff03d0dade27bac96a8d982

SHA1
a42dbf558bf3de3a476027a3d54120a8f380c5f8

SHA256
72c22201779946a435801407a1481ef1391e0c81d45344bc35f42fd0a0a871c1

SHA512
b932bee2f9c22d13ac79f2708ac12b04c10806b00af00f061f083b543fdb95a08671769a9ad242d741d173639d839998d749141ca041b10b9f66a2f6e39b6f5c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
52KB

MD5
e4d2421cf9bbdce48e463d6762556046

SHA1
63a67cc2c00b2b885366f32b2059b0b6ac8686e8

SHA256
8bf6b575a0213afa6b5de51dfdc7fe92503a3b3f2c0e8d5bfd7e596ed5e557a8

SHA512
7af91affff23e9a5baa207b17921475fb9fce7cfb4f5482f1aa61731d484c03674a65c3b936a89def38aa2a4dd8be42e9d43a6a0c49554e377b4ea0a7de75f04

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
52KB

MD5
f9478b9f788896da64ff2b62b2982c55

SHA1
f480c9908bb0798ec3111cc80685910c5fba11b9

SHA256
16617ed7e294f687ad667e1b7aa3a9aa7719e839a80a58f5ac099418a7b8145c

SHA512
49cbcaca5a71d9ee0044c7f3135470c510f86b811eb4d4e466c1b8d81f65eaa940c9ca636b5c32903b152b61dfa3ffdffc4b18ee032fa4abb16767f0fae22232

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
52KB

MD5
5be536147746925c458f57a23faf9585

SHA1
7b1dfbe89a849feaebd869caa222b2af514386bc

SHA256
403e9d2f347b52c2dffd993c6f64cd8924632d2211a28e91f4edba29dc30de83

SHA512
92d0606b6b89bedbb452ac7382215ed3ea80cdf193ed80e53eb2f8fe44d231b561d3cf54d045386036fe42bd13cd60244473c744721fbba70e169952a8eb9641

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
52KB

MD5
8ae9dcd9a2620076e9142980bc63d770

SHA1
cc0ed78fed195df39559b36066c25233b9a11f4d

SHA256
1137442640bc36ece14c81906c693b1708db1c25d009cefdeb38a0ca15d04a29

SHA512
e3a69c0e35291afb1eae2050ce49a1c90d4289f2a424f7b99195cf51bc90cc76c8512c221711a2ffb2d65d1c2aee1fe24edced57de29fbb1b32dd95bde2912dc

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
52KB

MD5
5a6e06fd44fece9446e04c5dcf4f27e4

SHA1
8c01423572c2c54910cfaa2248fae8a713a76d51

SHA256
98f601f26fe272e03f7abc9919ea5966328c8ca3bdf6d920b7c741fc47448a83

SHA512
37351f61d0c7b77b443e36b3bc7aa778c79f8894a35b357a5f20cc2daff037c8440d07a8094bea126751b6e135b788f3122170d3692aee10bcf15a0a2dbf3b61

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
52KB

MD5
ff18fad0ac9720b91580aaddd4ef6e85

SHA1
a769a10ff9392e4599729ea852caf3f39e26cb6a

SHA256
701750cf8d600b5181a2cffe9bc0b2779383e5fcb4f5b563108abb26ca0dc935

SHA512
1fd57004be4fbb1e1c69fb6e438874c1e8538c15b67d9cc85de00803b3eee74a57c3280aba0ed1001d71bb9ffa6e128696b5635622a2af60a609835fccafe905

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
52KB

MD5
f2e053e1fd576768ea38e66547a9d1f3

SHA1
be1cb06e6a1472994e5a5ee0c98abf4fc823a4da

SHA256
5c97b6a97df2bb4477836b7959ec4c691b479073a76fe7c056c5ba81a5abbb0d

SHA512
3b3d471d35f25a2027a88447f852b946b817364250473d9577f90299a362fefb40ef3111a0a2e0fdab17ef6d340de4f13bc28e974600172a532bffafc4740597

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
52KB

MD5
f18852091c600cfe70c688cd63f6a4d7

SHA1
545793c0f844cd5b53b11bf382be596c12c8fe2a

SHA256
61d1114fc98615578438b360d18e9e2cb620e148bd4528d1d49777330354af3c

SHA512
a661fa05ac6155b56c28088ed2716ba3d8cb7151aa832abdd04e92d624ad93b814f4fdba6c0be91681d5f0b2eb037a948d4c18efde2627d500444d95330a388b

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
52KB

MD5
4eef0be90c5b5c5e9d9d3b11bbc1dca0

SHA1
06a1217ff49dd84107238bcb51b9443506108f3b

SHA256
42667acb08792f2195feef15d95edd0ce8d1c63ac36e095173722b7b2d9ea89a

SHA512
01b171a8416c51003db1bf2105cecf212948400e92fd0a642b81e5aaf820e345d16447bfdaf7f3cb6872260a3cb6d21a84889707e295d925f4e865adee174815

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
52KB

MD5
eb9ff590b512a46d0fc6c9529c043e7c

SHA1
b3335da557f3740b36b3d000c89a7013f026fb4f

SHA256
4668e56c052d38e9643f6e84219de5ba1d2a5b994903be8e5e3bd4f3dee64de3

SHA512
dc5b49ab64296cc25fba65264cc3dfbd7f146c9130b542d445d56f29e7bb0722f6dd023b961a0b2d0a34088d3db1b40d0cca198e49f436d3fe30133b353aa110

Download Submit
memory/516-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1244-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4164-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4164-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads