93b7cf2d80300f3e78ca3532750a101921caa03619f0ef91536f7a34df751a5b

Analysis

max time kernel
103s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6a152f7f752c4528a62d219c49e5230N.exe
Size

347KB
MD5

a6a152f7f752c4528a62d219c49e5230
SHA1

e721c17fe10687b827008d8858feb2cb0c6675b2
SHA256

93b7cf2d80300f3e78ca3532750a101921caa03619f0ef91536f7a34df751a5b
SHA512

06e786283e249ad52675b46c05e3d3474e1bab7b2935f94029a60874a6b05b49dceb593d384b9224673829c8729067d40c70312121bc5e700ba6f1c70d455255
SSDEEP

6144:+a/Mi5kx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:+iMDx4brRGFB24lwR45FB24lEk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a6a152f7f752c4528a62d219c49e5230N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe

Executes dropped EXE 64 IoCs

pid	Process
4384	Menjdbgj.exe
2296	Ncbknfed.exe
2060	Ngmgne32.exe
940	Nilcjp32.exe
4876	Ngpccdlj.exe
1044	Nphhmj32.exe
5092	Neeqea32.exe
4472	Njqmepik.exe
3208	Npjebj32.exe
5048	Ngdmod32.exe
3292	Npmagine.exe
4912	Nggjdc32.exe
2272	Njefqo32.exe
4416	Ogifjcdp.exe
3048	Opakbi32.exe
1788	Ojjolnaq.exe
3012	Ognpebpj.exe
2872	Onhhamgg.exe
1952	Oqfdnhfk.exe
3060	Ojoign32.exe
1324	Oqhacgdh.exe
3648	Ocgmpccl.exe
3352	Ogbipa32.exe
3540	Pmoahijl.exe
1884	Pqknig32.exe
3420	Pgefeajb.exe
4460	Pfhfan32.exe
2924	Pjcbbmif.exe
1384	Pcncpbmd.exe
4968	Pjhlml32.exe
2736	Pdmpje32.exe
5108	Pcppfaka.exe
2732	Pmidog32.exe
3076	Pdpmpdbd.exe
5024	Pcbmka32.exe
960	Pjmehkqk.exe
1052	Qmkadgpo.exe
2364	Qceiaa32.exe
3728	Qfcfml32.exe
4576	Qnjnnj32.exe
2460	Qmmnjfnl.exe
4752	Qddfkd32.exe
784	Qgcbgo32.exe
5052	Qffbbldm.exe
3364	Anmjcieo.exe
2032	Ampkof32.exe
1352	Acjclpcf.exe
3964	Ageolo32.exe
3708	Ajckij32.exe
1396	Ambgef32.exe
1012	Aeiofcji.exe
3760	Aclpap32.exe
1976	Ajfhnjhq.exe
1332	Aqppkd32.exe
3092	Agjhgngj.exe
1896	Andqdh32.exe
1240	Acqimo32.exe
4732	Afoeiklb.exe
3296	Anfmjhmd.exe
2292	Aepefb32.exe
3900	Accfbokl.exe
2624	Bfabnjjp.exe
4816	Bmkjkd32.exe
3968	Bagflcje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5932	5612	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 4384	892	a6a152f7f752c4528a62d219c49e5230N.exe	84
PID 892 wrote to memory of 4384	892	a6a152f7f752c4528a62d219c49e5230N.exe	84
PID 892 wrote to memory of 4384	892	a6a152f7f752c4528a62d219c49e5230N.exe	84
PID 4384 wrote to memory of 2296	4384	Menjdbgj.exe	85
PID 4384 wrote to memory of 2296	4384	Menjdbgj.exe	85
PID 4384 wrote to memory of 2296	4384	Menjdbgj.exe	85
PID 2296 wrote to memory of 2060	2296	Ncbknfed.exe	86
PID 2296 wrote to memory of 2060	2296	Ncbknfed.exe	86
PID 2296 wrote to memory of 2060	2296	Ncbknfed.exe	86
PID 2060 wrote to memory of 940	2060	Ngmgne32.exe	87
PID 2060 wrote to memory of 940	2060	Ngmgne32.exe	87
PID 2060 wrote to memory of 940	2060	Ngmgne32.exe	87
PID 940 wrote to memory of 4876	940	Nilcjp32.exe	88
PID 940 wrote to memory of 4876	940	Nilcjp32.exe	88
PID 940 wrote to memory of 4876	940	Nilcjp32.exe	88
PID 4876 wrote to memory of 1044	4876	Ngpccdlj.exe	89
PID 4876 wrote to memory of 1044	4876	Ngpccdlj.exe	89
PID 4876 wrote to memory of 1044	4876	Ngpccdlj.exe	89
PID 1044 wrote to memory of 5092	1044	Nphhmj32.exe	90
PID 1044 wrote to memory of 5092	1044	Nphhmj32.exe	90
PID 1044 wrote to memory of 5092	1044	Nphhmj32.exe	90
PID 5092 wrote to memory of 4472	5092	Neeqea32.exe	91
PID 5092 wrote to memory of 4472	5092	Neeqea32.exe	91
PID 5092 wrote to memory of 4472	5092	Neeqea32.exe	91
PID 4472 wrote to memory of 3208	4472	Njqmepik.exe	92
PID 4472 wrote to memory of 3208	4472	Njqmepik.exe	92
PID 4472 wrote to memory of 3208	4472	Njqmepik.exe	92
PID 3208 wrote to memory of 5048	3208	Npjebj32.exe	93
PID 3208 wrote to memory of 5048	3208	Npjebj32.exe	93
PID 3208 wrote to memory of 5048	3208	Npjebj32.exe	93
PID 5048 wrote to memory of 3292	5048	Ngdmod32.exe	94
PID 5048 wrote to memory of 3292	5048	Ngdmod32.exe	94
PID 5048 wrote to memory of 3292	5048	Ngdmod32.exe	94
PID 3292 wrote to memory of 4912	3292	Npmagine.exe	95
PID 3292 wrote to memory of 4912	3292	Npmagine.exe	95
PID 3292 wrote to memory of 4912	3292	Npmagine.exe	95
PID 4912 wrote to memory of 2272	4912	Nggjdc32.exe	97
PID 4912 wrote to memory of 2272	4912	Nggjdc32.exe	97
PID 4912 wrote to memory of 2272	4912	Nggjdc32.exe	97
PID 2272 wrote to memory of 4416	2272	Njefqo32.exe	99
PID 2272 wrote to memory of 4416	2272	Njefqo32.exe	99
PID 2272 wrote to memory of 4416	2272	Njefqo32.exe	99
PID 4416 wrote to memory of 3048	4416	Ogifjcdp.exe	100
PID 4416 wrote to memory of 3048	4416	Ogifjcdp.exe	100
PID 4416 wrote to memory of 3048	4416	Ogifjcdp.exe	100
PID 3048 wrote to memory of 1788	3048	Opakbi32.exe	101
PID 3048 wrote to memory of 1788	3048	Opakbi32.exe	101
PID 3048 wrote to memory of 1788	3048	Opakbi32.exe	101
PID 1788 wrote to memory of 3012	1788	Ojjolnaq.exe	103
PID 1788 wrote to memory of 3012	1788	Ojjolnaq.exe	103
PID 1788 wrote to memory of 3012	1788	Ojjolnaq.exe	103
PID 3012 wrote to memory of 2872	3012	Ognpebpj.exe	104
PID 3012 wrote to memory of 2872	3012	Ognpebpj.exe	104
PID 3012 wrote to memory of 2872	3012	Ognpebpj.exe	104
PID 2872 wrote to memory of 1952	2872	Onhhamgg.exe	105
PID 2872 wrote to memory of 1952	2872	Onhhamgg.exe	105
PID 2872 wrote to memory of 1952	2872	Onhhamgg.exe	105
PID 1952 wrote to memory of 3060	1952	Oqfdnhfk.exe	106
PID 1952 wrote to memory of 3060	1952	Oqfdnhfk.exe	106
PID 1952 wrote to memory of 3060	1952	Oqfdnhfk.exe	106
PID 3060 wrote to memory of 1324	3060	Ojoign32.exe	107
PID 3060 wrote to memory of 1324	3060	Ojoign32.exe	107
PID 3060 wrote to memory of 1324	3060	Ojoign32.exe	107
PID 1324 wrote to memory of 3648	1324	Oqhacgdh.exe	108

C:\Users\Admin\AppData\Local\Temp\a6a152f7f752c4528a62d219c49e5230N.exe
"C:\Users\Admin\AppData\Local\Temp\a6a152f7f752c4528a62d219c49e5230N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\Ngmgne32.exe
      C:\Windows\system32\Ngmgne32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        49⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        51⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        66⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        80⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        89⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        90⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        100⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        103⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        106⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 416
        113⤵
        Program crash
        
        PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5612 -ip 5612
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
347KB

MD5
5241ca9576a1e705050432a0789399cf

SHA1
8c308ce3d90ec55bd28d549318f86c628c3f4973

SHA256
82e89feadfdc3cc21a0d8cfaf9f8427640d5085dcc62a107d68e2cf507a95c3c

SHA512
fb36ad20ec7e84cd6ca77c088bc2b11a074add4d21c1d42177eba8cb3b34aeb6e8a9fcddf77fa1fd366b9d09c8e89d5b5cc38395427805179a0f0a1e52e7b1fa

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
347KB

MD5
dde2c3bb1b46cb65a239d46f12f50024

SHA1
de08112c4c4eccfff3f1608673874023b1573ff6

SHA256
188a750884b5bad23089e47d3eb999ade57abbc068f17c23bf6863e45498879a

SHA512
e5c239c4259bac804299f7ee0adfebe038a41e934c33cf2b9897022a6063b36dfce129784294d05ade49b5f6de9bc0c2c710d3d78bac3e3ad536e8b00cddfb51

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
347KB

MD5
5ace90b223df4e22c466bfbe8419c17f

SHA1
f3316fb2b17fb567bded4152fcb489612f864bbd

SHA256
37c5051bd6885b0c3de63b481a5af21257b384ee0f92f9f609dcf956b411d00e

SHA512
44a1361c9ae34c4e0ad3f2d6f94852e56e3658123065c3e5b533c377916483308f62c88b076c4697d5658d433eefd6721dc287db7ef0fe4e71582a1413f7c09a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
347KB

MD5
ce79b385a38e551589be810260b0be8c

SHA1
05fab1a12e4aaaab7e09e92ce7985dbd9fb7ca50

SHA256
f0ba1aa13118786ce0ee1eaa51810e385030f5f42e9230a99c4344cecebce928

SHA512
7e7ade696a334d4e957e01f3ae1343505029b72cfbb87cad255bff89b73036f75aa5f36039fb5787267a3b72b2ba0869cc250297fb65d0bd92d4385211f46765

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
347KB

MD5
f6fd74ef990e265ffc4166d48e521bdb

SHA1
196725c7c79c766f8153012ac0a26f548e1a0585

SHA256
a5a233f446c4b1aca54febb0b0f97ce7f5410fd2eee467b7d46ca9f52ebd30e7

SHA512
53d9e75c4c909f0e383e0bfa2fc6f13533ca435ffa976c397474a3047b036c1279b6fe5855991cacd0914a23a982c2d47cc3efd0bc15cc715a8cb2a245051fe0

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
347KB

MD5
9ae651416ae68fb2ed4c660e1ff6ff97

SHA1
26e38a7b5c1c4907103b77e9cb46fdc23d7d31e7

SHA256
c005ffad0c113cbd40ac27fbe404d8c6493cc52f7647743aaeddda3a3fa9dae4

SHA512
8b32089cb66b41a77efbdf92d6f0c6df5661e4f6bd88fd1bac2b640d3d98b08006aee5ad5a40b8d37a79cdf7ce266c1c902d7c464075a4631d7979dde6cede5f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
347KB

MD5
8fc45906b4c7d260ab109cba8bce35e2

SHA1
61d73c012541c6d198f5d65ffc05c8fd149dce37

SHA256
cc36be2551640411289c158cbd22c5c4f127b2063d5f42ec3dc6c627eadae250

SHA512
61ec66d8dd6e46b167b86bb34f436c4b315a1c129ca85f73b284e39d6ae2d14315a718eef979621a77823b5dc84553b470c874cb7664b3111ef68e6ae5e44a77

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
347KB

MD5
916590c0035e451ecab1fb96979abe44

SHA1
82b593d959ede523628aa5c62a88775fe47b18fd

SHA256
a676467c82e432e46d064a7eae3b664f412e12818ed026dd0966a4c726d15b99

SHA512
b6e18ae631c61f5ce29a19e0300d15af69a37b3e40543a21ae67e1c7277add0b260278ba83fadc956c337ebf8fa52729c3ce8188060ec4045ca5d02e957ddf41

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
347KB

MD5
2f882a9e473745e24c6cd9c4bf2fba0d

SHA1
2a75455cd45725c7fd86c3ea2a5251048965191d

SHA256
ab2f6521291a1747cefc337522953ff185233f25f4a0c881b568292f41cd8ff0

SHA512
9ec9117c31f6bc9f61b2475127250e6905fcb4f15a7aa4ac7aab1305fda9cf38d0aaba82bf36efa846ad9f576409d6ff3ac3001db26b8a64de3385d2dadb434e

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
347KB

MD5
93077c3ebd4b31e63bd45d057e7871af

SHA1
5c67ba648a3975ca4dd16d1625cd6b6948268284

SHA256
92c5caf44e5c6dc1b86992af593f281205f1bb8c1a03da4c43a836674d602ca8

SHA512
88d742b0d74a28e4554225bdf95255430e1be3d5c4344f4912fa48a48b88f1ece033e1b0e59a11b6386cdd6816849cb2b5d05607a4882d28b8da8010e5cf7728

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
347KB

MD5
61ea3254aa8f16b38faaf7d91f5cde26

SHA1
01ba4cda666627876e9b6f519708a0ea35147d41

SHA256
d5fd20b48a814fdf5ce16356a65df0ecb0e022734e240ceab42c8bf4b01cb4fc

SHA512
1fbab5b2b55575d35ae669047d75924fe6e96c9d77ca2c9d0a2811163056785da09020ea8810f10076aae9c46db3ab2ae84e949cbdfac4e578c0dd3a92232669

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
347KB

MD5
177a5d6ccd6f947e27f71d6cda27818b

SHA1
fd51f79baf3d1933a9470d988c3efc41bbde33d9

SHA256
3d3139f4df745f1a422ee34e9d9c64b3c2161f5422d06a0c2f7dc2cf20196b8e

SHA512
e497f5c9f564f892255ba83769947281f5f0159c5415cb64b39d2e06e9b9b67e9b5fd545cf5de9270c720fd95b5bb6c9cf55c3abf48ea8f4d6a4f74e3a1ca07d

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
347KB

MD5
daf8872e05b9836ea00d6018fc8b836c

SHA1
cd70ea8bc4f947300323e8f8cf1dc8471edcc9e2

SHA256
a9b473171977c4a886aac96d3d7cdb014c96e2293495af6a46a13c9aeea9ff77

SHA512
3518601f2b1fc882e412a45f503cbfd9a9c85c4fefd8550c515996a591f7bb50ae2dc2f81e0034c0015061b9fad5afaac1bd90f4be3d00899aae26ec67b649c0

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
347KB

MD5
3579da266cff6bb97524a83fd978248c

SHA1
2a82826f2a6f721c32edea8536bc0c44895e90a2

SHA256
8b0834ecbd09a1166f0c5b0505efe9c3f219eb6d6f01f0302388e84ec445b909

SHA512
8500eef2d6f8e1b6891a3b65091c9f12ad80cc33d6b1cc0f3f1b093259415b74cb704b1f2b813e0af9c294a6246915289e7bd35de2a34f03ca08df3a5f201ada

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
347KB

MD5
46f6e5fe708be10bbdf070556e4e18b4

SHA1
c7a7383f4a6f2aba328122d8a14cab1bb13c0036

SHA256
d5011316626a7365b2b89119d0caf45b72a9cf54f72a08690f6e144259e8ff98

SHA512
c13d2ee7df881ed72ca9a36958208f6d16caf2ae27f299929e8c00b00685db54ba9d7fc6788be47426e1d994858b834b5f334b86005de60f55ea7799f3c60f08

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
347KB

MD5
1fd05bf049e0477937dbeef9a36dda6c

SHA1
ac4ce099b50b1c2a4396b3a595e1feaf90c69b0f

SHA256
3132c68eaf745e132c10e32eae6699434fbaa03b6c83c0917db6d3288853c694

SHA512
02a49f392577ad5c883f743b43f74dacbee1eea1de0cf31f9f93cad3cbe0a21bb3cac0e771f59ed1d682d4e3bcb9f9f56749197e90a92bf1967e787c7ca07c88

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
347KB

MD5
84fc7ec6d2a44d0820e87d546f0a44fc

SHA1
a511a38f35e226e71bafb71ab57710f82cca2be8

SHA256
08a76cfa475a2bfa68b49eeac2ad956018cb3c75ff24a38d1362c9f8c6ef0526

SHA512
474076287d47d1e7e17a1d4162af047494a5cb1278eb7a618c6097112866371ecc591d524e7ec818c5e197b1ed5a9f7e09b89d2e8162a2930d3b4c183f9305af

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
347KB

MD5
e772667b951b64b58ff919b24bded63b

SHA1
af016d39d78e03497d7be365cad5f640cc10bbf0

SHA256
1d64953c555c4cceb63fb19fbf46671e752f1ff9b45b84da273f7c9ebb0e899b

SHA512
5e52ed491900d6962507ba27083b6255b7fec95d10a29bfb7853a56e536bcffe0b56a1a8bf0e40c94c128b06c0a9cfe9bf78ff886caa3f082a000b1321732c5b

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
347KB

MD5
f36d4c9269f8d518722e60b6e2165fec

SHA1
4d71cdaa66fecf9d479eb001026565b7be1f366d

SHA256
21f7d18dbc9ada0a94fa513c74fca3db1af5618a7c05c160022d90969b54d521

SHA512
bd501383d99a41a5c2144a9f62108cb99180cb404b5ee2ac8bdba29bdca2a3eb1dd1f50c3b81f8ff186c3586831214329261a2f5b9b79b9cb1f99a7f41450744

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
347KB

MD5
1351fd79f763a7f37ecb603cb4dece72

SHA1
fad2296b7ca647057f6f011aa58e742871b02aad

SHA256
e19300e46511939bffa30a531750d1068e3670ec34517079423103560fa7195b

SHA512
00605a87fdf1bc29dd1800cf9334d8c63a40195ef9e96cc8504c0ad2234ae13c9c9109f9524f006e82b38342b5fd6b92aa0073387fb780efd084d6e18dea2226

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
347KB

MD5
fb6493294d675aaf1e68240f9399d200

SHA1
138de4c9114c6f98c06099a759b23ea9b1c77622

SHA256
091b0e69976130cce5a3500dab4d4dd8eba374005d165c6f941ec21342d36510

SHA512
edca5bcc8ff0a26d6bcbe75bcbe669fdcb2fde72d972755669499f0a4cfce6f350e2bcbd51e658e51e9c88738c5efb6bbb08ce1d91922ed4516998a4e0496fc5

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
347KB

MD5
067a5b41049cf662889d8d4849dec96e

SHA1
2b815bb71a38c837a23776021249a942aca8491a

SHA256
398f5556fdade63558a5e686d11e2542f58d564ecda9e6ede6d394a4dc185293

SHA512
6a209551ad8ea4d1b5f9793eb0ed258db500c2cdf25e86b46529b2e8e240a089dd47d00ef659c12ce5cb7bf30c2228e516e3145b029756fb3b4e68768a22bbd9

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
347KB

MD5
6ea5c32260bc4923c60ac63f165de753

SHA1
2881c03f7d25c0ddd429ac3c210919f781ae347e

SHA256
4d567dbb94cdeaad7c6ec939ca20f7413e29c00055abbf045043221e8df727f4

SHA512
74f23e67680123b7b071c4d518f0de474711727839adcf504a9d1dd2419c6b3e5dca4f2a76d23e444b7888cca89911a0f88c82fa9f900ea7ecb8e559f568d51d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
347KB

MD5
8a2e5f617dcf7497f73b473bd156c39f

SHA1
4b50ca33ae829c970e60683ea53b3bc67b777963

SHA256
54ed98c2a7a3045347f5bb5f31e9e9ea4105a8d2c295d9944252bc84027c4cea

SHA512
817042e6c3c11960d9251aa7ea0d96eba3db12a7c391a57fa26f114f2e14bf172646c0f2e830148c477a88aafb031eb7c0c749b5d53d668c927945144dc94de4

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
347KB

MD5
92d27739784e5c6a5a8ad2756a0ff402

SHA1
96695472e875714dd535d9ebbc2f6775da615edc

SHA256
a5e052b627f6de86ea641555f41a6380174aba3b70d5b9bc59eddf38a1a1d657

SHA512
50ddcfd3007f7c9af31c90eec23bb865f300feff5a5787e4766c6f81c967f6a014a12c76ebb7ad3eb825c6d204bdaeb20d392f3eb92bb67e242e32de7aaa2777

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
347KB

MD5
d260f552fa689d3f77bf6d9c975b6150

SHA1
cc4de39651a4d725ea225e7c38a3415b636e5eb0

SHA256
db97119e40cebdd43991f23eb82aa5d61053859371c6f1a36915c7cd060ca023

SHA512
a7d5139108a3be92eb64f6a060a9a275c571ef24ba36a47d8c1f70f69256afec86ef2ce31b82a09fe12b9912a850264dbc74615ed2a6f296ecd7428512d88c08

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
347KB

MD5
64cf472a07232339602fd14c54dc9c0b

SHA1
87faafde76e7fbc407898fde2fc94f0177e528f0

SHA256
1110b40f1514a56e960fcb05f35cc5aa350b31b0e2704fa1db6d983c8c2665bc

SHA512
f933a3fca1456fa59bbac1a4f6579eb7e43b802e620395b790e20423c28a63918ffadf17f99c3660dd0d5512bf41b7daedd1336d69fe2d143855a5dd8a9d4d67

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
347KB

MD5
7cc9984e60ded802c2b97a683a7c91aa

SHA1
59a69bff403cb520fb2dd44dfdc6ded74ce14e99

SHA256
5afc9dccd83b7bd14f5eff6dfefa2a5889a293df71ebe7bedb29fc87727e9ec4

SHA512
3da0015a46cd11b123d279cfc6fb91953466955a7e1186ac971f4d833ed8c11c0a7d1f0b57420bb6c10c98332c65e79e1b63a371db26989c5ad268f673ab2d4a

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
347KB

MD5
3968cd4d8b508d18f6825311da210e84

SHA1
ef4d401781374916ef68daa75cb535f3c42cd0b1

SHA256
83f4d5a3cb535422c80fda5297410604bed3e0a9ee512ec25dd00b73d644e1d2

SHA512
cacdac74ad5566361990c7d3ab99beb8ee9b7ed63ccafdb833505f73b890be3af31c5182388df8b9afea1f7a96043017550b20e32a0ed64ea1ce1cf8e486d007

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
347KB

MD5
248f61a1f01d6ebfdddedf975279117c

SHA1
af59cd513ac23af2fccd35728be1216800201974

SHA256
7032b669f239f42a2461433df81f4e2fac243978e999d33bf0e68f5f90f2e995

SHA512
873a9c49761201bc1782b96acda7f1b403844eea85c79e20a9ebbfc787623b32b893348699532fc5d1e297db3093f6c5cf3521ddad19685d9b21ae365d91083f

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
347KB

MD5
0d6f125b8060b8da0cf15211a80ffdf3

SHA1
241162eed13e3b33f254a281241346e3f84275e4

SHA256
a7716666e4d4fe2be85c6c01973643e5ebb938d1799fd8233e05d9c0d067bcfe

SHA512
703d0a15207ede2c3ccdd31197b8626931ffb2f7cba472dc11469a2dd26406ec976141eb3317308a01c9d544cc43644869c6955527d27d069328810b00b79d81

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
347KB

MD5
e07cedfb10ceddb4ba43ce842dc58bdd

SHA1
3b4a54801928ee6616d94f6219b2af4ca4113cc6

SHA256
68d348bb5d0070bfd80059f2bc53ba556253a01c64f9e1b0db5a543f3c5464bf

SHA512
4acf8f9ab32448f74928a6e7df7a87268ff07b49470cfff1e90c97802928bfafde284c88a962675451d7ddc50b7e29065e053873bb215f9906b18893312fd3fa

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
347KB

MD5
0517cf708a6e358d1b3575fb2a258609

SHA1
8cfebbcf98d25e1c311dee00b87a15b2e52967fa

SHA256
f5a80c7e428c5535959aef5f969e7c878c1155b542aad3bb55f70ba54b86fa65

SHA512
4fb18e421401b779968839f4c14429e477ac60327d14bfd5b00071be4baa0861ddc415669dc5f5f2e79433511348b6d0728d0125ae55350583044df68361924d

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
347KB

MD5
7e8a954d1de54ad876d3e8d79745554b

SHA1
bbce5a46da1fba344650c87074902ec3eb5710e2

SHA256
dfc50ff5d26257c8b828176f17ba01584f55f1484fbef06b187373b10eede6dd

SHA512
7af1844f452ea47b43d0c4e63736b3d3480c0f1692191989a5f4c2d6e7778e31a90491508c0da42b6774f2a9f93d9878a531e555d192148e0bc28c4e71d450b1

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
347KB

MD5
21e4c761ca11467bac840aaeae0cc477

SHA1
7edf34e027221fc12c43a34f048aef27770f0579

SHA256
7b63037886ca5077d225fc54cfa6972e34a12f3c88dbc4b977eba85a715555b5

SHA512
cb9b722da1c44cdf8fb57085e02664dd41cb13b3d466dbc299069d5b4d8ac552785dc4a2384d4b4085d1b88f647a62ef9b1fbec26d3b003911b04bb3be02ebce

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
347KB

MD5
067b333ce85e2946250474b99d65e78a

SHA1
8e1a8958585a69a46233d152bbd0d65c4a51538c

SHA256
6f7de2d64a2a7b46294b877fc6b6874d382cb39e2333724c09d12bdc48ce5391

SHA512
b452cc516e2467c4db4a1582f5773a5958f2097e7cb11e5b350dd0bb791c4b0acf7ff429f4a04145c0d5ea068ad79316668994a33c81278f9c656cfd27f03b92

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
347KB

MD5
0e839489fd2a37163fe0fed50900c64e

SHA1
497c46de052e526c7d42f1bfee325d9a4e48db95

SHA256
7ebf2446e44c2dfb57cadbff9924d39cea1b8cd356bf5a75d56bcbf0ff3e5e2b

SHA512
b7a3dde993175c8a30754deda38f5dc4e944695afe719713791364371bcc983c2675ba937e65f73d4bbec147a4856300a0f9c41f3b9724dd8042e2f49bae2b4a

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
347KB

MD5
b84614325008dae739df1fa33696d0f9

SHA1
3746d49370bcffd54a44b45477c7e5a5007b0d87

SHA256
a9ffd7443d2726f16494507681974076d6ca0f980cdfd6df15306e9cd1af5058

SHA512
042076cb08a6e3652c467eb377aab2107b02fb4d89a14663f60539ca43491241f310a680a55dfa887bc06c02a9a36bd2bbc83e5aafd03500a353ba5473494670

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
347KB

MD5
7fc39df2be2a2f197ef30725ce943845

SHA1
15220582b344db0c15552e75816a2a344c83b5ef

SHA256
9444cbaac6ee65d289a98bac573693b52e220535445402677e3417870c338f56

SHA512
31a62a463875cdd34fd68c0f8cc1de51d871c56b71c097ba0b8d6e7fcb92aad54f11506c901703c39a8d1b6aa3e10f8d81a4f0f283adfe4b34db8d7a0abbdb3b

Download Submit
C:\Windows\SysWOW64\Qjkmdp32.dll

Filesize
7KB

MD5
c7fcb9e0140723ec3159f4ebfb5c62d2

SHA1
2b237d2bb1f324affa21a6fafd63a92d4a623600

SHA256
01b3bb243f9af7bbb45ba926054ab7b0b8fae0652edceabefaa5bd44dcbcfee7

SHA512
dcd5e018fa567b06707c310d2e0da407198484993c1e2274b14f2e573cc27ed4c142847e0a330bce439608f47d7449d25d542d595f504f37676717b7de2f3408

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
347KB

MD5
628e4a6ee42337c55998287342a3254d

SHA1
49d38aed9f5f7aa764baf1840843fa4be5940de5

SHA256
751ba6bd282307d1a576376477aaaa7ba4edce291f9dcbf82087ad11e9825b1e

SHA512
e0d71e27322376e3d68bc49995ccd14bcd97898bbf564b7424a5831537deb1f9e59c691d02841337bd486370cc8559840e097351a0973fc29aab28c686aab5f2

Download Submit
memory/784-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/892-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/960-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-522-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2624-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3012-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3364-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3640-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3760-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3964-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4732-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5140-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5212-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5252-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5296-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5340-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5384-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads