92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9

Analysis

max time kernel
107s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe
Size

512KB
MD5

c6b771e3d393ba83dda217acbae0b8c0
SHA1

0838d86631f642f1b005402a70f98df2527d700b
SHA256

92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9
SHA512

f5fbd1b30f6d196006a31ea468befdf5d2de24211a8bf25c87cadb79312cb263f7468b0e3a1d822b3732ce72c45376c36f1057c4ee1db5b5ec8d47afe894402a
SSDEEP

3072:nbxMofHVeOw10/YUur6GRYSa9rR85DEn5k7rC:1PHoOEmYU86G4rQD85k/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe

Executes dropped EXE 64 IoCs

pid	Process
1232	Pncgmkmj.exe
2940	Pfolbmje.exe
2360	Pnfdcjkg.exe
4232	Pqdqof32.exe
4028	Pdpmpdbd.exe
5064	Pfaigm32.exe
4700	Pjmehkqk.exe
2120	Qnhahj32.exe
4444	Qmkadgpo.exe
4740	Qdbiedpa.exe
1948	Qceiaa32.exe
3916	Qfcfml32.exe
812	Qjoankoi.exe
3136	Qnjnnj32.exe
1960	Qddfkd32.exe
2304	Qcgffqei.exe
5020	Qgcbgo32.exe
1400	Ajanck32.exe
4576	Anmjcieo.exe
1424	Ampkof32.exe
3868	Aqkgpedc.exe
3568	Acjclpcf.exe
2684	Ageolo32.exe
4884	Afhohlbj.exe
2620	Ajckij32.exe
4024	Ambgef32.exe
4660	Aqncedbp.exe
1908	Aeiofcji.exe
4220	Aclpap32.exe
1944	Afjlnk32.exe
4292	Ajfhnjhq.exe
1848	Amddjegd.exe
2984	Aqppkd32.exe
5112	Acnlgp32.exe
4572	Agjhgngj.exe
2892	Ajhddjfn.exe
4412	Andqdh32.exe
1636	Aabmqd32.exe
5104	Aeniabfd.exe
2316	Aglemn32.exe
3052	Afoeiklb.exe
1696	Anfmjhmd.exe
4252	Aadifclh.exe
1984	Aepefb32.exe
1040	Agoabn32.exe
4748	Bfabnjjp.exe
1836	Bnhjohkb.exe
1628	Bagflcje.exe
376	Bebblb32.exe
4436	Bganhm32.exe
5128	Bfdodjhm.exe
5168	Bnkgeg32.exe
5208	Bmngqdpj.exe
5248	Beeoaapl.exe
5288	Bgcknmop.exe
5328	Bffkij32.exe
5368	Bnmcjg32.exe
5408	Bmpcfdmg.exe
5452	Beglgani.exe
5488	Bcjlcn32.exe
5528	Bfhhoi32.exe
5568	Bnpppgdj.exe
5608	Bmbplc32.exe
5648	Beihma32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe

Program crash 1 IoCs

pid	pid_target	Process
6832	6744	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1232	3200	92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe	84
PID 3200 wrote to memory of 1232	3200	92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe	84
PID 3200 wrote to memory of 1232	3200	92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe	84
PID 1232 wrote to memory of 2940	1232	Pncgmkmj.exe	85
PID 1232 wrote to memory of 2940	1232	Pncgmkmj.exe	85
PID 1232 wrote to memory of 2940	1232	Pncgmkmj.exe	85
PID 2940 wrote to memory of 2360	2940	Pfolbmje.exe	86
PID 2940 wrote to memory of 2360	2940	Pfolbmje.exe	86
PID 2940 wrote to memory of 2360	2940	Pfolbmje.exe	86
PID 2360 wrote to memory of 4232	2360	Pnfdcjkg.exe	87
PID 2360 wrote to memory of 4232	2360	Pnfdcjkg.exe	87
PID 2360 wrote to memory of 4232	2360	Pnfdcjkg.exe	87
PID 4232 wrote to memory of 4028	4232	Pqdqof32.exe	88
PID 4232 wrote to memory of 4028	4232	Pqdqof32.exe	88
PID 4232 wrote to memory of 4028	4232	Pqdqof32.exe	88
PID 4028 wrote to memory of 5064	4028	Pdpmpdbd.exe	89
PID 4028 wrote to memory of 5064	4028	Pdpmpdbd.exe	89
PID 4028 wrote to memory of 5064	4028	Pdpmpdbd.exe	89
PID 5064 wrote to memory of 4700	5064	Pfaigm32.exe	90
PID 5064 wrote to memory of 4700	5064	Pfaigm32.exe	90
PID 5064 wrote to memory of 4700	5064	Pfaigm32.exe	90
PID 4700 wrote to memory of 2120	4700	Pjmehkqk.exe	91
PID 4700 wrote to memory of 2120	4700	Pjmehkqk.exe	91
PID 4700 wrote to memory of 2120	4700	Pjmehkqk.exe	91
PID 2120 wrote to memory of 4444	2120	Qnhahj32.exe	92
PID 2120 wrote to memory of 4444	2120	Qnhahj32.exe	92
PID 2120 wrote to memory of 4444	2120	Qnhahj32.exe	92
PID 4444 wrote to memory of 4740	4444	Qmkadgpo.exe	93
PID 4444 wrote to memory of 4740	4444	Qmkadgpo.exe	93
PID 4444 wrote to memory of 4740	4444	Qmkadgpo.exe	93
PID 4740 wrote to memory of 1948	4740	Qdbiedpa.exe	94
PID 4740 wrote to memory of 1948	4740	Qdbiedpa.exe	94
PID 4740 wrote to memory of 1948	4740	Qdbiedpa.exe	94
PID 1948 wrote to memory of 3916	1948	Qceiaa32.exe	95
PID 1948 wrote to memory of 3916	1948	Qceiaa32.exe	95
PID 1948 wrote to memory of 3916	1948	Qceiaa32.exe	95
PID 3916 wrote to memory of 812	3916	Qfcfml32.exe	96
PID 3916 wrote to memory of 812	3916	Qfcfml32.exe	96
PID 3916 wrote to memory of 812	3916	Qfcfml32.exe	96
PID 812 wrote to memory of 3136	812	Qjoankoi.exe	97
PID 812 wrote to memory of 3136	812	Qjoankoi.exe	97
PID 812 wrote to memory of 3136	812	Qjoankoi.exe	97
PID 3136 wrote to memory of 1960	3136	Qnjnnj32.exe	98
PID 3136 wrote to memory of 1960	3136	Qnjnnj32.exe	98
PID 3136 wrote to memory of 1960	3136	Qnjnnj32.exe	98
PID 1960 wrote to memory of 2304	1960	Qddfkd32.exe	99
PID 1960 wrote to memory of 2304	1960	Qddfkd32.exe	99
PID 1960 wrote to memory of 2304	1960	Qddfkd32.exe	99
PID 2304 wrote to memory of 5020	2304	Qcgffqei.exe	100
PID 2304 wrote to memory of 5020	2304	Qcgffqei.exe	100
PID 2304 wrote to memory of 5020	2304	Qcgffqei.exe	100
PID 5020 wrote to memory of 1400	5020	Qgcbgo32.exe	101
PID 5020 wrote to memory of 1400	5020	Qgcbgo32.exe	101
PID 5020 wrote to memory of 1400	5020	Qgcbgo32.exe	101
PID 1400 wrote to memory of 4576	1400	Ajanck32.exe	102
PID 1400 wrote to memory of 4576	1400	Ajanck32.exe	102
PID 1400 wrote to memory of 4576	1400	Ajanck32.exe	102
PID 4576 wrote to memory of 1424	4576	Anmjcieo.exe	103
PID 4576 wrote to memory of 1424	4576	Anmjcieo.exe	103
PID 4576 wrote to memory of 1424	4576	Anmjcieo.exe	103
PID 1424 wrote to memory of 3868	1424	Ampkof32.exe	104
PID 1424 wrote to memory of 3868	1424	Ampkof32.exe	104
PID 1424 wrote to memory of 3868	1424	Ampkof32.exe	104
PID 3868 wrote to memory of 3568	3868	Aqkgpedc.exe	105

C:\Users\Admin\AppData\Local\Temp\92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe
"C:\Users\Admin\AppData\Local\Temp\92e1c52f6b3e189a076ffd334f7227cd2a51f69c848f5c94cb57ce62738b53c9N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\Pncgmkmj.exe
  C:\Windows\system32\Pncgmkmj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\Pfolbmje.exe
    C:\Windows\system32\Pfolbmje.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Pnfdcjkg.exe
      C:\Windows\system32\Pnfdcjkg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        67⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        71⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        79⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        85⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        105⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        110⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 408
        118⤵
        Program crash
        
        PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6744 -ip 6744
1⤵
PID:6808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
512KB

MD5
2bdc863a58272c07cf6c9da73e3d23fe

SHA1
d1d7ff2f2d603df8c5b85e867a470b7c127aba43

SHA256
a14c1492736e315c46305a7e85136ecf3d196ed8c6ad3ebea95f005c1cce0fc0

SHA512
9015271e3c71b1d44270624340cdacc15c93baadb278b0be0690fd2a8e204c2f5b52ed2f99a2aec9aeed9952c1bec92033b008281c3a103dbd3015d477a60af4

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
512KB

MD5
146071023db76b177671e0fc46c0c167

SHA1
270f8c23910b5acf1c3610579910ebb640efce56

SHA256
9fbfed14ddabdb07c1bc0a4587dda556f37395f30bb8b046dc10ab878fb59b77

SHA512
6fd4fcc8439dd86fd1ad79992f34cb02c45e41c45171d1bb29bb153509d150b33a318731c3f437c2297fe7b17d25205fd324a01077c5d084dcd003fe5048fd7a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
512KB

MD5
928e6e7164be474ef0b94ce68624fd9a

SHA1
4661a6f2c431eaba96c067bdf9dbbaae15a0d787

SHA256
2aaf201f727cd169274c5d567cc12dd9e320ac43361d24ba3d26a50ec21036ca

SHA512
f3fb60b15db082943df837ac4dc79f8b5fa82023ad59fe3af360e3520892c5f5ad377825151f4b17ced0111bee10951734ddbdd93f8d492b323b6669be678f11

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
512KB

MD5
c5242e3dce6d40881a5e4faf4b57251a

SHA1
e3075703fdf392c97b33078055dd5176bb340d84

SHA256
cc5b4e9d2cf88c4a6a16a3e17a1bd3f11325afdb2af4ddadf911499ff851f0c6

SHA512
833f830bdd1455d8c61bc94cac170d82801b9221d74c03284254fe3009ec7fdb08f1bb376c85ba0bfecc3b79f60b4abfa0758c8adb711882ef2c7ecad86d6747

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
512KB

MD5
589a1e4905d1ba1ce39b8f3a33b18455

SHA1
f8e4917762c99905c45b0019751522093a3bbf62

SHA256
391deb8f8d695ede95fc35aca488427fca21517ef6090e63ad31a15c01e53abf

SHA512
555bee3513e0a8eb61cbaced7acb781f23704fc911574c6843f7d1b3e6ee6ca97e242a7c575dc2b61760d7912822309ebc65712daf67117a37489c46794149a6

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
512KB

MD5
6a354a8150c5592e2035064d51773171

SHA1
f7d5a3d418b1a1c5ffa3cc3ba3563ff4f9e7bdee

SHA256
27c0f0bef1ffec2b7c286ea69eb60cf30ae35e601cf3c2c7f064de5c638c2a90

SHA512
2a89fb8ca5f2511cba9a268cd03b8b2bf56784353a466a046f7a7a99483991f55a642948769df8439e06722c97add84b4bcd68afa56c5e28e049b02b7a3b2df1

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
512KB

MD5
103b6534c47f92b2554276a33c85159a

SHA1
710e34aa304ea87e78d513aa3ac07a4d2dcf5a88

SHA256
0152c38037792a553004c48d9cf5782fada9502e556fec04baf8506fa1c06f68

SHA512
1f7baa3f53ee4a7259a70a3c3e3e5ea7425f5f9cc4c79273ec6ed40edf4225613738fa8b85f7006a0f7ed0a98302fbb168a0d1379ed340f0f6effc747c1f9d4b

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
512KB

MD5
05c540816850b31c89d88e7343c725cf

SHA1
987aeca6ce1688c5cf3e1608b19d26d17761d99e

SHA256
a64e267e5e3d83cbf078d3fc695006e91f9610473d2f016ebac5bc5e5e1cf0c8

SHA512
790102ae9b016720b55631b962cf1025423a8a6433393e9fc7d8d9385b93ebcc12443dfa0dbdfde67170621909ad2e0dee37e68f1900d65a472eab6805dedbfa

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
512KB

MD5
77d4d867331633ab82c7f16caf80b925

SHA1
d5ba7483db3c2a720f9748d5b00010a1f73ed8eb

SHA256
663d49257847d4c8267ff0a9e82942f1e5b55c748b41ebd268108c5ac530fcd2

SHA512
7f2369bf458e2c2328cb18bd038302353b17c778c970c30de62e9716a9e499ab633b2378b51708fbc7fec3cc3d7572c9ac6450ab89c70dca9c881ae090ddcf44

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
512KB

MD5
55d1852db988af3aaea8f1e0a08e3e58

SHA1
b5061bd52474bc400d886c01c456591bce83d2c2

SHA256
b501fed84d8e9fdc994d9f24568de7190e68f33a48f2231158335167811a69e0

SHA512
1aebb58257dbb0a7ee45ffaa816fcd3d3817a24ac07f16fdf9f2f372f4ed17fcdb91dec6be42f5c5acec00a6979adfc77c705c176f64d6819675487dff3433c4

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
512KB

MD5
5bc8c1fd7a557ee23be0d62c4d94f24f

SHA1
0367df425b21521b4e511ecf82f25fb1f24696fc

SHA256
c2b25abcdb78948b18b5f57a059d3ab523e665daab2b55c49c02f562c223db79

SHA512
05b7e5a4b5febc9ac59259f561aff7f38a799a2263921c598760b7eca747dea23a7ae2be86bb4d5259d0bcaacbe7260f87af8bb1e32d3212f1d29559137d5c59

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
512KB

MD5
c2bdba6b63bff11cd27e48336a8d6df9

SHA1
92b35911876e886f95f79ed98cc4bcd0b036a274

SHA256
b38a2b07d2bfeeaf30932d04fe40d313143b6923a715b1a87980d4db682ef911

SHA512
591225188f310976e80355697766acba1a8dc0916f4d299ced3103f779b604d4035c820d2f97028dbe37719d3fb3ebf6e704d0d8070186a2a5f7455f49bed86a

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
512KB

MD5
8ef3f67e5288c40cb94b283f763fda34

SHA1
5d744c91e9ccfc1d1fe35f911eae4ad739573376

SHA256
3c317691a2d27477d1574ddeef8ef7c0a4b2b356620418273c05e376bc930247

SHA512
6904caad3df5251526968fd9587d1d68d7258c21b7e2e6deaddde99ca670b1abc9c792e4bff41352e192976307b1569afcbb5c229f8dbcfc46ab27888ac91f65

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
512KB

MD5
8eb4c54c0ef7774a27a8f55a6a737d5f

SHA1
923bcd05439ffc96b157222908987f845955d09d

SHA256
0ca7f59caffb70eb67a440baedaea9e3ac81ff439e51a10de96c023a3a002839

SHA512
70c886dc21d6d32f3843048b5d1768551be022b9b3655fba133b01091992d62e51f37ef0fab9a56c2d7443cba6f3b9256937806e80dd0ffc78b3425a6a75f967

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
512KB

MD5
2df887115261ee2ee482fb23b7fad58a

SHA1
fa4bc4b32f32a8a131316321b5c29f151efd3ec9

SHA256
8410c55ee33c81476c5bb800b03903accb70e171e468154954e37d79c561d45d

SHA512
c6a2cde49432d1e63eaaf75c6b8126dcfb833ed0518dcb656bf881adbe92a50d96f5205f95be4ecb3158112785c34cfe41c997c99b77b05a8363c60847662e1e

Download Submit
C:\Windows\SysWOW64\Jpcmfk32.dll

Filesize
7KB

MD5
0a5cbdebd7886872cd58a78b039f4d3d

SHA1
42466fba4fd5bfbd6f129104ac33f0a7f0e81a24

SHA256
239d9c800108ad7bd9c5cdfe89e04c7078c91f3b14fefd4fb36ec93b663a52e3

SHA512
5e99fd585cc4a0b6a955b97f8f10c37b6d0b8afd1ec38bd9c5162f3f69887477a6daa06fb7fb2e13f8542f866748b1cd1c637e087973628454e538239b5e0568

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
512KB

MD5
43025f1b47bf45167419f752c29bec46

SHA1
44c70208af5515ed0134e275ea7e74acd6335c54

SHA256
40205dece03b0a5b82f02c5fb4981bd37acf0addbdcb74423de2c64b0405d54c

SHA512
66544179e5b65745fbeee6cebc4c15a82b13c966b43e891f95f7218f06748f81abdbd4c5566fa189e040b38045ac059d6183a67a7208a5caa014329fe1b56888

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
512KB

MD5
6938155c03e46b2c77aad9ddaac53811

SHA1
9809fcba6b59878fda10b5b4a1ff5a1d96afe316

SHA256
5e86012b280eaf7f3bd490490af29de6e68eb06d3fdc5add172875e97d934fef

SHA512
bb3a1ef2e3f708a48eda40a47d8727c83ed617c5ee4ce1f231ee7aaa39978e75d479c1b63f2dd52be6333ef612a725a77b7d15736c6e8f6b6c1aac178d7f45d3

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
512KB

MD5
01f8d6c4f666629f0b22bed334e4daee

SHA1
661ed09bb736d3d3dfd412a36082b4d97cb75ce0

SHA256
42e5e90c66daa8a57d5b1e9fc50c887c67787518cf39f317202543340d16cf65

SHA512
d1c25b94780df56e3da6c7ca376151f05ea18a030cb82e93639aa90563bb0f369b85c68ae1a933d3d5fba3ede79bfbf2406edfef8e111d1871154841ec0d0934

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
512KB

MD5
7899c277de78bf1c5cf74f5b9dbe2a96

SHA1
bc88cefeee49dc7c64eb4ea553afb2e896a8e692

SHA256
6a63e546ba91a501e01cee9f447d142459d444dea74bbb008ddbf18ff58e1c92

SHA512
8a483346a0522ed13220e688581978c703f4bb3d5ba5f3929708099d0716e7ab5272db8279526285d72decf36b54ce34e5abe4d35feda6d319443a005209f8bb

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
512KB

MD5
96825ce9f9689c8b4cb9052b47f769bb

SHA1
ff984aac51bb49133c7d97e7c5bbf9c205b656c5

SHA256
906e7f6e5c86e95173f3167c02206a1f48a09da6b6e149f7d23516a3abb733d7

SHA512
085cc5f746e3f7148db733c549de634612eb14571619476ffbe61905130f85ea3a7ae30fc58c25b94d571e0d8a6b508f5b753dc66b25c2a60a2012fca9c62c3e

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
512KB

MD5
98dc990e0a15cf23a0118a98836a07fc

SHA1
2919df9209bfbd6b5eaf831bdf2113b7e8e331b4

SHA256
d3b6ed1eb6ce61594bfc65990aadbfe1960ad6c74e4c077ba5df4b90c90301ff

SHA512
a0506f7b4c4a83e8b2067e079086adeea70019c08555afe3f57504bce9cad5222c1ede018514144d93608238a73905f22812835fc75071a9b0ed69993e872db9

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
512KB

MD5
9921a5cb43a1bc16045f8ece4aed029d

SHA1
4d5c1b4521a2b160ef2743a7208e3320fc60a45b

SHA256
060d7e990ea7a163c67f456c17b9a78bedb32fc1ef0337a94a1116f9d2eafd4a

SHA512
7607be8760b4c51b1fd21bc48f853875347891fd90ba6db875a8c620c2ef979b659c2cd6607768b0b45f6fd9abf88feee6b738dcd358e65c7563234838caf2b6

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
512KB

MD5
877e3a8cb2e2fe50468555ce95d6eadb

SHA1
a00a9174beef945b140fdd072e941889c31056c7

SHA256
139464a9768c050a2dda51c1f6e9ba39a894c0c894f4d63910cad63b280df2a7

SHA512
d000ca1ccaba74d1d36a606d4ef9369c042499bebb104cc4c4c8ad179125407d438b4b5b29ef683df2674d1c572c07badb792000c2191fc2f74aa4808e75eb63

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
512KB

MD5
47843d4e579c76959e49c68e60493be5

SHA1
61c3aa09d87b3da947ebf87060d46bbbe5245e05

SHA256
a501f65e2529ddb047125309adb1823f8aa271630c18950394e7e026d892d5f5

SHA512
9d99fa67b9b74e10cd73c5bd4aabce6fc3b79d93d0216c15c81fe5939f3d18d977c1ecfb4e618d1f1f642aee75aff0fa4894682a62b9b6ce5046504fc2a9f915

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
512KB

MD5
c03c3873e3083f0de293581ad5fdddce

SHA1
ab071ef6de1e9107572e09991a8e6b49c392d091

SHA256
3f831665ca86260d40967a115ea6b9f01841b92e333f947201695e26c3bca0c3

SHA512
dca18a0fd5f1aadeb3917b7c258552ab63dc032c3afa571a1ac03acf2340a55b4bf00190952e0fc39eaa723ad37be1e2442892f62616b687660b609b4494dd0e

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
512KB

MD5
e3b5402a79a5bfbfebd242a758e8d44d

SHA1
d50ca31936570d15d704731d34a634f48b64e028

SHA256
38983ca3b2a1873cb9f9340d4d4b105b08b37a86ca7cc8c37cf1624c64542c50

SHA512
2c360bf237d6b040251f77940043337074e87bee928c02522e12ab0088a38039a4d1dc7ce4e3f125b8e7df081479511c9800004c1a6e282f551505e280f3ae0c

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
512KB

MD5
2eeb1791ff4772d23e4d79bdd34fc38a

SHA1
14146bf90830a50de8b6bdb003f1e48df742d685

SHA256
29ba9f001e645dee80a9a5c85f63447eba879b6e31dc3d9ed14be19b0ed0005d

SHA512
80fb65aaf03d765e9ef1459521f77d0ade47e3aa6d146706f31e529669f7b8d9ff6eca52fc1f0e434b60c6527c6c620b904d39b511f9cc63867728645d691f56

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
512KB

MD5
c3afd32aeb6943aeca8984a08dd42d82

SHA1
5c14fab91333a3700064a5cc799a3a92d03d128d

SHA256
918c50e6ab91d751db68447ae546e61d824f74a4a4cf62f05dbfbff16549d833

SHA512
a0a7daafe4c8437f0bd4717472dd4e83e76075930822168aa8e6e9b11c5eb4e226a752c5a1723f437cfde5b1f986dafba200dfc57425d38b23d3e79123c86cb6

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
512KB

MD5
ca1914fb4de34b5bb7282533008bfd3d

SHA1
639a7f0ad43cb2c67dce5a48ae1dc1df2055d68b

SHA256
b14bf115c5552443ea69c9590761633eb4d69376f473e4ef8afade874e9af5bf

SHA512
34b1375cd8605138f99478c00e3fd52561af1221bcbdcbe82b6b1f23d6c1341edcf9fe9af8e9130b6f04941e2f4fcbc45f46816bfb1ab7b982eadb41d899f923

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
512KB

MD5
f5a9b67da2175949598620c66961ce82

SHA1
fc5a1a53be7c250f04df40b82f5dec9358303a49

SHA256
b0a693884148438d409f1f4cc81b01417d47811d33f476e0ab97979ccb8e089a

SHA512
06ab8545bd1155e6df2c45783a1081c707ca1489b3042851d8ccd8b054376694665a52a42619df83c968043a4ce31b3f1fa5e328652f5a8776a7a23fa3cecc55

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
512KB

MD5
db2b15d39c23b15dd482002d21e612ae

SHA1
a29a086614e1aadf37fa96cdabb0b0fda582d50c

SHA256
af3626253c72d5ce27d1c49d49e535099d86d96dee22ecf9fcea239cdbff5c8c

SHA512
16a037fd49090c0bd8bf1013b5851472d2aff848647e2a2319918af4cfd2eeadff10929efcca291cd357c14f86025fed8a84ab9c8d59baee4fad87b8c613d1ff

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
512KB

MD5
7a96e9b838d7ddef9fcd5bf5646bb1e0

SHA1
3ab59550139b5549a394037d71f664ed3cb948b5

SHA256
7852f666257d10cc22f62568fafd2577dd6337c767d38442ec3229fdb3e4843d

SHA512
2aa6abc7b3ca33e43b1ef392fbfbf92faf35fea9a86ab14d367241393b398d2dc01c9dc1c58921b78b1a7bbaa0f369b38f27d196c272e34db13cf986286b660a

Download Submit
memory/376-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/388-559-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/624-552-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/812-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1040-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1068-541-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1232-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1232-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1296-547-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1400-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1424-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1628-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1636-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1696-325-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1836-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1848-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1908-233-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1944-249-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1948-95-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1960-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1984-336-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2304-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2360-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2572-571-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2620-209-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2684-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2724-565-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2892-289-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2940-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2940-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2984-271-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3052-319-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3136-120-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3200-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3200-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3568-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3868-177-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3916-104-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3920-577-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4024-217-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4028-44-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4220-241-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-35-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4252-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4292-257-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4412-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4436-373-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4444-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4572-283-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4576-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4660-225-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4700-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4740-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4748-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4828-535-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4884-200-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-587-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5020-145-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5064-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5104-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5112-277-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5128-379-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5168-385-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5208-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5232-589-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5248-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5284-595-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5288-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5328-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5356-601-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5368-415-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5408-420-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5416-607-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5452-427-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5484-613-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5488-433-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5528-439-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5560-619-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5568-445-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5608-451-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5648-457-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5688-463-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5728-469-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5768-475-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5808-481-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5848-487-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5888-493-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5928-499-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5968-505-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6008-511-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6048-516-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6092-523-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6128-529-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads