0ef89659687efec2cc4775295eb163f06ede8d5d23271efa8a8bb632e53e419d

Analysis

max time kernel
107s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 15:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81578f355851d1745c0cec51f64ccbf0N.exe
Size

320KB
MD5

81578f355851d1745c0cec51f64ccbf0
SHA1

2a23c2b19582a4f67effe60420ca38c45e395468
SHA256

0ef89659687efec2cc4775295eb163f06ede8d5d23271efa8a8bb632e53e419d
SHA512

a5835b501b0c770bbd12864539024b131e35ec6b608d8348bbe1af9d0761b98fc9463987f2118d7d43c624ac58a003e8f00e362cb4aec499b0b6f1de238b6cb9
SSDEEP

6144:697g8q/QZxCoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5RV:6dqoN6t3XGCByvNv54B9f01ZmHByvNvJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	81578f355851d1745c0cec51f64ccbf0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe

Executes dropped EXE 64 IoCs

pid	Process
2248	Ndokbi32.exe
3344	Ngmgne32.exe
976	Ncdgcf32.exe
432	Njnpppkn.exe
3284	Nphhmj32.exe
1876	Ndcdmikd.exe
3960	Nloiakho.exe
4888	Nfgmjqop.exe
1728	Npmagine.exe
3244	Nfjjppmm.exe
2864	Oponmilc.exe
1520	Oflgep32.exe
3232	Oncofm32.exe
3048	Ocpgod32.exe
1680	Olhlhjpd.exe
3632	Ognpebpj.exe
1004	Ojllan32.exe
4516	Olkhmi32.exe
4176	Ogpmjb32.exe
2968	Ojoign32.exe
3220	Oqhacgdh.exe
4768	Ogbipa32.exe
4512	Pmoahijl.exe
4728	Pdfjifjo.exe
2268	Pfhfan32.exe
3516	Pjcbbmif.exe
3312	Pclgkb32.exe
3968	Pdkcde32.exe
4004	Pncgmkmj.exe
4860	Pqbdjfln.exe
2376	Pnfdcjkg.exe
4204	Pqdqof32.exe
2708	Pfaigm32.exe
3464	Qqfmde32.exe
1232	Qceiaa32.exe
3740	Qjoankoi.exe
408	Qmmnjfnl.exe
1240	Qqijje32.exe
1908	Qgcbgo32.exe
4400	Ajanck32.exe
3036	Ampkof32.exe
3568	Adgbpc32.exe
4208	Ageolo32.exe
3832	Anogiicl.exe
4952	Aeiofcji.exe
972	Ajfhnjhq.exe
5104	Aqppkd32.exe
4360	Agjhgngj.exe
4676	Andqdh32.exe
2792	Acqimo32.exe
2736	Ajkaii32.exe
3432	Accfbokl.exe
4016	Bfabnjjp.exe
960	Bnhjohkb.exe
4896	Bebblb32.exe
1448	Bganhm32.exe
3456	Bjokdipf.exe
784	Baicac32.exe
3060	Bchomn32.exe
4224	Bffkij32.exe
4784	Balpgb32.exe
864	Bgehcmmm.exe
4992	Bjddphlq.exe
4484	Bclhhnca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5400	2652	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81578f355851d1745c0cec51f64ccbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2248	2908	81578f355851d1745c0cec51f64ccbf0N.exe	84
PID 2908 wrote to memory of 2248	2908	81578f355851d1745c0cec51f64ccbf0N.exe	84
PID 2908 wrote to memory of 2248	2908	81578f355851d1745c0cec51f64ccbf0N.exe	84
PID 2248 wrote to memory of 3344	2248	Ndokbi32.exe	85
PID 2248 wrote to memory of 3344	2248	Ndokbi32.exe	85
PID 2248 wrote to memory of 3344	2248	Ndokbi32.exe	85
PID 3344 wrote to memory of 976	3344	Ngmgne32.exe	86
PID 3344 wrote to memory of 976	3344	Ngmgne32.exe	86
PID 3344 wrote to memory of 976	3344	Ngmgne32.exe	86
PID 976 wrote to memory of 432	976	Ncdgcf32.exe	87
PID 976 wrote to memory of 432	976	Ncdgcf32.exe	87
PID 976 wrote to memory of 432	976	Ncdgcf32.exe	87
PID 432 wrote to memory of 3284	432	Njnpppkn.exe	88
PID 432 wrote to memory of 3284	432	Njnpppkn.exe	88
PID 432 wrote to memory of 3284	432	Njnpppkn.exe	88
PID 3284 wrote to memory of 1876	3284	Nphhmj32.exe	89
PID 3284 wrote to memory of 1876	3284	Nphhmj32.exe	89
PID 3284 wrote to memory of 1876	3284	Nphhmj32.exe	89
PID 1876 wrote to memory of 3960	1876	Ndcdmikd.exe	90
PID 1876 wrote to memory of 3960	1876	Ndcdmikd.exe	90
PID 1876 wrote to memory of 3960	1876	Ndcdmikd.exe	90
PID 3960 wrote to memory of 4888	3960	Nloiakho.exe	92
PID 3960 wrote to memory of 4888	3960	Nloiakho.exe	92
PID 3960 wrote to memory of 4888	3960	Nloiakho.exe	92
PID 4888 wrote to memory of 1728	4888	Nfgmjqop.exe	94
PID 4888 wrote to memory of 1728	4888	Nfgmjqop.exe	94
PID 4888 wrote to memory of 1728	4888	Nfgmjqop.exe	94
PID 1728 wrote to memory of 3244	1728	Npmagine.exe	95
PID 1728 wrote to memory of 3244	1728	Npmagine.exe	95
PID 1728 wrote to memory of 3244	1728	Npmagine.exe	95
PID 3244 wrote to memory of 2864	3244	Nfjjppmm.exe	96
PID 3244 wrote to memory of 2864	3244	Nfjjppmm.exe	96
PID 3244 wrote to memory of 2864	3244	Nfjjppmm.exe	96
PID 2864 wrote to memory of 1520	2864	Oponmilc.exe	97
PID 2864 wrote to memory of 1520	2864	Oponmilc.exe	97
PID 2864 wrote to memory of 1520	2864	Oponmilc.exe	97
PID 1520 wrote to memory of 3232	1520	Oflgep32.exe	99
PID 1520 wrote to memory of 3232	1520	Oflgep32.exe	99
PID 1520 wrote to memory of 3232	1520	Oflgep32.exe	99
PID 3232 wrote to memory of 3048	3232	Oncofm32.exe	100
PID 3232 wrote to memory of 3048	3232	Oncofm32.exe	100
PID 3232 wrote to memory of 3048	3232	Oncofm32.exe	100
PID 3048 wrote to memory of 1680	3048	Ocpgod32.exe	101
PID 3048 wrote to memory of 1680	3048	Ocpgod32.exe	101
PID 3048 wrote to memory of 1680	3048	Ocpgod32.exe	101
PID 1680 wrote to memory of 3632	1680	Olhlhjpd.exe	102
PID 1680 wrote to memory of 3632	1680	Olhlhjpd.exe	102
PID 1680 wrote to memory of 3632	1680	Olhlhjpd.exe	102
PID 3632 wrote to memory of 1004	3632	Ognpebpj.exe	103
PID 3632 wrote to memory of 1004	3632	Ognpebpj.exe	103
PID 3632 wrote to memory of 1004	3632	Ognpebpj.exe	103
PID 1004 wrote to memory of 4516	1004	Ojllan32.exe	104
PID 1004 wrote to memory of 4516	1004	Ojllan32.exe	104
PID 1004 wrote to memory of 4516	1004	Ojllan32.exe	104
PID 4516 wrote to memory of 4176	4516	Olkhmi32.exe	105
PID 4516 wrote to memory of 4176	4516	Olkhmi32.exe	105
PID 4516 wrote to memory of 4176	4516	Olkhmi32.exe	105
PID 4176 wrote to memory of 2968	4176	Ogpmjb32.exe	106
PID 4176 wrote to memory of 2968	4176	Ogpmjb32.exe	106
PID 4176 wrote to memory of 2968	4176	Ogpmjb32.exe	106
PID 2968 wrote to memory of 3220	2968	Ojoign32.exe	107
PID 2968 wrote to memory of 3220	2968	Ojoign32.exe	107
PID 2968 wrote to memory of 3220	2968	Ojoign32.exe	107
PID 3220 wrote to memory of 4768	3220	Oqhacgdh.exe	108

C:\Users\Admin\AppData\Local\Temp\81578f355851d1745c0cec51f64ccbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\81578f355851d1745c0cec51f64ccbf0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Ndokbi32.exe
  C:\Windows\system32\Ndokbi32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Ncdgcf32.exe
      C:\Windows\system32\Ncdgcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        29⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        37⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        40⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        60⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4752
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        74⤵
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        82⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        91⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        93⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 408
        103⤵
        Program crash
        
        PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2652 -ip 2652
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchomn32.exe

Filesize
320KB

MD5
f738846923451a780b0ad0d0359b1810

SHA1
b929b1dcfd3bd117c27a75c1e2ed98851a519b2b

SHA256
729529443893a29f2057ca3168e75a68db75f76c8369d02d0587e2b2c8e5804c

SHA512
2a9166adf505399430be29a8335163b0cc66d69cdc86eace98bd099d8f279a30ef1dc1c2a1d5c9793fe8d7496611d2004ed610b260ccebdf634e6cfb973d11d8

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
320KB

MD5
0829ad7d91d6a7bbffb9d2354e2e8340

SHA1
eac788dd78de95e4f9b9d3d8c738c4cdb80b698e

SHA256
15a94964f66590ad02a506d937a02d247c04fec0b6c6c432f975836c1de51327

SHA512
ae4717fbf22196b4b7ebbe50a7750d452f897ea993501f4020948fd4ce2b97b647a7632f629f2e22748c44ce409b92d048bffdf0f3570813b5db70dbf40ed232

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
320KB

MD5
05ff0d294f2552eaab8b0f3e9d50dad2

SHA1
d0c9ab1ee4812f038622dec48b4ce3ffe512a7a5

SHA256
0e81eb5b16f5488965f9c89a3f7c028a86d00c505bca43872c078ba4de5a5b44

SHA512
c593522f11f46930f6c076e5c7230c829ce86dbe8e7dab82a999edc1a8a5fa58e95ab1c5966f97b55aa4f0bdfb683e8a3a6334c7e908abb23f1c204a929e7799

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
320KB

MD5
e78f14e69a1f0058a2196208b3ea3f62

SHA1
d9b3b62c387d62a5ee3a20c15bcabd12107aa8dd

SHA256
dcf4f84f70d91006c022d0c01379b0747f4e8f86f365bc89c455895ac3a0efda

SHA512
da4e090e6f60055533d5f9bce23ae34bb64ec53b873ed2b75a5c1d822acbc15df6f35192d04cb42d054c6dddfafed670518abf1939208edbdc3494553377c3e5

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
320KB

MD5
bc328ad85fe4faf023fd6232fbf9d3fa

SHA1
2efa2743accb693589dd2659efe8677f969d77a7

SHA256
37018a4ad8cb2d01ea0c84d62c66c03f7fc2f3537ae0cde81e2b62fbe014a6c1

SHA512
7475c6f37dbf65ba7910fbb822aea060e46b4509caf873f3c0a257137186ac37d962f6d7bf879952a8bba4135cff3541823300705869e57911013e04ba89fa85

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
320KB

MD5
c3e08fbcf4275386b6226232ac2f032a

SHA1
2c422d56fb82b6b5b9411f3f035ca6152d602c12

SHA256
92d34138cc68935cd4ac2182d66187bd609497036f710e15b085ea65e6c9a584

SHA512
a3b56a92c92b0fd40b34019afdfd911945fbe44e7da8bb4899127b45fac03f622979a64a1d890cb1f468dae0de951bf91378a6e84eb1622c678046ea63b41e8c

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
00d814a937685287b5c36908c18bb7c8

SHA1
4b201337e47e186d010cb342ad5abb31a45b9b06

SHA256
a697efbbfb19885fbfcc1170995d5f40ccae70cdddf1c21adbaa338ea95731ce

SHA512
318f744d60eabf0c8bcd4020ffb5fbd089ee5dcb3a463f6e5559ad249fe4585908504267bd7540394736ca4fa5c7467b901cce22c4461eb2e26e53944de1bf96

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
320KB

MD5
2a3bfc95171e4f5ca1706304c8e08611

SHA1
01c996bebc51fdffbfe8761f7ffb1ef1f4f34603

SHA256
5e66405f1ed377632a1e5422a87331c0aedf82c99c3d2336578c212a67a936f2

SHA512
3e13dbd6b19a652bcdfe48f3a2ece039a099ca064ff7c261a26488281a84d465207ac77221bd4efdaafcf33113c127b85adc3b5446f878dea5ff637a2ce73bec

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
320KB

MD5
c4f63024b47f01324e32652e86b52e5e

SHA1
ee3d60762abe3d1e75c6b90c557cb8c0e6b8e685

SHA256
c3f5fecfd5bd3c2651f0fb80f19e469c05400482e8dfc22c0406a9fde3804e3a

SHA512
787f379095882fa64e5d95103fc6547caf93df5ea3569774418a740a2b5d2c6837024a382dc3e1909b16e62206d1b11c628790ecbc31f9f33f4c97c9081ea68b

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
320KB

MD5
6cea8469dddd762c2a576522da5c0ff0

SHA1
dd0635a18be19c19e24477858f71a7ba26f779f0

SHA256
54fccd08fd00ffd7b45cad442a052f3a6ce04adebf722cc7f25241999736fead

SHA512
d21ec2a9c260eda4eaaaeb7e6deeeb1cd9b4ae39b291fcbde4ff06c8a227f94648e46633c2f8e8e39086cc06616fe2d45fdcdda8a3364105c7170cb802b3ff03

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
320KB

MD5
20752933176978f7002f3685785e2cd3

SHA1
7fcc782a1176a9ed15b806ab2ed4001e92936392

SHA256
ced932bd6e726f1d261e44848eac11bb1d030fbedbd8d42bca678b85e237cde8

SHA512
511bde79d3ddf83b64e73e6744be0b047ee89c766fa3396118dbed44722ac0dae805af6c428e2d850bb18b28f6c56b54fa836beabfc2968206121d456ff34a35

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
320KB

MD5
4e00ea2984dee55f07b6bcae7ffbad6e

SHA1
6f84e75fa9cb6b00f20689cbf2a21835d80d6014

SHA256
aacac487f092f649c656557352e1f427a06a6cd0e01c8e94b738ef59409c85f5

SHA512
817c8d0353757a7653cb8bf99589fb20213f302a4d1b17bca460472b5fbc6e2ee32613b88d61e5c2ffa1e94cd0c4b5becec882c7d24ecfe88b3bb0757209f720

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
320KB

MD5
e578f20447a101f628c7a739f8428132

SHA1
1f7aba4e984527cb0d339b0e3b1d95d680201fc7

SHA256
93e1abe51fdb1144f6b3cf13825571f543db37297d7b5f2c7efb5a18054cff6a

SHA512
1a15083ee24644b4bdcde2b4e4b8081ba7db9d02e504395e01099715ec0cffd9c664cc3ecc8ee0a936b7538715f50b41f1f283ccf046181d10f480a8990608b8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
320KB

MD5
7044e04d9cd1f3448a6eb3a86e4ba149

SHA1
0e1c70c96b700dff0bf35bb05471dea702e9b4cf

SHA256
350f06c9cebf2f4f06a5423c22d5e07ac5c56ee5747f70848fd23833eb56e149

SHA512
99b809f4896a2bf19d9a0a63c513b7f487a482db1c932c1bdfc813b6af1dff71d75d6cd91a5ac6a44fcf9bf895bf2c1f6294909330bbce998675850095df8299

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
320KB

MD5
fabd6a28be4c712826ebf6c2fe5b62d9

SHA1
a1e99a71d8c393b19979043329f26ed555e3f0f9

SHA256
728e2a66e9c74ccd66652c648a18b1d55512280ce84b7ea85981f9ba4f367dc9

SHA512
4509ffe5a0a72a28912e9e418fdab3336e8342f09af244c9302ca9cebf4ebb182d050b4d6944ea8f00bbd517e1911430fc9afa52d20d558f73eeec7a9c007c79

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
320KB

MD5
f51f78ba50df29073ab0f13178354bf8

SHA1
46f6be105af676a85c06946413bba06773ebe540

SHA256
841844908061506644684f6a60f56e03fe59c92d57f6d2d8bd1a855595fd2601

SHA512
97db7873dcca952a2c7a237ac8a5a5b52c77767f7bfbbaa6cf595d23ca65ece6879c39cef0e405659d8fd1af2214cf1ab32383e3dccad21fe60bd00c016c58d5

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
320KB

MD5
f5022e9cd73eca815f183d6fee4021eb

SHA1
f292124254418731216ae6faa0a98548b87f999f

SHA256
5bda99c3efbfa0a75a10a2a8a166dff4fd299d73f389dba9cda4f3ea950e103a

SHA512
be8da9998fbb9016d541fe58c86438d747fe1934f238982d45a020f60b9ce8d8cbb679d5256a57cf60529099a4d82a3995a98e68b991567b54ab9b1a9c9cdd3a

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
320KB

MD5
1f2968e516967b5cd1b20f37c11c1f27

SHA1
85cbc3da9879892b45927167b651afc289b8a566

SHA256
9cc37724d0692f125e9f88c7a0b68ca55b533476cfa259c0068e18dd9252a1df

SHA512
868f0149825505b4d3fc1631c38194e94fb55fb76a5352159857a5ec32f66f5991c51cd980a271553c39db66c0eb3ef0d31abe47f643800bef34d7c4bd97c4f3

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
320KB

MD5
add8bb185c798e6dbc4ed25794db934a

SHA1
63cb72c8b4211611d6a1b96c5318428a5171613a

SHA256
84cfca72c49122acc8404321157609926be816b00760983ee3a63c28f643000a

SHA512
60fa57e6e220d31cba04930157f81f8b0768a03650319ea9c2fc1e010ced3548835b89b6bc9d9413aba0f3231a2ce5270cf37dbe7d3a3b6cd3a15e56ff810b2e

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
320KB

MD5
5e0115028be0387c8fd511625c9851a8

SHA1
3df09f2868a187e3ac0296a89910910bad286499

SHA256
c204c8fcbb853d35ddb29aa7dc980d7f4d0f96ef0877c902fe9ccf6f394099dc

SHA512
f5bb71f10170b6f33d6016849e07dcfb167fa7052b449eff6041c77d5e9768cf8d00bda23b6227e39eaa9f9277fab5fc7f4310caf6fb9becf9203b0e5abab5e5

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
320KB

MD5
0962d041f3d4b6809b9076c00ceb5718

SHA1
31d15b7e4c93e488b872beba5069e3a2d537d3eb

SHA256
4262a132e9227c1ac503bce6dee22a0d61d93ea85ea60b5500cd904b5912d19e

SHA512
29f5c9ed2659d962c16d69861b1be2c3c4ac1e2c5933adbea6f7920610c42c4b051c5209fa486c8020ef4cd1cf03dd5509ffb6c2ecf72ff71539cb5d971ad793

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
320KB

MD5
9cc18fbd7c63087808d07250a5891f58

SHA1
5c7c8bc344a7d1942a420a1fe522e1c9bdfdb741

SHA256
d9c05011634443db9ee0545fc9481efa187e0cfbadd75bc67d7926d8b6e9c2e0

SHA512
d111b5960298c1779a6eb1e48e04978b68237071435116a0e15d9aaf11c4e60815a6c947c973126857bb777bfe0c4ba5f845c0e3d09440e38ca66d366441e9dc

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
320KB

MD5
f59dca321213e6e46f9823c4277ce8e9

SHA1
cd34980fb7f899716e7d43beca20d89127bc4734

SHA256
c529c44d8bbe3010f780e6a353220b5d85f253fd1d79551687fbb19219143e44

SHA512
a3b82b5127d8f43a4883b88dd96329fe83d9a453fed997119607669876eb36bf5847b41e53f4e5dc2d7a36c4762da2b1d354acab4f5f58315c678ee585dd1e31

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
320KB

MD5
6862778b79f11e3d77b68884ee966896

SHA1
10cb5d384c03d134103f9b7fb131de69bb82690f

SHA256
dae6dff4e8dfb33b2811e4c2620a4eb4dbcab3089127a71435f497737d592305

SHA512
4a989a9b971019ceb9389235d94b0bfbb9b7da70ae3043d62917b779b7faee49987660ce292eb5fb155a5684c25d32f5bdaaab7fb73f0b30b9eaaacde633671e

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
320KB

MD5
94a3bed8a70fd26ab7a0322f9365cdb7

SHA1
64c60dd58b1579a85c2019e396d1b2da6f834ae5

SHA256
388e87b5197cc141f5226c11f020ae58318b4cf5fca6814abd89f7c88de77720

SHA512
f64da8d470c55c9e1d5acf11108ab3d18fb07c1a647fe30b30ea7537d45a0ad422e56c8ca000571d16d050916135055c3202e2afea0bddf4c138d24b8a88237d

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
320KB

MD5
a6089faddb8150590642f03ca39909b3

SHA1
d3f61fecd23c0cf15635c0319cfbdbc2fa3bc5b0

SHA256
214eb26b5d6b1ccab648933e5c1647d388e173a2bb4461e08a0b9a3ff40b5422

SHA512
fe420a9a6e25b97bb3ab5fbb7dfa3c050d64ad2fd58cf265f1de2ca891dac2f41bb940df918a65a03c0b484b2658b77edc7c29a74bd187969a6ce8189dc1883b

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
320KB

MD5
5dad76b695eadb477465bdd9857ef432

SHA1
bcaf258f13ec7615c350e1b92ea697666a2777f1

SHA256
a1b36838724383253a69088678231e66e7a45a8d830ea7b92b78ebda613e1afc

SHA512
88d6940bcb546be1d30fe026e647677d9ddaf9eee6e35c865ca61a5879c7e3dd8fa147e084072b74d1b11cb1b5dde605976d33e513f415203cc056c5a0bd869e

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
320KB

MD5
9f6f591fe4b4797d46aea3cbda2f9e03

SHA1
6616563861c4ac27a6f53c58afca817b83338a6a

SHA256
6c051b6d9b55382af3d8b7719a17d0490f4f7827ffe510d8b4698e9d9d4deaba

SHA512
673670cd2dcfc13148f097da509ebb2a18a0a719dfef17a825ea0a8eec286f4d1909cfb8b09fd00962b4c9dca21ec2b09415d2a33fe2c0ba9e165982e3c22aed

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
320KB

MD5
0b0e1b8c1fb404999617586555b8c63f

SHA1
2753aa53fb9b92c19b2c13ae7f8ffcb936523d81

SHA256
ed56dbd0cb3963ca3faecb0e8bc447f02258026c62bb457354a731bf7590fcec

SHA512
5caa52ed0ff77266e26ce3b00ead234399c9636bc54c0df440b7a0f40c19386b5c5d067de9247f0c1c3241cc18fdd7432840be67c7e764d0f7077d12b47df9cc

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
320KB

MD5
d45c9430ff057d11ff9d82576e13807c

SHA1
60bf980daffa29b4fe8d8b0b24ec65b73b486df5

SHA256
3f9f8fde8432df8af4f7e9b87ee5ac83516b9fba4bc5564fd8a5af2411bfc64f

SHA512
59191085062656c644d93fa0c7c4f63f274f99a196f06bed942effaadb51e77e27c9673494c07ece3c7f3c7d9d97f4f9caf61cffbe39d5461d5c3350d58687f9

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
320KB

MD5
d4b2ab22f3877a4ab08a0bff9bed49aa

SHA1
3ed1cfdd7ee1865808bbbef0ea8ee5d8ec6c1342

SHA256
310f9b78f044bb14700dcf17e831f0172e178ea6f0dcc65d9a01215f2f431eaa

SHA512
8800709a58763d03a4f0389d6352d6e9c6f904cdf25e7907ddf671b41bb6d89cb2789393db048c10ae496b57574ad9f11dee768bc1062f57aba6711a5a203dae

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
320KB

MD5
e1465d03f569a9a853992acf672d4048

SHA1
af6d208b0a1ef659adfc64ce778f5033581a664c

SHA256
411624e08414456b7efc344c201abcf3123278f7bf1963e96b09c3ad8b3701b2

SHA512
af4037f31e4adfc863bb41f10d1966de82d4df1e679111c4916831275d781142a54ffb775e927d3f426cd075adde98131c3bcfe5bb8ab1e72cee35559d4499b7

Download Submit
C:\Windows\SysWOW64\Pemfincl.dll

Filesize
7KB

MD5
d43c2507fd88ebe2b750437b0de681bb

SHA1
f041d8fdf40c6a0e8e8568cc0aa92805f0dd3a96

SHA256
a569fd79546c3963f2eecc9e127dd644ab6f6610b3cc38e90c700d3bda2f2f32

SHA512
3b229c9dd82fee94f61f09d37fbef6cd9612ffaadfc3991f07bba8b00d26e9e11cc2bbf06d7b6edc102382a72a284bacaa42015fef49a157c49531933fdd5c5a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
320KB

MD5
7057cf0e24d03ff8a2b100df5e66e561

SHA1
c1bce12bd66509951db8950e196167353833d8a4

SHA256
775b3d0b496a8de67ed81a82eaafcf90a219ab08c142679aa1e5aeb327223087

SHA512
1b659b6cc158554264de2f31324807c277d973d103c4b8a740041111c4bdb52a6ce48bafe22dc45f7bff46addae71aceab791939dbbf5b8014fadbf37b1ef582

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
320KB

MD5
f76a6c10efb6d661010d7c6612585521

SHA1
9ee253ed8852c4a534d88d56dda5f881d0b745bf

SHA256
a29c2b626f9e5101d190275b8766feacc5c48149e7f1f30d8d2d79c2d78296b4

SHA512
9fe7d602a52caeb5ba071cd8b4a5849da819807480d597918e38d0c4e0213015089ed6b3adf863353404fae904649f3434125e2f723f3ed99416ca937f479594

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
320KB

MD5
ef3641d0c877a93f68856961506c4cc8

SHA1
3e2e2df438d905ee1ea310e93fad080e8c696bd1

SHA256
6d1a1dae1268d410a4836b3a760aa40041a2e92756742c39e739c0a3628896a6

SHA512
5a65b7bdcda0d40cb5dfcb8fbcae494d10eb735151a0b42a1c845a0fdae1a5baa91092b4b8ee3ff7edacd89ba26cb28a0c1f0cfba75680a6aded4c7b9caa9577

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
320KB

MD5
f29c7ead48b5297332970c1f5136769f

SHA1
755e2d14a0cf80fbf1fdd195618edd5a2dee99d5

SHA256
d37f6c290afe5c58eb1338b527154a98ac9f26957145267e0f98ba441d000e4a

SHA512
89ca06290c0843c78930ff967bc478df85a9a6c6ecfbe0ee00da62abb8a563b355fa80423372e7df13cab105f00ee7499869c6769d98143cd85c0e4ddad9fab8

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
320KB

MD5
df120deaeac282ab4e3b24de5d93abb7

SHA1
fa9ee7fb3e7b1ea42611a2845853c97c55092226

SHA256
db47655e7e45de922e1f19bd9890d140a3a56f36e2cf18e602ce4d80ff5e2858

SHA512
df4e6985503e3ad6dde6f1b6187a2fad512c71785a5147f3161e3148f75cea5c0290b7d35bd0efdb39fab0dca19a8dd5422bdbcc0e6d737cfc651c2f7867b908

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
320KB

MD5
01c8d0888a451cf3964398ac3bbaecd0

SHA1
8aa96a626c0fc474284d8f1bf63274ba32da310a

SHA256
a8472d711e31b3052a37dda29c31f36cea0396cde656eb0f8d551d6c40d07a3a

SHA512
b9d15fd97365446d7560d5e4fefa1be8acc3b389b08193e12a4a38a4f6b55e3089e10980a4be844e814e3e9a8a17f719e09a718aec69cf9098da48981cdf75aa

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
320KB

MD5
9e7fb3d657c8e461a255ae305ae919fe

SHA1
573c1057826a4029bf2eee5a1c1fc1a2ed5102a1

SHA256
5acaaf8fd31dd2669e4260a2354f06162cf461aef200e8612e1367d84bb203c4

SHA512
585532cd74e46e95a88f20ca00bc84105c4cae3d458e60b211e5b1fbccb3c4afd508f0f57c28b3ff07a0ec6341f08b24fd34c340ef1beb8d0497b5ca0bdb4f29

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
320KB

MD5
38d0b41f7098b5161590464f8eb1c7ac

SHA1
bacc4c8e2250009c10656f3d73739f2c44300b8c

SHA256
a1f09444bd56bcb1114d773d4a2bd6098065ab9f3ec2d4d871c84d2796744159

SHA512
a3d92b3f87a748dc46c44ed60434851eceb5be25030a359426c902bc0e8d8db8182d17b010a5acf6a369c2f3109389a2932561beb5d117d00258fc309431b7ae

Download Submit
memory/224-455-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/408-287-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/432-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/768-491-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/784-413-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/864-441-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/960-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/972-341-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/976-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/976-560-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1232-275-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1240-293-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1448-401-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1520-96-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1564-515-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1680-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1728-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1876-580-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1876-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1908-299-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2024-497-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2032-479-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2184-503-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2216-533-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2248-546-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2248-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2268-205-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2376-248-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2480-540-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2544-509-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2708-263-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-371-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2792-365-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2864-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2908-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2908-539-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2968-160-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3036-311-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3048-111-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3060-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3220-168-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3232-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3244-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3284-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3284-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3312-215-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3344-553-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3344-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3432-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3456-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3464-269-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3516-212-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3568-321-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3632-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3740-281-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3832-329-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3960-587-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3960-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3968-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4004-232-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4016-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4176-156-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4204-256-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4208-323-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4216-531-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4224-425-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4244-467-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4360-353-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4400-305-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4484-449-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4504-485-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4512-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4516-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4676-359-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4728-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4752-473-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4768-175-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4784-435-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4860-239-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4888-594-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4888-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4896-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4952-335-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4992-443-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5060-521-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5088-461-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5104-350-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5148-547-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5192-554-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5244-561-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5304-567-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5344-574-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5388-581-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5432-588-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads