a21bbab5fced0b7598dc42e3944c221e47f4fc896b940838b087c2b351defcde

Analysis

max time kernel
118s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4910c00dafada374e07428a5d6c590f0N.exe
Size

2.5MB
MD5

4910c00dafada374e07428a5d6c590f0
SHA1

5bf03fb0500d7f1e0d78057b7e9c7b1b93f3ff48
SHA256

a21bbab5fced0b7598dc42e3944c221e47f4fc896b940838b087c2b351defcde
SHA512

e986876f1d79fdc85493e5611d77387baee00e21fa26a7c5fd0687f20d7d623f67ceb65619c1919a0cf433be4aefa4d5155910f5846f3d7b8ee09b334896079d
SSDEEP

12288:RYVVENkY660JVaw0HBHOehl0oDL/eToo5Li2:RYVggdVaw0HBFhWof/0o8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4910c00dafada374e07428a5d6c590f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe

Executes dropped EXE 64 IoCs

pid	Process
1324	Kdgljmcd.exe
4252	Liddbc32.exe
1452	Lbabgh32.exe
2880	Mdckfk32.exe
2996	Medgncoe.exe
4632	Mchhggno.exe
4664	Mlampmdo.exe
3612	Miemjaci.exe
784	Mlcifmbl.exe
4568	Mgimcebb.exe
5024	Mmbfpp32.exe
3948	Mpablkhc.exe
1236	Mcpnhfhf.exe
4612	Menjdbgj.exe
4224	Mnebeogl.exe
4636	Ndokbi32.exe
4060	Ngmgne32.exe
5104	Nngokoej.exe
2340	Npfkgjdn.exe
3400	Ncdgcf32.exe
3224	Nebdoa32.exe
2592	Nnjlpo32.exe
3064	Ndcdmikd.exe
1900	Ngbpidjh.exe
3996	Nnlhfn32.exe
4836	Npjebj32.exe
1912	Ncianepl.exe
1660	Njciko32.exe
4872	Nlaegk32.exe
2280	Ndhmhh32.exe
2912	Nfjjppmm.exe
3108	Nnqbanmo.exe
2532	Oponmilc.exe
1556	Ogifjcdp.exe
4752	Ojgbfocc.exe
2456	Opakbi32.exe
4928	Ocpgod32.exe
1300	Ofnckp32.exe
2240	Olhlhjpd.exe
2528	Odocigqg.exe
3540	Ognpebpj.exe
636	Onhhamgg.exe
4216	Odapnf32.exe
2704	Ofcmfodb.exe
2524	Onjegled.exe
2132	Oddmdf32.exe
2168	Ogbipa32.exe
4268	Pnlaml32.exe
2464	Pqknig32.exe
4716	Pgefeajb.exe
4444	Pnonbk32.exe
2068	Pqmjog32.exe
464	Pclgkb32.exe
2224	Pjeoglgc.exe
1516	Pmdkch32.exe
2252	Pcncpbmd.exe
376	Pflplnlg.exe
3020	Pncgmkmj.exe
1792	Pdmpje32.exe
872	Pgllfp32.exe
2884	Pjjhbl32.exe
816	Pqdqof32.exe
5124	Pcbmka32.exe
5164	Pjmehkqk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	4910c00dafada374e07428a5d6c590f0N.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	4910c00dafada374e07428a5d6c590f0N.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	1632	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	4910c00dafada374e07428a5d6c590f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4910c00dafada374e07428a5d6c590f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1324	2992	4910c00dafada374e07428a5d6c590f0N.exe	84
PID 2992 wrote to memory of 1324	2992	4910c00dafada374e07428a5d6c590f0N.exe	84
PID 2992 wrote to memory of 1324	2992	4910c00dafada374e07428a5d6c590f0N.exe	84
PID 1324 wrote to memory of 4252	1324	Kdgljmcd.exe	85
PID 1324 wrote to memory of 4252	1324	Kdgljmcd.exe	85
PID 1324 wrote to memory of 4252	1324	Kdgljmcd.exe	85
PID 4252 wrote to memory of 1452	4252	Liddbc32.exe	86
PID 4252 wrote to memory of 1452	4252	Liddbc32.exe	86
PID 4252 wrote to memory of 1452	4252	Liddbc32.exe	86
PID 1452 wrote to memory of 2880	1452	Lbabgh32.exe	87
PID 1452 wrote to memory of 2880	1452	Lbabgh32.exe	87
PID 1452 wrote to memory of 2880	1452	Lbabgh32.exe	87
PID 2880 wrote to memory of 2996	2880	Mdckfk32.exe	88
PID 2880 wrote to memory of 2996	2880	Mdckfk32.exe	88
PID 2880 wrote to memory of 2996	2880	Mdckfk32.exe	88
PID 2996 wrote to memory of 4632	2996	Medgncoe.exe	89
PID 2996 wrote to memory of 4632	2996	Medgncoe.exe	89
PID 2996 wrote to memory of 4632	2996	Medgncoe.exe	89
PID 4632 wrote to memory of 4664	4632	Mchhggno.exe	90
PID 4632 wrote to memory of 4664	4632	Mchhggno.exe	90
PID 4632 wrote to memory of 4664	4632	Mchhggno.exe	90
PID 4664 wrote to memory of 3612	4664	Mlampmdo.exe	91
PID 4664 wrote to memory of 3612	4664	Mlampmdo.exe	91
PID 4664 wrote to memory of 3612	4664	Mlampmdo.exe	91
PID 3612 wrote to memory of 784	3612	Miemjaci.exe	92
PID 3612 wrote to memory of 784	3612	Miemjaci.exe	92
PID 3612 wrote to memory of 784	3612	Miemjaci.exe	92
PID 784 wrote to memory of 4568	784	Mlcifmbl.exe	93
PID 784 wrote to memory of 4568	784	Mlcifmbl.exe	93
PID 784 wrote to memory of 4568	784	Mlcifmbl.exe	93
PID 4568 wrote to memory of 5024	4568	Mgimcebb.exe	94
PID 4568 wrote to memory of 5024	4568	Mgimcebb.exe	94
PID 4568 wrote to memory of 5024	4568	Mgimcebb.exe	94
PID 5024 wrote to memory of 3948	5024	Mmbfpp32.exe	95
PID 5024 wrote to memory of 3948	5024	Mmbfpp32.exe	95
PID 5024 wrote to memory of 3948	5024	Mmbfpp32.exe	95
PID 3948 wrote to memory of 1236	3948	Mpablkhc.exe	96
PID 3948 wrote to memory of 1236	3948	Mpablkhc.exe	96
PID 3948 wrote to memory of 1236	3948	Mpablkhc.exe	96
PID 1236 wrote to memory of 4612	1236	Mcpnhfhf.exe	97
PID 1236 wrote to memory of 4612	1236	Mcpnhfhf.exe	97
PID 1236 wrote to memory of 4612	1236	Mcpnhfhf.exe	97
PID 4612 wrote to memory of 4224	4612	Menjdbgj.exe	98
PID 4612 wrote to memory of 4224	4612	Menjdbgj.exe	98
PID 4612 wrote to memory of 4224	4612	Menjdbgj.exe	98
PID 4224 wrote to memory of 4636	4224	Mnebeogl.exe	99
PID 4224 wrote to memory of 4636	4224	Mnebeogl.exe	99
PID 4224 wrote to memory of 4636	4224	Mnebeogl.exe	99
PID 4636 wrote to memory of 4060	4636	Ndokbi32.exe	100
PID 4636 wrote to memory of 4060	4636	Ndokbi32.exe	100
PID 4636 wrote to memory of 4060	4636	Ndokbi32.exe	100
PID 4060 wrote to memory of 5104	4060	Ngmgne32.exe	101
PID 4060 wrote to memory of 5104	4060	Ngmgne32.exe	101
PID 4060 wrote to memory of 5104	4060	Ngmgne32.exe	101
PID 5104 wrote to memory of 2340	5104	Nngokoej.exe	102
PID 5104 wrote to memory of 2340	5104	Nngokoej.exe	102
PID 5104 wrote to memory of 2340	5104	Nngokoej.exe	102
PID 2340 wrote to memory of 3400	2340	Npfkgjdn.exe	103
PID 2340 wrote to memory of 3400	2340	Npfkgjdn.exe	103
PID 2340 wrote to memory of 3400	2340	Npfkgjdn.exe	103
PID 3400 wrote to memory of 3224	3400	Ncdgcf32.exe	104
PID 3400 wrote to memory of 3224	3400	Ncdgcf32.exe	104
PID 3400 wrote to memory of 3224	3400	Ncdgcf32.exe	104
PID 3224 wrote to memory of 2592	3224	Nebdoa32.exe	105

C:\Users\Admin\AppData\Local\Temp\4910c00dafada374e07428a5d6c590f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4910c00dafada374e07428a5d6c590f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Kdgljmcd.exe
  C:\Windows\system32\Kdgljmcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\Liddbc32.exe
    C:\Windows\system32\Liddbc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Lbabgh32.exe
      C:\Windows\system32\Lbabgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        39⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        48⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        58⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        68⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        69⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        86⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1388
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4236
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        92⤵
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        107⤵
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2032
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        114⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        115⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 408
        126⤵
        Program crash
        
        PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1632 -ip 1632
1⤵
PID:6036

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 6fdaa28fecf56b3a522441d1fe2f575d U+j0pQ9ZzEiOIzb7s1o/8w.0.1.0.0.0
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckijjqka.dll

Filesize
7KB

MD5
4545efd7def254955ddf9752a759bc29

SHA1
a740ff2d316e248c17c627227ce35b757479cb1d

SHA256
d34738b2167f9d6cc696c23ed445a2f7d32e4bc5677d8b949e14bb4526f97147

SHA512
645798cfbc923791c1ed30244d54a622c33afba6f3679be0b5ac3f7da48b913c7d4f1fba49db54a5c04243ccbb49ee4d4a323c8c3e961fbea7c36fe17e572288

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
2.5MB

MD5
10d35e5f380c2d8b374687a217e78f49

SHA1
272821824fbfafcb67828b1013acad43753ac484

SHA256
4384a12e665573e2ad9a784f397073d01b7661f7e92b39c8128c4f2065ef8fd2

SHA512
2ffcad5db48a83aa54aaff0943c8607fa16120286f42fecfa998177c49f37f438a26f1a737dc25cd291a3f007f45b18a17043c227e1f62a9c3a05395508a03bb

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
2.5MB

MD5
0d9a83b046029817f3a817e8be5f12cb

SHA1
95d86f0a2b0b13b1f31a4fd15b2ea4dc90326ff1

SHA256
3dcc2994d8e58dcc660f1714769503852558ed1c89536db4ad053360536c1b3e

SHA512
fc369018d2b6b1e0b63e5ac747be0fe568532bacdb56a750396900088cd265bce3938419cfbc31a061462de572c4a387c4423230ebc8d0b56c4e56490132a7a0

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
2.5MB

MD5
318859ec932a47fda23462fa318d26e6

SHA1
c5172391ad6faadc163012ee1d5dd45231289ee1

SHA256
0afec1c51781c0c8e6aadf2bdacb27401f77992cb40c35e89548a4f8660d58c3

SHA512
f43f5cc0a7d47f0e33c4d7ff1f86ec8aece3dce2152f53447553662055c68ce4060d78e5472f92631363021a22f00f5922c90b1f7e43249d64d177e91b58e626

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
2.5MB

MD5
571f5c96d0164e684a0da6cffe934053

SHA1
516d650506c5005bb550a02d00f9e782d86176e7

SHA256
fac2e4f3b0fc9024ff002458c7121ba586da186cc675bd1e794e3f918c66a862

SHA512
511b39bcb9de3d9f02d9b7b0c0ea7f8eb41ebf34a56559fa6665ab4e9da3fa2c56496967ae8fd369671f639371bba304b16602375431407d34aeecf8feebf090

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
2.5MB

MD5
1352c40e66cfa91e43ef5d27a4a26df0

SHA1
286710192677945aa0a766c31e11a62d8f97233b

SHA256
566d59fc7f75e25996cb638b6c722713813ed3763561fc65f9ead093e863b97f

SHA512
51bf2d7fdc38468e8d2d644cc84d4a41ede6b1ac0e069b7c26e475c8c47e7adb0eed942b5ee3e62333b3d33e9152363dc79eab9884e427f550b7895e5c1b44d9

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
2.5MB

MD5
a8c96c083a02c7df97d3368625e809ef

SHA1
9b63efd7f9567b5210d3026cfcec9783b541f867

SHA256
ebdad48975974bca9227825e9b757f9c70c061e74a2fd930787fe55bc8189e22

SHA512
a31a2623de93cfb4d764b3458a86d79ee75b74a19d751a3a7463adac2d25e7d8365f04708dd7cb24318949d83e6d74068c3639fabcd60253b6c5757a3737531e

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
2.5MB

MD5
73fcfc7753b513b531856f38da3bb00e

SHA1
8e407e821eedeadcad4dddae275f387146a0617d

SHA256
731ff8d0c6c3a4631b845cf006b9b0cd440462fcf42af91d4eabfe0df956aa9b

SHA512
eb81a3c1dae03a7f35bbd1625e0b4f2a9a5669e00dc3e2bc049bf2a993d24aac40500fb4b2a7a84e7708255f5dbbd34cc30e6e873d40ecba020ab648b4bfdc6c

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
2.5MB

MD5
0906033774dd7140d0b49b7184249549

SHA1
d59aa10b980af976b558701b6838759caf451f2f

SHA256
e6707602a16e06249cc86d5391afd541e9869c6cd093eb2b9cffe6d4e676d219

SHA512
d2ee2636e34ff2f42bc98bf96cdd2294e9b4bbdb3deb6132ecbc5de26a90d71f5a59677d56027063c114068a8fdee60523f44020771ebdfdfb7ac279f33a8695

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
2.5MB

MD5
2f6b6010d4fd352410f5bac4fe49b720

SHA1
1b267d230c542caabffff3660a57e0f1e7f21340

SHA256
7f722923eb0d09a7335976b7f30b2f0c727102d96c48fc587c0a7ec15e223d5f

SHA512
512c5dd3d5617bc73f3ef25ab33031947b4a11548339c20ba159933bef77ff53fac3d4247cb072c6245087707e19fa7c624b641a278cf7c156265916b5e16266

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
2.5MB

MD5
da310b6efdb5b0862a6642d6690b3c73

SHA1
5ed6702cec21785e10abbfcf112a8feb3ebc84bb

SHA256
0a05a983db12f66515be796bf3557fd76d556502ae07c1775c2474144bcaea8e

SHA512
8ee378a7754bdfda938d7824b0d0ee524b7e5415708344a936a527200d472ef9f6dad7462bcae257a128fca14bb20915cd525dfad3be2db10193d2b444dfe8a6

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
2.5MB

MD5
3abf9df0b752ff03124e9dd34aba255f

SHA1
a2dd835633d048a97d788c2546388cc7a89b40f5

SHA256
1253be9e6a8e0138d04d79c2e627403999ef43594881f68e502ef1f7aa054f16

SHA512
44f2e62f7a9e643168ae50389d18a7b2e6ab10ae1625bf68f2c0e5f0399f2655bf7b246e76836b6d6cce2718fd91aa0022aadc5da96bfa4171930ade34224055

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
2.5MB

MD5
d72bbbd7ead342cdcae7c59559757016

SHA1
8ca1779f8ed1f6a5a19d767bd22a2085b9316298

SHA256
a5d278b2dd01f84bd47d3eba5dcfffd12f748428e502be18e00f558cc89dd44d

SHA512
6679ba45abb4f6d2f068803e191b3e2f2d75ba64bf05dee2e0462254dddaabbebfe616c91cb83a0a2cd548ab307724b29493265e680bf140fc5f8469a3286ba9

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
2.5MB

MD5
9b81da196b64407f1aa6445a4e23bfb4

SHA1
68b4d66108b78b07f4690ccf8aa810339f1ce5b6

SHA256
c1b3d1811fc588b46900f34e0cc7d0c401e4ed47f9461abd7a372dee1be5a261

SHA512
8543f4478fa6c547d6ea1c23f3480c65dc7f50f2ebe9b867c0cc40cffa8b57412701927f0c158b0e53b55119528cd6e5d70060a78160787e935b083fc954633b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
2.5MB

MD5
2d59ae0981764961bbab5135308b3700

SHA1
92d1c754bf7224abfb31040ad0b4d28b8a3b7bdd

SHA256
cd5bdb8f8829c1703309f183a16546a5bbb4410cb55956bbd7ccf28fcb951c80

SHA512
eaa43d6772ea415d96ab5fa87b45df31fa20dfdb7ca0c87d92587060b265864da704e4b7f2b20cb046e3a87ea2f1e8d2d359359e6b958a75044b29a7bcde6085

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
2.5MB

MD5
387de2334140e34a27f8d099d5b5aa9d

SHA1
c83ad901199820ce54dc5022c603e6eb31f08e80

SHA256
e3362e6487a1b1338f61d97ae5ad1911d2cf249256eab86f4fa15120d4c72c26

SHA512
7349a4de612caec39d515b50375828623eeacc67e07c5cbaf941075b428f4d450088a81bf04a562e45e2839ebe8da374beb904aa67c3b3157cf8186279c03f3e

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
2.5MB

MD5
8ee7c56d30299ef2666f5310fffd5357

SHA1
20ebe72e2477eb93fbb37baba1264a4a4d6fd550

SHA256
63e33abbaf830773a50196a3c520816bce3ea9f1d2a26e03b24804b2999d1bb4

SHA512
41875823572caa65190ccc4e2efa80c2463c29518710481ad4ec71fabc684d5899cb1a275265fad2974b87f8515194302580fff655ea96abbb8daceac0bb5bc2

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
2.5MB

MD5
ade7d6883595d3ced0d5bbb533556a40

SHA1
8b12bcf3fad0a7346385805aebf56a9aebca1d23

SHA256
e5b6f9f90d86bde45230fd960ac9196f584d7a03913654b25e3986a4fc3551b4

SHA512
ac5f7f80574e32a2f73cf5506ccd592b1475ea0fa4b5b0293539ffeada90278dba0ff2a4861e8850375a2ba620b0974b6970222e33860aa9a9fd585036156eea

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
2.5MB

MD5
220530c34aceb40ed5b4c4c73ffbf547

SHA1
8c0116b3a1a8374b43ad63c97a78f46abfa77370

SHA256
eb427860f2feef2214441f97eeb941707d3dfb962ad5af2191c54dda81b8a6a1

SHA512
ce5c7232a72fcac2e8ab5c46a10389cdce9383e96e448080ca5ae6eb00db057301e3840eb7411a282124164f890799721efa8aa541b142502aceb71675ea4b99

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
2.5MB

MD5
becf69e518d0d43b47656a7746485579

SHA1
302728ed39bf190947b9b097e04b0d69600ea212

SHA256
c75ae22c9cb126897a398e5b623a2c51657ad2b28a3a95579419f7d99f4a8cbd

SHA512
5ae09f7091e2bb236763a68167cbb4de42fb15156b2abada9a2437a816a3604866caed04393414ce9e71a74c83d3e8e73cac9fe5f74294821df9e00bb02687d3

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
2.5MB

MD5
3b18774add397922c61091dff78b25ba

SHA1
175b2f9f1261363e682ce0a5ad478399f3032eaa

SHA256
b224709ee9954b279e8042a3f6940333a17d940e5bef1f81d49bbf27614fdbbe

SHA512
30893b8ffcd8fefa47c09ab870aa6a8d2ccb9df07321c5162fd869d5a1ec73164dc62b469d0bd5017ebbad50ba30361dd10f659c873419f09a4d91dae83515dd

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
2.5MB

MD5
140b788f28ae42ce4d967e43da9a46f5

SHA1
ad84a8a8fe575f9a84712f977b2c247a8c5b5515

SHA256
ff023ada80704c66c5248792fd42494b296ca242f3d622397437b84536fa5997

SHA512
0d512df2e7d11d0b00ec23318c8a65094ae3b783bac8e1a967c78c1b2ef00ff35a0f009377b7e8d59015c3d353ae89814fce01d742b47b2ccd9eeb2ebcb0564c

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
2.5MB

MD5
5a7492fc476a84e98bffe10a26d2e6c7

SHA1
d12bc233b1f02384630d68d22e0da1cc63e8f9c4

SHA256
69ab6224c7808e06de639f50812ce2e393a371550d5a27f3a590ef7992b47fe4

SHA512
e62e5a39fb21a487c66a2fde2c73e3c7e4dfa29e08ccee1f5e69d0b13f2dca5445bf5c3c7c6dc5fa27f5bb040e30850b175cdd164616469b8458ae5a235d7bd4

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
2.5MB

MD5
97198a985d7a4bd7a48ac0309edc45ca

SHA1
32d6e2ac6f49a05faada8b527bcb652d9d49672c

SHA256
1b5251a91740c54a39f2aee37388a8a189e7d4856bdd57e39e6066eba7edfda9

SHA512
bb5f882debae3865ef2ad913724a3ef53a0dd270210f93be2a284e6cc03a143588d38500e3ba9b9ca95133609d7f1ee363124b43ea5fa4f980c1444b113f40b0

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
2.5MB

MD5
18f22f17a7d0bb1403a23c606f66ebfc

SHA1
7155c56684d35496110c4990f52ff5cfd2ffe8d8

SHA256
4df706bdc61b3b46b3865c510817c72ae96e2998eefe992b75d7e368b88482fe

SHA512
593db378fab6b873845bec3967174a695a32c1090899eabad06beac72cf4e627b763fe2419aff9cf611e59f107101a91869c9629c05c354d8f914dfbb1c68f97

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
2.5MB

MD5
1a09e46ba9d5ab47145e0c327d913392

SHA1
6f85de397c12fef2f9b1796028c757bf179adb16

SHA256
a55875871cf01f4bb69d222cae50209701639a40c418e124afba92793837ca52

SHA512
23747a70c23850adfa9e06595a35040ba33329923e1f056899893be3601dce5a9b7cd977db64e9198935a4146bc799ba2230a8bf4bbbe0bf7fa5c9dd102863da

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
2.5MB

MD5
594964aefb95db8d82e66dea3563e71b

SHA1
0c48955f551be00b2150dd70c1fd270598465696

SHA256
d1615049a6296da2151121c273d05322d3ed2d2538776c3fcfb602df63dc238a

SHA512
878c54c03fe6a1f4ace23ab5533866617e98f1e473fb0a133b4f86fb4ae97ae6d3245e3bb4af9f76f03147783e13f80e58527ffb08221b84b70ea8813cb826ef

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
2.5MB

MD5
8a45c2f7379c6904ae456531b009705c

SHA1
a537e74d2c4365ec42c0ec5db2885bf744627fa2

SHA256
801e19489cec5fc0151cbbb582f89b6579286ae90ccbc2773e86b6fa25cc51d8

SHA512
60f813d6d571b6e8e5f75764270389751ea3868ecd31f685613303113ca40d9ddc4880e235822458ac2f2dc07d89a685351447ac2aab88ec391730eb551961b3

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
2.5MB

MD5
dc3f09574393fc4e1f63280304884375

SHA1
eda49065122ef66393a788fe172bcf3f5ef6121e

SHA256
8ad0aa14a43ee44c5b92c251f452287272919ef7ba8c2c69eaf21dffa0e35de3

SHA512
a88f449028398aae2cdc104903c72becfe3f034c2575e82596107bf18251f33a3e143ca10d3b2c1bdc5abdb5df475d77b98666b64474a1baf3c12ddc830f1515

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
2.5MB

MD5
cccb0f1ddcaa8efbd080a1ad6997dbc3

SHA1
aef17d5109768cd53e64c5e113166e268c03f773

SHA256
9dd0c251d9b869f69f0ce48cda6d24c0776d2fe704f9824061a83c190b2b1ee4

SHA512
ef3ec9defba1a0157623bf4005704339c01f624b6550de6fb5f62c9ec0c275c27e523419a162c6a7d08ffca846c6b2590578d122922fe0f9f751e5e2ab8dac70

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
2.5MB

MD5
911f07567933e2ce7cd225a18daf0a7c

SHA1
bd4a1a40860a761fef6a03142f727a974aeacf9e

SHA256
7bcae8efbf12044b03d5d588468c80e99498e071295f0c89d44d21dce33faba0

SHA512
2d8cb53ddc8a5a5f609180397012c586484c811abb0423cc3c5659dc8b15ccd31ba61a98d5d9e578317e939871fca8f84c793ebbcdbff727dab074cd0ac1a2f9

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
2.5MB

MD5
443221a83e3594c970ce58492bcf330a

SHA1
e0f636877b9e374219066987b73cdcc3bcbb62ee

SHA256
302fbc38d53d67e22c7a6468b2ac681985c59a2e694756a99e6ad61a62da5c78

SHA512
fcb5ed217ff521875a11403ff8c35a5a4ac442a21748873aa067d9a62c2a5e54336620c83563d8f91d9d49409008f01e16794e1c0fb49861b39ef247b48b0a4b

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
2.5MB

MD5
98f92aa159ea183692c18e6e4328a409

SHA1
c4244c38267a2374a5f970e3f7fb090abe4a8a3f

SHA256
2ee70aef6bcd6e8e49ef1d99c370ad5528368cb8e50df7d91ee806150e3e389e

SHA512
8a0232b59d3d6aed7deaf594b5a4ae64ae4c8ce9700a6fd7dab72cd8dc3f9cc1626c244330e8b7ce41a9f4e81e899caec4b564d5b67d3dc50d458dc00f77063d

Download Submit
memory/376-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5204-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5364-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5404-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5524-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5844-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5888-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5932-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5976-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6020-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6064-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6108-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads