e2074cfeeef1ed7ca186771195537736535b952c7ce90c54443568d60270ff86

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bacf51602797c96c59fe400fc4db3c0N.exe
Size

94KB
MD5

3bacf51602797c96c59fe400fc4db3c0
SHA1

e0bf8dd4cf28edb2c4c9045c9027d8371f0f6270
SHA256

e2074cfeeef1ed7ca186771195537736535b952c7ce90c54443568d60270ff86
SHA512

968a5918db8dfa4961c1124af7add0b730d12d38e1b459f62694e40a97697bfefc66462e5d4d30204f0bb8319cf24849104d72385f27859f260074486cff02dd
SSDEEP

1536:eRr3pvZbMpC9WwF8mSdF5HUj3elowLLi17BR9L4DT2EnINs:MZhIAF+dFRUjXwvi16+ob

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe

Executes dropped EXE 64 IoCs

pid	Process
3296	Njqmepik.exe
1532	Ndfqbhia.exe
876	Ngdmod32.exe
4752	Nnneknob.exe
4304	Ndhmhh32.exe
3620	Nggjdc32.exe
3548	Njefqo32.exe
1432	Oponmilc.exe
4836	Oflgep32.exe
4184	Olfobjbg.exe
5032	Odmgcgbi.exe
4152	Ogkcpbam.exe
5056	Odocigqg.exe
4524	Ognpebpj.exe
3592	Ojllan32.exe
880	Ocdqjceo.exe
916	Ogpmjb32.exe
3168	Olmeci32.exe
2128	Oqhacgdh.exe
2032	Ogbipa32.exe
2228	Pnlaml32.exe
812	Pdfjifjo.exe
436	Pgefeajb.exe
1636	Pmannhhj.exe
4604	Pclgkb32.exe
1780	Pnakhkol.exe
2084	Pmdkch32.exe
1596	Pcncpbmd.exe
3768	Pjhlml32.exe
1304	Pqbdjfln.exe
3308	Pcppfaka.exe
4756	Pfolbmje.exe
4412	Pmidog32.exe
2848	Pdpmpdbd.exe
1640	Pcbmka32.exe
2036	Pfaigm32.exe
3736	Qmkadgpo.exe
4280	Qqfmde32.exe
4232	Qgqeappe.exe
2040	Qjoankoi.exe
2880	Qnjnnj32.exe
4700	Qddfkd32.exe
2972	Qgcbgo32.exe
3076	Ajanck32.exe
3828	Ampkof32.exe
1896	Aqkgpedc.exe
5040	Acjclpcf.exe
4080	Ajckij32.exe
2888	Anogiicl.exe
2668	Aeiofcji.exe
4640	Agglboim.exe
3528	Ajfhnjhq.exe
4464	Anadoi32.exe
2288	Aqppkd32.exe
3964	Afmhck32.exe
1884	Ajhddjfn.exe
4516	Aabmqd32.exe
2784	Acqimo32.exe
3824	Ajkaii32.exe
4792	Aepefb32.exe
1972	Bjmnoi32.exe
4660	Bebblb32.exe
4484	Bfdodjhm.exe
4288	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5684	5488	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bacf51602797c96c59fe400fc4db3c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3296	2252	3bacf51602797c96c59fe400fc4db3c0N.exe	83
PID 2252 wrote to memory of 3296	2252	3bacf51602797c96c59fe400fc4db3c0N.exe	83
PID 2252 wrote to memory of 3296	2252	3bacf51602797c96c59fe400fc4db3c0N.exe	83
PID 3296 wrote to memory of 1532	3296	Njqmepik.exe	84
PID 3296 wrote to memory of 1532	3296	Njqmepik.exe	84
PID 3296 wrote to memory of 1532	3296	Njqmepik.exe	84
PID 1532 wrote to memory of 876	1532	Ndfqbhia.exe	85
PID 1532 wrote to memory of 876	1532	Ndfqbhia.exe	85
PID 1532 wrote to memory of 876	1532	Ndfqbhia.exe	85
PID 876 wrote to memory of 4752	876	Ngdmod32.exe	86
PID 876 wrote to memory of 4752	876	Ngdmod32.exe	86
PID 876 wrote to memory of 4752	876	Ngdmod32.exe	86
PID 4752 wrote to memory of 4304	4752	Nnneknob.exe	87
PID 4752 wrote to memory of 4304	4752	Nnneknob.exe	87
PID 4752 wrote to memory of 4304	4752	Nnneknob.exe	87
PID 4304 wrote to memory of 3620	4304	Ndhmhh32.exe	88
PID 4304 wrote to memory of 3620	4304	Ndhmhh32.exe	88
PID 4304 wrote to memory of 3620	4304	Ndhmhh32.exe	88
PID 3620 wrote to memory of 3548	3620	Nggjdc32.exe	89
PID 3620 wrote to memory of 3548	3620	Nggjdc32.exe	89
PID 3620 wrote to memory of 3548	3620	Nggjdc32.exe	89
PID 3548 wrote to memory of 1432	3548	Njefqo32.exe	91
PID 3548 wrote to memory of 1432	3548	Njefqo32.exe	91
PID 3548 wrote to memory of 1432	3548	Njefqo32.exe	91
PID 1432 wrote to memory of 4836	1432	Oponmilc.exe	92
PID 1432 wrote to memory of 4836	1432	Oponmilc.exe	92
PID 1432 wrote to memory of 4836	1432	Oponmilc.exe	92
PID 4836 wrote to memory of 4184	4836	Oflgep32.exe	93
PID 4836 wrote to memory of 4184	4836	Oflgep32.exe	93
PID 4836 wrote to memory of 4184	4836	Oflgep32.exe	93
PID 4184 wrote to memory of 5032	4184	Olfobjbg.exe	94
PID 4184 wrote to memory of 5032	4184	Olfobjbg.exe	94
PID 4184 wrote to memory of 5032	4184	Olfobjbg.exe	94
PID 5032 wrote to memory of 4152	5032	Odmgcgbi.exe	95
PID 5032 wrote to memory of 4152	5032	Odmgcgbi.exe	95
PID 5032 wrote to memory of 4152	5032	Odmgcgbi.exe	95
PID 4152 wrote to memory of 5056	4152	Ogkcpbam.exe	96
PID 4152 wrote to memory of 5056	4152	Ogkcpbam.exe	96
PID 4152 wrote to memory of 5056	4152	Ogkcpbam.exe	96
PID 5056 wrote to memory of 4524	5056	Odocigqg.exe	97
PID 5056 wrote to memory of 4524	5056	Odocigqg.exe	97
PID 5056 wrote to memory of 4524	5056	Odocigqg.exe	97
PID 4524 wrote to memory of 3592	4524	Ognpebpj.exe	98
PID 4524 wrote to memory of 3592	4524	Ognpebpj.exe	98
PID 4524 wrote to memory of 3592	4524	Ognpebpj.exe	98
PID 3592 wrote to memory of 880	3592	Ojllan32.exe	100
PID 3592 wrote to memory of 880	3592	Ojllan32.exe	100
PID 3592 wrote to memory of 880	3592	Ojllan32.exe	100
PID 880 wrote to memory of 916	880	Ocdqjceo.exe	101
PID 880 wrote to memory of 916	880	Ocdqjceo.exe	101
PID 880 wrote to memory of 916	880	Ocdqjceo.exe	101
PID 916 wrote to memory of 3168	916	Ogpmjb32.exe	102
PID 916 wrote to memory of 3168	916	Ogpmjb32.exe	102
PID 916 wrote to memory of 3168	916	Ogpmjb32.exe	102
PID 3168 wrote to memory of 2128	3168	Olmeci32.exe	103
PID 3168 wrote to memory of 2128	3168	Olmeci32.exe	103
PID 3168 wrote to memory of 2128	3168	Olmeci32.exe	103
PID 2128 wrote to memory of 2032	2128	Oqhacgdh.exe	104
PID 2128 wrote to memory of 2032	2128	Oqhacgdh.exe	104
PID 2128 wrote to memory of 2032	2128	Oqhacgdh.exe	104
PID 2032 wrote to memory of 2228	2032	Ogbipa32.exe	105
PID 2032 wrote to memory of 2228	2032	Ogbipa32.exe	105
PID 2032 wrote to memory of 2228	2032	Ogbipa32.exe	105
PID 2228 wrote to memory of 812	2228	Pnlaml32.exe	106

C:\Users\Admin\AppData\Local\Temp\3bacf51602797c96c59fe400fc4db3c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3bacf51602797c96c59fe400fc4db3c0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\Ndfqbhia.exe
    C:\Windows\system32\Ndfqbhia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        34⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        62⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        67⤵
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        77⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        82⤵
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        110⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        111⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 408
        112⤵
        Program crash
        
        PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5488 -ip 5488
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
94KB

MD5
6f89f63b2de1a7bbb123865fd062b6b2

SHA1
9a06321c9c479d7cfdb904c706bdd97e9622617e

SHA256
8fb1bbaa86e9f04dc797dcb6ba8eadf249a7dd5ea534b50a63a6e5d58ea5662d

SHA512
1ffbcd7d56455ac2cae894cbd005ae022f6521ddc7b7660cb85c09bd0870e9e57cf45c662985250e35f9a746ab5cc160719d0e41e4f0a707b8cb8dfd6a96507e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
94KB

MD5
355eae2dfce5c50df4f2b4a7f2a37649

SHA1
f141fa31ac017d18d32e9423d2953ab2e42be29b

SHA256
f16a5d807fd0386b7faa9bb45899835875af6564e4f2a39f6c8ac667430823f4

SHA512
bae1d525357bd389411e1be8e7b49999390485876cbcb97da9c62e53f30b829460b935b1cf633b7cfb634e8c0936960c69caca9356de5dcf3d16d8dfef65fcaa

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
94KB

MD5
e49d2b244d20116c7208c49b317e777a

SHA1
966a17cb45bc74558ae7a5dbbad5aed3c7c27b97

SHA256
7eaf4f32eac8a56e8b803e936e2c86cd91f34f92662560601907a6bad41a737c

SHA512
d23a9fad44b976cce151b84bfed9b91248f1821e83dacecca2df7d9ced57d8cf38106ccd571658958b8a984bc6c0b2ec414016c92c5f6ad2157f64fe6925557f

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
94KB

MD5
d168c90a98983a96837c910a02a83d4e

SHA1
11ecdc2eb023cf08379f8299d84c360706d3eaf2

SHA256
f6bfef26a6443b38cc7b4315eea6a4dbbc7a1cf0cc8d7d963ec703c64c38a8bf

SHA512
efed6325e9c8c012c049897941678075e2a503902e8e5970e531c9eb7202b2d1fbca4b9326739bc6101c807a680271e15869848afb9bef587a44a99f04e17c80

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
94KB

MD5
e407fbf6461218c7a61f2ac50fcb8a97

SHA1
991bdb9e46314d768e98e551dc8889220332e733

SHA256
3c22ca1f14b2b913e03d8353c22407e07b08a53b62a74c0e4c54d52b0b05fca7

SHA512
f6ae09b0c741ca135de5ff2f1770bad014d827cfb247d2fe862a5f4b2944e57436fe00393c8e73d182c196cb8f328a4d81e879866609b1405592b85e6ba4a957

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
94KB

MD5
06ad6ee3b6dd8d2e5141ca81f6edf081

SHA1
c017e2d72b528da56555f17a1d4398c1f5644f20

SHA256
2bcd777607297fc32c670c570c3a9d308fa69dcb26885d0456e25cb53846b21a

SHA512
7956fd4b42175bbd6fb8c1ac53e28611a444f78e6103b80a5dfe958de7c11c742188fd7e96d52745b75dc5f237d6b51d440a325c6cb6f0596e4a136529592828

Download Submit
C:\Windows\SysWOW64\Fjegoh32.dll

Filesize
7KB

MD5
791902e7058f966d4cf9c07956a4fb3b

SHA1
1038eae1c73c9392ec941459bf632e370b4655d4

SHA256
a34254cf4dcfdfb636af3ab217926faf08c8956a16405584ecb5dc719444c3b4

SHA512
593346747cc71acf34e18bf659e9be49b93b90f7b5fee363d3186b224f0b163880ce3866b682ca64fba3384ffbeb81c077ad1a777ac6e6f3934fa63f8ae32736

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
94KB

MD5
acbd52b09d8b29cc790412faf0057877

SHA1
f95f3029fca9f2788869602e346b1402bc969148

SHA256
b01cae65fef2209ff130c9820f2a45073badc6ceb087c883bb938befadd5d9d5

SHA512
453809436106f03c2a5a3c3a9e04ac949d19027a22ec91238932207d0edde687b26e831412af289adec5e25107ed1052e830d4a20a09f59332782b6a667cb0d2

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
94KB

MD5
bd96c6f3d726ce7ed7ee03cbe8dc4f32

SHA1
257d7c15f379bcdcf19669a576ea827f8233ece8

SHA256
e929a7f277906ec7e5720e282f83cbd4a05374d55f7da403171179d959a4b5e4

SHA512
b557999b6f288093deaf247487d7f1c10b6879c426428c557145512466e117e8fb7bc0b5f512c6bc80254d5d3b435b9b66012c62bf8811402ef115c47ded2f5d

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
94KB

MD5
cb88fd7e0a57cfe4a415ba7adff153b8

SHA1
730252d7edbca7bfc71d685e2ab22e31b93cb097

SHA256
148ffead11f9a83e326d76dfef325ef8bd6f124eeac6856b97d93a434660c791

SHA512
1dc9a82ad2038b63ebde61c924dd98068428eb9a01f5ee99360faeffdea9aba4b96ce3e34512f7d066a74d77a54bdcb38f18c7acd080a8f43317b0d2be43636f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
94KB

MD5
c91bd4a4509631c4069c734849c99179

SHA1
82f1046516d097594fca12c5a941a007f919ff40

SHA256
6419e989d4c335b290a63bce1a6fc63c87654bb560e3e9280022f8d0ccaeb9b7

SHA512
ba03bffed082a57b32adbf860278a4640a155f4891b4c40372ddf2a7881a7d5199de0dc3cfc108906509ced205ce179fd3212d529462ce3ea0f1ff5a96eae44a

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
94KB

MD5
f61e282d8650a295729da9d7a85ad21b

SHA1
1b2c95a27a773d23cf55f5ba137739643510d963

SHA256
d12ef06dd68b20885f7dafad3dfaea0cc29b65dbfbf43691732cc2832328c8a3

SHA512
fbb244386e0924c85c66e2ec17e9810a85c7c52b1812e40e39ed2bbfe9cfea34ca7079edd35197cf9240f220cedf1315fe132785cc4323fd88d14cc4f829574e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
94KB

MD5
885f2fdc5ae376326120ff0391975a3c

SHA1
cbfd4fef1bd820b14b69d5d0db13bfc564cefa08

SHA256
9388032d74b4b431dbfd9d8add2753c9e70c0e18573bbdba86afba75d5203dd2

SHA512
18f7186eb88d2261a88e5812710848d7ee40ccf25648d336af3520be5ed4b3258266d3e448a0d752e0c73c1962abcdd0e5e2cb7992fc1978831fa7295c0aa2a0

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
94KB

MD5
5486a4c5a35ebfa546d50cc1d56a5df5

SHA1
237bc83f2af977649068baf3ef94ffd6efd915de

SHA256
20999eae2675cbf373fefc9948265f513acac8534a330f06a0ce193cdec1ef38

SHA512
6e8a0399b517ef988f43479b95476a4dbcd5916a56381a8c38d91b1d0dbf1a1c7fd500941181ca615b9144283a5fbfecc2077046905c9222a9e3519dbcce1c2d

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
94KB

MD5
83c1ea4232c53f54655aca6a064d21a6

SHA1
242235d505b2d0729837311381cc1d4d87308c6d

SHA256
88a4d4ee98998cb21a2754dcae7ec35249e91fa09bab7e5fc9013a8cba40c0ab

SHA512
58536b6ac4daa096f88e366d55cdd7e0e67555f0f7dfaaef51aef1a0dd6f3268dd865e8fe8a1c40cd01b0de8504b05657f5798d9ae039f3fd3741d771003997e

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
94KB

MD5
e6ce6200529a34090dd7ce65007234e0

SHA1
6f923e2fd0a72ab05ce4bf83147cb093ca22f0a3

SHA256
294b260f77768d09dfbbaf79d7ac54de5729a6cd6bec3829267ea46ad22c2d7f

SHA512
a1827e9012d15a342ddd6553fba3dbd59661a7d7f2a1598056c7d5a924fe2d1e054889b5de94360e032fc0d352fbffa6cb47ae5ab39a23452492c9e6209cfae1

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
94KB

MD5
f41fa077522d20040ea9091a2c2726d7

SHA1
0bf1673ddd34ea3e8e61847a127c3fe78fe608ea

SHA256
f76082458721c467bdddaf886b677421a8407a9cb04db941a7e19cf8c7de6841

SHA512
df4505f94b705f5ed8b7cca86e9899e9ea1030588d4f79b7cd40f9fc33a4a12c59fee4769fdcde88c41bd402531448b3ef1893139a35a9b22dd6a8da6bd7da74

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
94KB

MD5
a171031c9ecdabfcfa1b2f0734413232

SHA1
46e46d03b9b9afe3ee9f616941d0411f98229246

SHA256
d66179c3985fc1980964a36a1527fe9e8bdff03257febad50140c18a03298190

SHA512
6d114d11827079d480e58468e9050995e067bde156abacb9faf8082cca60f1c8190fe636e78baeae4bdc8da499434181bd59832d9dee5208715e0c0d46fc448f

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
94KB

MD5
81ba990c10d1fe8287d58fa1ef04e2ba

SHA1
c412829a53f38a913db3e7ae194aa13b90e842c4

SHA256
ba495f2280c499d276fe16791bdcc663044e38f040f7a13cb233b0b495de5d88

SHA512
a37155648bf8e9293769d444dd2f87de1754de69870d846a52980aba8c4c1a18e04130176455b146e8768163fa7cc2984a5a8d0049a38c3be5033ae89d841b30

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
94KB

MD5
b2a594f2b33e621d802dee4929766a1b

SHA1
eb0ce71db59fc037b7f528d6f4996e0fc8fc973d

SHA256
ac929ff37af3bb2dabacad834cd54bd6a9eb41aab92d2ad37647e6f6bf73378b

SHA512
99b74a615d5b11434418e5e466b38fe7579a4c62ca662779645806f2dff42da09d90fa3fead8ae772a428daaef14ac577a09a8ac5da050e9fb279c9b0d993e62

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
94KB

MD5
1c14aafb6ea51402d62f3b0b3acacf9d

SHA1
d313089f4894d26f33327f46c09a9234377de965

SHA256
fdc9c372b3dd75554965f5c8d0b7c1cb669e8bd8fca58cbe892e58eff83ca02b

SHA512
d445b424e25a50e131869a968c7b7932f00345b60a51f9cc09bc445783b2e9db8e178ec24951f083a4a47533bf11297d70cba5ef234b2b9889d5deaa10ab7075

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
94KB

MD5
a966988ad91a8e5c873dfcd130fe6869

SHA1
5d86626ea1b35dcb9dd11c3c8e780e0cb33c8f60

SHA256
a1f5ed2f97e13203233daa3345748e3b5801a4e4e134062b11dcc3328484a8bc

SHA512
066c6185c07523c02b8c8c08b2e22d9b121802b4e97f88545869ca03e1bec60232f02176e65e0735b088634681412542c07021841b3815de41773dfd38f61877

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
94KB

MD5
7e14bc8cfacfd4e0c648ae52aeeb55c1

SHA1
6c1b778f48bc0b22bcad84ea7ab60aee32cfcadf

SHA256
543063b22f0c1bb35aeb1cff20d69a228b8d6493ec4346b0a10e2eba8f063055

SHA512
75c6a449a8a7c68591f73576af3bfd2b31a88bfb5169dc17733682571dbfb441ad1c05fb9da2a767d057f5384cd108e3635c85e5d4c1eecae883257ee6f35384

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
94KB

MD5
e13d79e3ed5cf9427423540c10851afe

SHA1
2826d9ba934009cd5f1078674cbeaf70bfee5e73

SHA256
432cc62fb593a5677b424260199677b34d373587a8be23b6d4e3511f89b212ab

SHA512
65f3ba02f739eab44f0c7f86992581dc49316a158eca26246d16969b9525b1162669c73499937fa55d676140e50c3514e707c2641e6c5e26177698ad62658c70

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
94KB

MD5
f047acf825540c9bcc64477578614321

SHA1
c51fc5c0bfc1e0d2d5a7dae0807b17d2fd793b56

SHA256
3e71349a200c45ee0ae6dd0d7523f1e47ebdfafdff58a0d9739490caf940fd85

SHA512
12d51096780e0ce061ea0b45bfadd3de4f4830d022f84530f3f1bdedca39b01e3c202d87e2fc71c5b2b7f6b55f0689b8810414d40cb5274becedd3c8ca9da222

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
94KB

MD5
64c7c456b767b60b26893ecf0b177ee5

SHA1
ff2e9aa0a651c976897e95a911ac9a091f519fa1

SHA256
83ce678ab61edc94e46526bdc028ffbb02f2fa2dab60555cf19420d11c5a4e05

SHA512
be3d123d847cef0da9a21ea1fb02994049038fb4dd1a1a539b65b659fe55983bac6e1e7021b0d3f386c5a0ba1d0d59ae5d0682a92b80a15ddfe4d56af9969684

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
94KB

MD5
437fa6aeeca2ef758e6d5d9493beb955

SHA1
624cca0247bf80687aaab82618cea4e8ecd39bb0

SHA256
34e949003e7d1bbbcf73b5f8a5678dce3faca5db34aacb5ce88b534a80118f06

SHA512
bc7b3e3d1988f3da1d3854ad1177d3c306e43512acf0ad20d9e820a5d1f069f49a4c214d344b9b1ea4e9abcd8cacd2e40bc9d747a938a42dc34fb7364dd62e32

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
94KB

MD5
3317382e8e1512349e5c308ed3aa330d

SHA1
d245b976fbaf76cbcec4d576eeb64e7ba5c98c5c

SHA256
d30006896024fcd9c4daab356c1f1568d5f02f34f91802a8faf7ccf1e63dbb77

SHA512
12f95d2177af3dd4afc185daa4befebc0c557114d0ebd5bab9e50ef110c9ea7037e56a5ac8ea31ce1fdf1bd2290aa2f55a44313081309fb02a6e1566b933e088

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
94KB

MD5
186fbd139a93d94c8cc75ae3796c34da

SHA1
c34796bab04c44d2829081e7d1c011e06662fa61

SHA256
c207386f96b5a5b224bf310981107a2d7eacc2cebaf3ff9f4d624cbf6179624b

SHA512
28cdd18a5c269d6e2f833e905cdb8b4383c4bf16d860b68147796ccbaec6da85ce9e5c58f9db4ad035bfe5cc6248c9a17b9720d1308e6963770bfcbeba55d223

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
94KB

MD5
11a7b3649267708a6265b6d5502c880c

SHA1
43b97dced88aded4d2637a6e1e4d5adebf805719

SHA256
d588a42576e1226490e3225feab7aafeac682c8736daf2c94cba2111fb631ae0

SHA512
11114fd4a0f128abc33cf6f67c4aa6418a28b78f09a5ccfaaea378a75f43807da8b0c47dd0fb24f2d36c3815183062706e83256cedec9559a29e645cfdf55bc9

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
94KB

MD5
44e66cd6d771ef93eef9947b6a5db748

SHA1
c3589fa2c9c8e645e6a578e7f608460a922211cd

SHA256
3a973468caf762c3eae1a34ef45e8ea0419e61f11e89b80c2d5d494248ccfe4f

SHA512
88dd808ebcb88e76a498b8f6edefd533240f93f25b41903db88a8a2f29b507876a3d4a1a58e92065083aff3d47f3d9e831b2a3bdfbd4d4d04c6995fe621c0432

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
94KB

MD5
6466b56f1e3060a793dd1d5837c86abe

SHA1
c60dd0ca27f1cc517161a56be33dbbd67eace9fd

SHA256
0fa719764c4171ed6eeb0a69166d9e41c93c50fb6277232392b3ee3dba3d4aa1

SHA512
3ee0441af1a4ee580dfd7534431451df8228f86e4cd03e8449b725ed0191007adada6850c4d0b7c833751aab8862a7b559b5f388a72401546993f121821a5635

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
94KB

MD5
3f4fa028519755401a3d38a5fe878850

SHA1
be2fe4fcd48004d23e2b1376adf4b19a0cd2b4d5

SHA256
9e1838c51d2fd52fe8a2e0b0e3cba34e9cc7e041ad58256d1d8f48f46969c62e

SHA512
ccb397490057f9c2936d262ab23431350016f3feaa4f68bd970af2775fafdb5e2ff52467ee58671e002ca286f3a4ea50078abbc8733621d04af257be729913e5

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
94KB

MD5
106d920ff8a7eb294f7dd4aae4c93f4e

SHA1
5ecb9bbeebe800ecd1546712dbe30f45360bb9ad

SHA256
abf5e18c899c018f05225383133c99fa4ca9c927faf662d97d55a1c098375c30

SHA512
9dc571bb37c1f0fe8906419e65605ace71d202ec8f6ce8a711caf1a3ff160378f7d096ba74aaadb5ea11193ee1ff9783039768ec0456efd29b629fbaa4169342

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
94KB

MD5
3db4a885838cddac3811b905f68761b4

SHA1
a40b93e6e8e7243de9cd5037d799ea38aa475c5c

SHA256
4765ef18bfa551eaa6fa4d4bb1f2ca16c6955e4d52bb7dc25bbc368aac817228

SHA512
f55f80df9274304bc6cf5c1aaa893ccf5e5bef132fc51ac573b1341fd472bb4843e7421943996734378827fc77e9d4444c484438ecff306f912b6de938f8acc2

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
94KB

MD5
13e8a69670ef592d799b3315e72e4338

SHA1
f8076a54c44f16151c9d4a144d27a48ab5fd8c2d

SHA256
14e56fc71ef85f973c18744bcaed35f292671209defbc61f335684e0d76d485f

SHA512
a9688c6e90b4be9b0d865a495364bf4e20cd9f54ce52ee5245ff38da1dea35db2c526f47100371ba9b92d93df4b8fa011e4dc714c7f7eb92754e2533298d83e7

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
94KB

MD5
ab0a23e52bd749d2d340814d1bfdc52b

SHA1
a1b93ff3bb0515ecc9a4cdd332478640e81bbea7

SHA256
13d5be75a44d1357dd0a899540d2333d55c6dd1240949b08061c4e31d1aab335

SHA512
c1d2b12b63ed36728b58b1573984300158b11cc2d14df39c405e7b97db5ef68e62ce052937791982c091f13ce5b572f663723632d594ec52abd2ec9758f9c008

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
94KB

MD5
9c147b401786e6d8de852ba9de14d8b4

SHA1
06ab3d712a67458ef877608b79a06a1ffed663fc

SHA256
39dd385fd9bec6acdd218c770f1bd64ac88311ed3408304fd7bbe86c7b1e9807

SHA512
59e956d8d66235f90cb37d21198530398a97c172982efb93216849e77297902cd690806a47c778f5e7dd29e9027abcbd53a8468411e23b03756b3aa5927eb16f

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
94KB

MD5
b9c22f761255b4b6e2ebb9391c146827

SHA1
81c8318cfe87b7bf084ee4bc572a2e92644027b7

SHA256
68c144b695e2d2df9a83b8ba11b5d777c77865b556b5fec09550c1e14fff5fcf

SHA512
418b1484b7f8a12cea74898ea549eaa99b845036d99953a8ec2011d2e828fce918d7dd6e2e631994287e72f13808633dda6b75742fb00706c9342aab03961263

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
94KB

MD5
f1b62f5fe5e7e7963576d464c11f6f5f

SHA1
422805a879cbb420ef1156f35ca5eac66e486b2a

SHA256
af80b564391dabeccf37dc7e52fc5fb591862c2f71b57b2c4c8ed7b60b27d0d1

SHA512
0eff14541a2af5ffda732a6cc82fc2eca6a5f8854c5bed9bb8527b30df9b18b8e87aef06818a90827427c11a5c789ed6fe8d064315b793279bb3306272e4cd65

Download Submit
memory/372-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/436-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/808-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/812-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/876-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/876-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1988-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3964-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5216-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads