0433f6d63b837d45a4e139322c6c613fa72c49102537ab1f471a0ea7085d6c73

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3878ae0f4056e7b4b1c66e3ea26a000N.exe
Size

88KB
MD5

f3878ae0f4056e7b4b1c66e3ea26a000
SHA1

85d58d77b02eae3bf7786727f6c1dbac6266ed23
SHA256

0433f6d63b837d45a4e139322c6c613fa72c49102537ab1f471a0ea7085d6c73
SHA512

fa71497381cb030f84f3e4bc58e647937366eb99badaa21af447fbe105163ab32e7dcb1fae297df19b4cc898f4b084b985c64ca50ef0f4821e79f238b2da79ae
SSDEEP

1536:RtAvUbv3HmrEoxvR6sa0Ue19Y42NtAgnJL3PUnouy8L:Rtxb/5oxvRbY42NtAqzPkoutL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe

Executes dropped EXE 64 IoCs

pid	Process
1180	Nepgjaeg.exe
1348	Nngokoej.exe
3864	Ndaggimg.exe
4692	Nebdoa32.exe
3048	Nnjlpo32.exe
692	Ndcdmikd.exe
3652	Ngbpidjh.exe
2504	Nnlhfn32.exe
2744	Npjebj32.exe
4584	Ncianepl.exe
3956	Nfgmjqop.exe
796	Nnneknob.exe
1400	Npmagine.exe
1856	Olcbmj32.exe
4652	Ocnjidkf.exe
2052	Oflgep32.exe
1440	Olfobjbg.exe
2200	Ocpgod32.exe
4388	Ojjolnaq.exe
2468	Olhlhjpd.exe
884	Ocbddc32.exe
848	Ofqpqo32.exe
4108	Onhhamgg.exe
4344	Oqfdnhfk.exe
2456	Ocdqjceo.exe
3216	Ofcmfodb.exe
2960	Olmeci32.exe
4220	Oddmdf32.exe
5000	Ogbipa32.exe
3540	Pdfjifjo.exe
3008	Pgefeajb.exe
4244	Pjcbbmif.exe
2080	Pmannhhj.exe
3192	Pdifoehl.exe
224	Pggbkagp.exe
3972	Pjeoglgc.exe
1064	Pmdkch32.exe
3176	Pqpgdfnp.exe
3572	Pgioqq32.exe
2180	Pflplnlg.exe
4796	Pmfhig32.exe
3636	Pdmpje32.exe
1136	Pcppfaka.exe
2968	Pjjhbl32.exe
3976	Pnfdcjkg.exe
4588	Pqdqof32.exe
3116	Pcbmka32.exe
1596	Pfaigm32.exe
1660	Qnhahj32.exe
4288	Qqfmde32.exe
3244	Qceiaa32.exe
1236	Qfcfml32.exe
3012	Qnjnnj32.exe
536	Qqijje32.exe
64	Qddfkd32.exe
208	Anmjcieo.exe
632	Aqkgpedc.exe
4068	Adgbpc32.exe
2252	Ageolo32.exe
3660	Ajckij32.exe
4476	Ambgef32.exe
2132	Aqncedbp.exe
3876	Aclpap32.exe
3208	Afjlnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5428	5208	WerFault.exe	204

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3878ae0f4056e7b4b1c66e3ea26a000N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1180	4356	f3878ae0f4056e7b4b1c66e3ea26a000N.exe	84
PID 4356 wrote to memory of 1180	4356	f3878ae0f4056e7b4b1c66e3ea26a000N.exe	84
PID 4356 wrote to memory of 1180	4356	f3878ae0f4056e7b4b1c66e3ea26a000N.exe	84
PID 1180 wrote to memory of 1348	1180	Nepgjaeg.exe	85
PID 1180 wrote to memory of 1348	1180	Nepgjaeg.exe	85
PID 1180 wrote to memory of 1348	1180	Nepgjaeg.exe	85
PID 1348 wrote to memory of 3864	1348	Nngokoej.exe	86
PID 1348 wrote to memory of 3864	1348	Nngokoej.exe	86
PID 1348 wrote to memory of 3864	1348	Nngokoej.exe	86
PID 3864 wrote to memory of 4692	3864	Ndaggimg.exe	87
PID 3864 wrote to memory of 4692	3864	Ndaggimg.exe	87
PID 3864 wrote to memory of 4692	3864	Ndaggimg.exe	87
PID 4692 wrote to memory of 3048	4692	Nebdoa32.exe	88
PID 4692 wrote to memory of 3048	4692	Nebdoa32.exe	88
PID 4692 wrote to memory of 3048	4692	Nebdoa32.exe	88
PID 3048 wrote to memory of 692	3048	Nnjlpo32.exe	89
PID 3048 wrote to memory of 692	3048	Nnjlpo32.exe	89
PID 3048 wrote to memory of 692	3048	Nnjlpo32.exe	89
PID 692 wrote to memory of 3652	692	Ndcdmikd.exe	90
PID 692 wrote to memory of 3652	692	Ndcdmikd.exe	90
PID 692 wrote to memory of 3652	692	Ndcdmikd.exe	90
PID 3652 wrote to memory of 2504	3652	Ngbpidjh.exe	91
PID 3652 wrote to memory of 2504	3652	Ngbpidjh.exe	91
PID 3652 wrote to memory of 2504	3652	Ngbpidjh.exe	91
PID 2504 wrote to memory of 2744	2504	Nnlhfn32.exe	92
PID 2504 wrote to memory of 2744	2504	Nnlhfn32.exe	92
PID 2504 wrote to memory of 2744	2504	Nnlhfn32.exe	92
PID 2744 wrote to memory of 4584	2744	Npjebj32.exe	93
PID 2744 wrote to memory of 4584	2744	Npjebj32.exe	93
PID 2744 wrote to memory of 4584	2744	Npjebj32.exe	93
PID 4584 wrote to memory of 3956	4584	Ncianepl.exe	94
PID 4584 wrote to memory of 3956	4584	Ncianepl.exe	94
PID 4584 wrote to memory of 3956	4584	Ncianepl.exe	94
PID 3956 wrote to memory of 796	3956	Nfgmjqop.exe	95
PID 3956 wrote to memory of 796	3956	Nfgmjqop.exe	95
PID 3956 wrote to memory of 796	3956	Nfgmjqop.exe	95
PID 796 wrote to memory of 1400	796	Nnneknob.exe	96
PID 796 wrote to memory of 1400	796	Nnneknob.exe	96
PID 796 wrote to memory of 1400	796	Nnneknob.exe	96
PID 1400 wrote to memory of 1856	1400	Npmagine.exe	97
PID 1400 wrote to memory of 1856	1400	Npmagine.exe	97
PID 1400 wrote to memory of 1856	1400	Npmagine.exe	97
PID 1856 wrote to memory of 4652	1856	Olcbmj32.exe	98
PID 1856 wrote to memory of 4652	1856	Olcbmj32.exe	98
PID 1856 wrote to memory of 4652	1856	Olcbmj32.exe	98
PID 4652 wrote to memory of 2052	4652	Ocnjidkf.exe	99
PID 4652 wrote to memory of 2052	4652	Ocnjidkf.exe	99
PID 4652 wrote to memory of 2052	4652	Ocnjidkf.exe	99
PID 2052 wrote to memory of 1440	2052	Oflgep32.exe	100
PID 2052 wrote to memory of 1440	2052	Oflgep32.exe	100
PID 2052 wrote to memory of 1440	2052	Oflgep32.exe	100
PID 1440 wrote to memory of 2200	1440	Olfobjbg.exe	101
PID 1440 wrote to memory of 2200	1440	Olfobjbg.exe	101
PID 1440 wrote to memory of 2200	1440	Olfobjbg.exe	101
PID 2200 wrote to memory of 4388	2200	Ocpgod32.exe	102
PID 2200 wrote to memory of 4388	2200	Ocpgod32.exe	102
PID 2200 wrote to memory of 4388	2200	Ocpgod32.exe	102
PID 4388 wrote to memory of 2468	4388	Ojjolnaq.exe	103
PID 4388 wrote to memory of 2468	4388	Ojjolnaq.exe	103
PID 4388 wrote to memory of 2468	4388	Ojjolnaq.exe	103
PID 2468 wrote to memory of 884	2468	Olhlhjpd.exe	104
PID 2468 wrote to memory of 884	2468	Olhlhjpd.exe	104
PID 2468 wrote to memory of 884	2468	Olhlhjpd.exe	104
PID 884 wrote to memory of 848	884	Ocbddc32.exe	105

C:\Users\Admin\AppData\Local\Temp\f3878ae0f4056e7b4b1c66e3ea26a000N.exe
"C:\Users\Admin\AppData\Local\Temp\f3878ae0f4056e7b4b1c66e3ea26a000N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\Nngokoej.exe
    C:\Windows\system32\Nngokoej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\Ndaggimg.exe
      C:\Windows\system32\Ndaggimg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        27⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        31⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        33⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        37⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        41⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        52⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        58⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        67⤵
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:996
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        76⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        78⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        81⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        84⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        86⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        87⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        101⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        105⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        108⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        111⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 408
        120⤵
        Program crash
        
        PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5208 -ip 5208
1⤵
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
88KB

MD5
3d4ddc7c57caf8786ed40b8e7c1eed3a

SHA1
36eacb7a8fc911eab57a68c94ffdf70aad8fe2d3

SHA256
b5007ef6a13b5d7f9c04d0083442609bad1e665098710234a6e7b75ada460150

SHA512
f5af85c00fcde9822f66c846fad356ccf46c71aff3e57dea24b94db8ee3ac27cff85373e26959934bbb62162b0c353efc77fabaa4eb3f15aad9ce0ad9425edd1

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
88KB

MD5
5c14cc7b8a7c74999c3d3f5f98f38f9c

SHA1
36c506f4ca403bae7e95eef5c2a996db649cc344

SHA256
f0a0453c899163fdd9685fb96c2ccfdb472ea32804468ed87ec5cc9b76636d6a

SHA512
9e1c526f56a350a0ec1aa3f7418f0e62103810e38894239d525ef456675aab65afb158e1c2c619c30a63f493721415ef51350120abe8c5db5744ba72d0d46556

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
88KB

MD5
07c5e8c8fb7279d562295def864a18b4

SHA1
751572b8a35c03b98ed49fe80f2b4ab6841ec9c1

SHA256
8d62312ea37ef7ed06df4fbe01647d10808a7afd63741d863a29fc65bda4ca1a

SHA512
5b8af90ec976866b16a467871bc5fe91f8f312433d7b9cdf973d45d87d1b13a194a889ddc65bdc39e406f16386597c5288a9d414469c75f15af1e7f5e9573bab

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
88KB

MD5
e0b31672f8b24a1c6529472f09b26aef

SHA1
3873a6027380c070a31806f9506bfbef6f7572bb

SHA256
e075e6590916437cb57a1ecbcb716bfb58f08768b5d75fb2ddb2d21d422d2497

SHA512
72a9ba71db3228b9da07b050b48fe395269d251f16325b2a9e475532c18d043ffb8c5c6387e9efcac034330ad6c806ee995ea77b2d0c84a119fe4c2194a2f93c

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
88KB

MD5
acb878c5da188a5d4451723e55b19981

SHA1
bf97d523386eb4426e2d3017503a119df4170583

SHA256
f664141ea95e107133fffa1f61d4997145aea5c047ec8398d44accc0ad3cfd6b

SHA512
12f5067fcaac34e4b76fd714bfe1fdad4e5b070df633970b19f26b2380b342805214c9628ed47931cf0413596c824c22c332ea3a9dbfde32a114b912c1407cb2

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
88KB

MD5
05a4eaa2c32f7c51a6ca5b1242432fbf

SHA1
bd0a9bd1ee1f2ecb54d666bfd87806d2286cf0c1

SHA256
e2cc8295c2204fbe0e5b1ba27d67bc55772e5bcd3322085be8e7e5995bfc739a

SHA512
1b58663d8938fbed62cf7ba31a60c9126ecdeda8ccde1374dc8f06b210eca704522d37bfeb092c4433bd7e36a9530c6172565dd18370bc4f34c26660b91d4048

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
88KB

MD5
38df3915ad0952d025223536df9e4fac

SHA1
c1de0325fa8a238a95266d5e6e9041a791133b70

SHA256
4eb13e4eea874df5df8ebc55f60bef734d547c758b5d86e61fd3827165691030

SHA512
ae33e59f57856d775892b54543970d43adef27d0d34a2f47bb36bdd62aaf8328c3a3e025c7984abdaae356ce754ea726f0b559b89eea9c5a2f3b4ae6c6fa888b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
88KB

MD5
018d82c9988a578a0e777f76e32d0034

SHA1
11deba0ec8eefb5a6f2807c59a589cfbc3720a43

SHA256
b4ddb81e2c9d33337883d6ad817f4075628a347b2ec43288da35ead8bb967673

SHA512
ab9b344764188473725fcdd604514afdc023f775ed207696f005b0e4a1996f0ff22ab06c00f2fb8350678c7a5f5cd3ceaa94c58829113d3733ff4ab1f2ae8a88

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
88KB

MD5
328f6cd08d434d27c50da985d517c1a0

SHA1
75929f43cd00f8e77e59c7b54c92543e5b49ee04

SHA256
91a8f5e54d43ef5ba4dfc6f83efe5d408b46964947551cd1056627102a9545bf

SHA512
8828d8d2659f7e67499825359380fb3b93554adcb76bb48a1c3724e80dbbe77080ccedf8bafceb40b7cd80c64ea10ff7837c277cf5a6bc81fe08265d6df859ef

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
88KB

MD5
1fd2ef674940947cce5366f3dc3a8fbc

SHA1
7393ec4c14a1bafdfba89c69b3614212af3b93f4

SHA256
4f9c2b6b703de884c625394434139d7f16b5f3982e31f33ee7eaafe94d8615f8

SHA512
9076ec4e3299964f621ddd922c6fad3cca4641592df625adcee24074acbc2cf06132fb28cb467bf3d67029adaa0995a7a2ad9b0d7f97ae4eab91c152eeb9773e

Download Submit
C:\Windows\SysWOW64\Gbmgladp.dll

Filesize
7KB

MD5
17c77cb57c06306ec830a0f84d21f043

SHA1
dffbebe590a72c709d892d84209fb6bcb6af47a6

SHA256
7af3441b5294637908329c9f8add5153964a99f17f4df10e8efa0acbd9a09290

SHA512
5d87c0a351b4a425505361fa1856c352ca5daf3b1acda7bbbb91dcdd735574996761dac147b3467c13d8e6ebf087228ed32d17d6df5cdaea6956fb9f537bce07

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
88KB

MD5
7a2228b5e9566617c87df52717ca2942

SHA1
b13c2d6bad6bb6b1cc231da009eba219bed59cac

SHA256
90dbc1643bfdb4149856eaca85ec7ea91c35f4ec24ed54765b8fbdd1c58e0105

SHA512
a48c1f439c3485968656921a24eaa5bf7b3776b993bdec7360695ae88e5e1349290b2bd4295f4dd0ce797c48edae1e7c97e7bc1bc74074b6b2b142c432dd844f

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
88KB

MD5
c217b78b2d1e5b5ac3046c6640148abc

SHA1
fc6aa2e1879aa84d52ee16994d83a838a2d6558c

SHA256
86cba7a4bf420cb4f71cb0aaf2a7e97b54997d34f1d93aaa3e6f82ff6facbd08

SHA512
3d34f22dc641ba3de5c1ab7d024d0ba433fa22e9b288cbbc378c273d2631aecb7325e249c5603584cd5438fc21b73d270331d9a93a89f4405185be2918514f51

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
88KB

MD5
797104e46674cd178999506651fdf738

SHA1
3d477fb1e306db0714977e19d4c74f068745039e

SHA256
23d6392c447f92675f4002aeea3e8f3bfae03fbc5b9e756279bdfb6bccdcac8b

SHA512
e54e35342a4d6d79e27fe351a1fa2dfaba7178d3dea810f5aa80d0ec9f6fcc3f83778f5895839e41f12320f58dfcf2e3cef57c77b3bf49f64c7aaa4f5e8cbca0

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
88KB

MD5
4114f82b3105cc97bc9b3a1846699912

SHA1
38863b32f7ad8e2242b0195381a2914789de80dc

SHA256
4346f0c77d3f80f919a5ca339d4b22dbd26a5663a97aacec58e26693f39bbd1a

SHA512
f68f6684e4b84fb9f2db9e9be594c080ee9eacc2163c5b4561fb4e1c214552437311dc30521dd2e48cdb4065a845f973a435d91b0b12464599545879d663ea17

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
88KB

MD5
9af7b3eed7bd4d1792bdf29433b37970

SHA1
7d74027f396a564dd955d9777333d6a6d79daaa5

SHA256
4b2f8ab23784ff5e258081dc6c372b42671c58ed096b32315a6e73c8b3740a6d

SHA512
be709306af97142aae46c1353f8cb3306885807d7399f127d26facc2ea638d07bb8e886d3daeca3605b804e639626544cd5163f8c4530280cb917d1f4fc4b9fa

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
88KB

MD5
ed6eeee9a4f697371d72807380ba3a59

SHA1
56ddaf5986d2998fdf7957671467e6b2a9849f14

SHA256
68d4cc162cc704fdce6324b6ad182cf8a1d1ef70587fad52efe534bbf0a274f8

SHA512
632020916975415a8426b42587bd524b173653b0858795af649b37215f97875556dfaafb75ed2f5b85d4888fb410bc45e3dd9edc950e56d9a14b82f175cff823

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
88KB

MD5
28aeae498092a0b179423ca9ca4e403c

SHA1
54e452726fb8ec25e6b281aaf8507198a8c80629

SHA256
4111fe6700f6f450f929bfe9a9a0d3ebd325c46448679091fdb2a872bbe352e0

SHA512
719e5346d1848469c12bca4399d54fb577d82b7e59d168ebd2b7b1e8e9e49f8b020ba071e58864cbea887e2ee5b701d4ca9b13af13e9a546da868b7394f26d23

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
88KB

MD5
3a68771afdf77c8c85da5e6c1150a340

SHA1
33a7d349a7d02f4f4f5b4116b2d52024e7515486

SHA256
2d83017a61435d14ac032c2bb4cb13f283a36bc31d57a61ae3a06316dcab7271

SHA512
f1d0b978d3eef13f20be44a45dbebcb5c2c5fcba40784d085e697665e4d1cf03685174a38e983a412c0330670268247335f9bb2a1816870c44e64bcc22cfeb3a

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
88KB

MD5
d3def571faee6abf3e6c5111099c12c0

SHA1
34ed21ff1f4a4206172d57fadd330d205e20bbdb

SHA256
851244a0c3210fdc4fdb838529ad2f0b15aa1c83cc64f898e20fe44ac10bb892

SHA512
ca98a941caa5cfff1371e69342f927edb5d840518099f2fc29ddf8165f091196d85059e1ae975bfcc2b4bda44f2ae409c1ec0ff5f3eceb2ac963f389c6bf555f

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
88KB

MD5
16052f6d6a54622108bdb620e45f57df

SHA1
0c39686c8a06c4c7960c2d0c74cef40bde63242e

SHA256
8d85629824411548a14904b6ebfc5f0e4e9a819e501c5ea394d3c7ed89137272

SHA512
df019204adfbabfced7b4529bd6c1dca85334fd2fe1957e457590e1c6da014f14fba53224f16904b0e8f1244daf4f13e699c4615f012b2df8c3515e89eb4803c

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
88KB

MD5
c7d32e748ff787a4d23c0113cc30f433

SHA1
aebd8b5cfbf767387c2cac09beea2af563d87e7d

SHA256
b13d1a68ff3ecda8c1e7c3242946ef18c849db6fe7a2a2ee10c6afd815254043

SHA512
deb692a51cf76c5d407a2c42e2ef149ff6323835d03c6d506c0a5b1bf79d12a888c860a6cfadf2435b647dd8b6dbfb8dec2fa9c36e3e1e59bf5b5a5361031277

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
88KB

MD5
fd82110a0de142ae5910258cc973886b

SHA1
cc67c0bc1c0e22619d77d407cc05a57c801febc2

SHA256
9a9262eeb06ab9de109dcb5d8d0a97ae0a74ee770643037cb95bb9c0ad9511c2

SHA512
900ddda23bfea3149c9559f8a605ad8ad28816f7832d4f4bf8dc0c5c6dcd08c09760cbc472a80b93ea9ae7e99435f941692d194a2a3215d09a5b167f0817790e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
88KB

MD5
bfa4484f5a26a916d2ad646209b80114

SHA1
0a1fbca03a214b11d7270c88d2470fd4174ad597

SHA256
bceba1293050c4c4834f3aeba7d45d188b94eaeec432a11d2bae36ddf80499f8

SHA512
bdf4cb79474cff5f47a0623c397d81ce7d791e954dba2541313167053f20aa62d2a0db8c531029c6d713e93fbeb1e945eff9cefa5223d1a9d5e929ebe147d8c1

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
88KB

MD5
b949120cead628c12f588cd680c9ea68

SHA1
7b09f38e79505c1fcc456479032674cc9212e69b

SHA256
795358edc088ae116fed624b8eb24347dfcded04d69996b185b527449f323e29

SHA512
23e265e7d91308eefe7d7195f6a5848f9298630ff148b0ceb4002886a0c137153ca1be7a2664de673052190a8520c0057dafde0f04175e004a85054f670491ea

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
88KB

MD5
855b92bea7b89172863e71364c163889

SHA1
ecb2ceb864365c1f0cd5f9990426a47b7d79c6d4

SHA256
0a921b9f08f7b673ac3bd2e081412c9caa3803c2a3334f6565917c19386c1125

SHA512
33bef49e9170530aa2b4e59ecf4728477270490f5c0bd21f0c52fa6c55e65560c96307804e839d196da888fc3080307ae527eeee91d5299f6d3cabac358cb452

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
88KB

MD5
e9ebf9341de98ac058018a6c46cb76b2

SHA1
763ea70d5007447b35d723ed5838aea8ac5ab076

SHA256
9e5573a7627e60417e3dd4cad0754e3f1098f2681a15eb9992533fd7804c28a7

SHA512
d762fbadac8daf9fc1d14cc8aa13e49f679f8dfdbfc9ee7ad7e8614f8a93d99dc69e119215efd00aa1313d1f68b1af4495ff8b7f68ecdda7dd1cde8737225cc7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
88KB

MD5
d3c2cb3ba173d1f0bdb30f958d443935

SHA1
19ba0a8368b974dd441ce7198a25a6c75d68123f

SHA256
2eb517117ee49768a1a11ad9a61bdd479bf209378d58f92c1fe78ee9588b264c

SHA512
02350bedc9ca2773a5a1abf0bd18795254155d127bd901ab27d3a10e1855425138fb34b298ae9b87e489202af5197d8d84a824bcc247c10f5a8f60e650d81a48

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
88KB

MD5
6224fe985b8a36001b23425930521bbd

SHA1
ee790607be5ade0611845e6c82a8c75cece65848

SHA256
fafd63747b9c9f9c91d900c3c2b0b50d8d43b11fe7175afc102b8095062e50f6

SHA512
3948287b47929b8e3d81e5110225682d60628649ed6618d4d9ff3cc682124c94a17c57027c6b484daa48f125c9352b96492082be30aed2494c7724b1a3d61fd7

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
88KB

MD5
9b0972d5a0ae9b9571a076ba4fc4847f

SHA1
220c5c001e0c479f9b08073d4e0b810e4231d291

SHA256
773d18d2d3984bebce03c4d10b52c8cc3ec9eb62f71f1899604bdf7037de3308

SHA512
9aea7bf20cd0342a3df437df1585a53ed6a1827137602712e991547f5663a608712b0e26068835b0cd3d7b5e990a0d58a8f8a92271d275e57d8bfaa59df80398

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
88KB

MD5
980eee02f6b13686a1df4ca23a079e85

SHA1
ae5d87f79d1101e660ad94e1ddfb8dde4c36af8e

SHA256
c581514360bf7bec278d003cc95e6be4392931ee5b9573d48d2123d2e0f8b327

SHA512
926742d26d20b4f85eae889aa05140fa55fdbc2a335bb1eab902a8464ffe790e342c65a280d3a1ec5cbc3bd68e30c76d8165f45994fc3b1a6019b662444cccf4

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
88KB

MD5
dc34c7beffd55924e82bddc24a8b979e

SHA1
9828add387fb80afa46729f196658002da22bd3e

SHA256
27c136ce54b31cc0622272f3e23560dde9966be0990a1a4c1c00bab992e60544

SHA512
f5e939f336db29d9dc735801ff7d59e8121abe69c236b2bede6cce305d53dc140d0591c9e6e17cf7ff2301752ce13f4d43f13024c4dddaa2d8e57fa4e93a87d9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
88KB

MD5
6a21045bcb5723e154de8541947dc065

SHA1
e79d39e11711028b080315a09bfb70e3f2b6598f

SHA256
0f356a17e45fadad79335db0c2359f5996e0f5c17bdd9c6d8f74b41b619c5cec

SHA512
9273bc073684d218c9ee493efc8b472dd7e3594414872d46ef9def190885dbe3839fb12be8a642d495b9f8907f55d97d281f255ce45396847b0a1a6542d00b51

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
88KB

MD5
7ecced6593f09af48274aae7ebf08375

SHA1
b8d0ca67546435a6bfe4ae3181cac2c1bde5457f

SHA256
9d518a716e7a6528dbb7dc0f1703ddb632e991804d220d8fa6e2506146d46595

SHA512
31729f77c32779a381415f85b9faa50978a642fb2f9056b397c3ab8ed0b9eadd2c64d719d28a18464a4423c512a804afc52370ebea5798473a82d7ad41f80dab

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
88KB

MD5
9b286c4801676ed3a6ca3ffa7527f00a

SHA1
b7e1bba50902a05259bc40debb147778650fc593

SHA256
0de6afa2de1406c920fa8e05d40906160d8d974de8b26957c8b4bef924b48f10

SHA512
3d8bf9b37131cf734c0a6bc17c6549181686ae4f7ea19e0b845f7d3be867f87624a79912659b916e2bbae24820452c983134cd22e822895509d45fda4bcb7e46

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
88KB

MD5
97526b10d1165d7bb484c307f58e900c

SHA1
aaa24855b6668deaf090e69d27f3382d66cc5dff

SHA256
902ed5704996a5ef929bfc358730bb46b9223888b7088e7b267d578c83a7f5c8

SHA512
048e0b4288feb2a0664527b67d7ded2c0ae01c108baa2a877b7d3e7c9040041c01652b2de92323c2453165030cfbc59c9eed5626a508bb3b5adc3bc52c840453

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
88KB

MD5
6a00faa1e9708a20da579382a463e37a

SHA1
573fedc70065218ab7646eed2416676e67b17b68

SHA256
0f0b44a5ec36591519fb389eaefaee85a1b1d973fb2b3d24f39c2dd8b1c40fb2

SHA512
3f5e84b57f45cc7d0dc2d934ab63fed702e450663e01aa70f216f1a3bc53cba018c75351368fd3dd488a9074e069721d2907043b57ec6379a6496e99bb887611

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
88KB

MD5
c8641a779fd3883cd30c8994b12c6e4b

SHA1
0d39ee4f96de534a214b7dd9114aa8d68d7df109

SHA256
85b13d9989a3afb6859b1fecf88dae352553a9b747be26021e1bab0e2ff5cb2f

SHA512
9da6953ca3ef5b8ec51c58612afda278ac0cc89c17ad625bb6122311028652421814cc7b7e0b970e51e1fb1cdac1fb8cc3a919372216f21c19d9a61692b8621d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
88KB

MD5
8af6498242b205c78389c44bbab05b65

SHA1
37ffc003955aa128ebb182918df5a31ee5b68def

SHA256
9ad7701e60cf217a8e69123b381b303a9d98d7623e68e80d981169d36aa3772c

SHA512
8c95f2a51b8aa5221e36d03eb26e0edb0d0edd7de98705aa45c7b35b7c854b1d30e2116df034f99d1968c4c46b86c190ee09b1024ca909eeea4f065cf1cc5976

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
88KB

MD5
2d3cdf617462ba9a7a1f58fcdd7a85db

SHA1
3740775dec45c24bc1301e57beb9b563136d9a07

SHA256
6f8d7c9bf7f65c30231b5a0b0788c0570d7d1da98706af28753c6d667e299064

SHA512
37fdaa1107cce7e75213b71471e876dae4e9878078d05a4753afb30b09e6f6f20f26fbdeb44ec1a204a43277d909481dcee4cbf821588e4d156900cb4baf521f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
88KB

MD5
2732fcae9414cc8f5b944fefe380c6ae

SHA1
7f727eb03b569eef986fc45c4c8be1911bcee3db

SHA256
48ec45315fd7ac9d4d248312d268a93904046fdf1ffe4b2fc70567f3c69606bd

SHA512
3598bb8a76679a505ebfe6e17b359afa62d06a90989d44f1da56179ed6a9061b57fe8ad7f4296f45871ba060cf1f1a00415b2bc208d7593f7eaaf1dcfd55e0ee

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
88KB

MD5
4e90129b512ef010c55fb0de4ec0ddaf

SHA1
942bf23fc1d9d13189034eba1e94454b7ac79f78

SHA256
f577dc403b6d6f2aa879ea0e6bf52885e79796c6145c8ba01d41494c51dd460d

SHA512
836b0e0e10289e45261e7da71f7cc8b059d0b57142fd340f61d017c84bd977ff9d6b1c353067947c26c52196d0867db065397216c091c093d94fa19a4fdb0e42

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
88KB

MD5
effbc37374ec4f3898843780d7b10c88

SHA1
afd63929bfef6cb85492bdd15e421402330550cb

SHA256
0a0f01897e6edc3baefa0cb559d3105248a0e05d8f398c41e49adc8317691548

SHA512
1d79f62f2eb47878b5ddfb4b4410f424f3af1e182830b285cba62588781adfd12f6b750f453c1535b5425afe437d6d2cbcc3406311e375b6daa220c42d64dd36

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
88KB

MD5
d5dcdfc286a01f038281a90c8f582746

SHA1
cdeca98a13b241300ca316e773aa2989eb06e25b

SHA256
80209db4087ea6ecbeb2a7f7954b8a081873abdb88a8684095eb1875e875dc2c

SHA512
3306a0200721225085e21e5334ea40d691726aa014e43531fbc5fd2b065b399ee5dbd7a00d7b737ce600d92de2c2dc84d9e045ee2260465452d1fb7ae5f9a233

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
88KB

MD5
094fb369256fdd15d8deae1639843aad

SHA1
592fc858a1ff1b742f16e42088b74f188af225b7

SHA256
55e3c8f12df599bf12f317b0287aa7f5fae19217206a231e9ecbe2ea6a41dd88

SHA512
94d05da86ab572906a84cad3502ab1eeb3fc1955c42e38f486732b0368e610f3780b9d6b6a241f62940956ec5208e6a7826dafe5c06a17aec98737d353634107

Download Submit
memory/64-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-832-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5332-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5376-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5508-861-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6052-810-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads