77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9

Analysis

max time kernel
143s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Size

64KB
MD5

ac6711c1207b9406e9d5381c7d25f479
SHA1

7337431b9eec76382bb1beceb47946d708ba6c3d
SHA256

77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9
SHA512

9626d925861203396cf33f31dd17e1c8dcaaacbab8192e468868eab063b16661d2743ef5bfcb3d0f2bd16145b8eeb8360c9f1e44abf87757886be013454b73c9
SSDEEP

1536:kiYDt+cfiobWI1kxok8uax1ce9TS8s8VbfI2L+rDWBi:kDzi4ixoTY8Vbx+2Bi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe

Executes dropped EXE 38 IoCs

pid	Process
2896	Madbagif.exe
4556	Mhnjna32.exe
2884	Mafofggd.exe
4824	Mojopk32.exe
2488	Mdghhb32.exe
4856	Nomlek32.exe
1444	Ndidna32.exe
2180	Nkcmjlio.exe
1644	Namegfql.exe
4776	Nhgmcp32.exe
2116	Nfknmd32.exe
3876	Nconfh32.exe
2292	Nofoki32.exe
2132	Ohncdobq.exe
4420	Odedipge.exe
1692	Ocfdgg32.exe
544	Ofdqcc32.exe
1268	Obkahddl.exe
4840	Oheienli.exe
660	Obnnnc32.exe
2328	Omcbkl32.exe
2024	Pdngpo32.exe
4160	Pcpgmf32.exe
2964	Pdqcenmg.exe
2320	Pkklbh32.exe
2260	Pbddobla.exe
4064	Piolkm32.exe
2892	Pbgqdb32.exe
2584	Pkoemhao.exe
1376	Pmoagk32.exe
2004	Qfgfpp32.exe
1608	Qckfid32.exe
1420	Qihoak32.exe
4816	Qcncodki.exe
1496	Amfhgj32.exe
4532	Acppddig.exe
3448	Afnlpohj.exe
1104	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Debaqh32.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Lbnjfh32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Pdgfaf32.dll	Namegfql.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Fflnkhef.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Namegfql.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Obkahddl.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Pdngpo32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Nhgmcp32.exe	Namegfql.exe
File created	C:\Windows\SysWOW64\Nkcmjlio.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Gipjam32.dll	Nofoki32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qihoak32.exe
File created	C:\Windows\SysWOW64\Acicqigg.dll	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Obkahddl.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Nomlek32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Nofoki32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Pbgqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Pfqdbl32.dll	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Jgedpmpf.dll	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pdqcenmg.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Pbgqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Mhnjna32.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Obkahddl.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Ndidna32.exe
File opened for modification	C:\Windows\SysWOW64\Nofoki32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Mafofggd.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Ndidna32.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Ohncdobq.exe	Nofoki32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mafofggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoikj32.dll"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Odedipge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2896	1664	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe	90
PID 1664 wrote to memory of 2896	1664	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe	90
PID 1664 wrote to memory of 2896	1664	77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe	90
PID 2896 wrote to memory of 4556	2896	Madbagif.exe	91
PID 2896 wrote to memory of 4556	2896	Madbagif.exe	91
PID 2896 wrote to memory of 4556	2896	Madbagif.exe	91
PID 4556 wrote to memory of 2884	4556	Mhnjna32.exe	93
PID 4556 wrote to memory of 2884	4556	Mhnjna32.exe	93
PID 4556 wrote to memory of 2884	4556	Mhnjna32.exe	93
PID 2884 wrote to memory of 4824	2884	Mafofggd.exe	94
PID 2884 wrote to memory of 4824	2884	Mafofggd.exe	94
PID 2884 wrote to memory of 4824	2884	Mafofggd.exe	94
PID 4824 wrote to memory of 2488	4824	Mojopk32.exe	96
PID 4824 wrote to memory of 2488	4824	Mojopk32.exe	96
PID 4824 wrote to memory of 2488	4824	Mojopk32.exe	96
PID 2488 wrote to memory of 4856	2488	Mdghhb32.exe	97
PID 2488 wrote to memory of 4856	2488	Mdghhb32.exe	97
PID 2488 wrote to memory of 4856	2488	Mdghhb32.exe	97
PID 4856 wrote to memory of 1444	4856	Nomlek32.exe	98
PID 4856 wrote to memory of 1444	4856	Nomlek32.exe	98
PID 4856 wrote to memory of 1444	4856	Nomlek32.exe	98
PID 1444 wrote to memory of 2180	1444	Ndidna32.exe	99
PID 1444 wrote to memory of 2180	1444	Ndidna32.exe	99
PID 1444 wrote to memory of 2180	1444	Ndidna32.exe	99
PID 2180 wrote to memory of 1644	2180	Nkcmjlio.exe	100
PID 2180 wrote to memory of 1644	2180	Nkcmjlio.exe	100
PID 2180 wrote to memory of 1644	2180	Nkcmjlio.exe	100
PID 1644 wrote to memory of 4776	1644	Namegfql.exe	101
PID 1644 wrote to memory of 4776	1644	Namegfql.exe	101
PID 1644 wrote to memory of 4776	1644	Namegfql.exe	101
PID 4776 wrote to memory of 2116	4776	Nhgmcp32.exe	102
PID 4776 wrote to memory of 2116	4776	Nhgmcp32.exe	102
PID 4776 wrote to memory of 2116	4776	Nhgmcp32.exe	102
PID 2116 wrote to memory of 3876	2116	Nfknmd32.exe	104
PID 2116 wrote to memory of 3876	2116	Nfknmd32.exe	104
PID 2116 wrote to memory of 3876	2116	Nfknmd32.exe	104
PID 3876 wrote to memory of 2292	3876	Nconfh32.exe	105
PID 3876 wrote to memory of 2292	3876	Nconfh32.exe	105
PID 3876 wrote to memory of 2292	3876	Nconfh32.exe	105
PID 2292 wrote to memory of 2132	2292	Nofoki32.exe	106
PID 2292 wrote to memory of 2132	2292	Nofoki32.exe	106
PID 2292 wrote to memory of 2132	2292	Nofoki32.exe	106
PID 2132 wrote to memory of 4420	2132	Ohncdobq.exe	107
PID 2132 wrote to memory of 4420	2132	Ohncdobq.exe	107
PID 2132 wrote to memory of 4420	2132	Ohncdobq.exe	107
PID 4420 wrote to memory of 1692	4420	Odedipge.exe	108
PID 4420 wrote to memory of 1692	4420	Odedipge.exe	108
PID 4420 wrote to memory of 1692	4420	Odedipge.exe	108
PID 1692 wrote to memory of 544	1692	Ocfdgg32.exe	109
PID 1692 wrote to memory of 544	1692	Ocfdgg32.exe	109
PID 1692 wrote to memory of 544	1692	Ocfdgg32.exe	109
PID 544 wrote to memory of 1268	544	Ofdqcc32.exe	110
PID 544 wrote to memory of 1268	544	Ofdqcc32.exe	110
PID 544 wrote to memory of 1268	544	Ofdqcc32.exe	110
PID 1268 wrote to memory of 4840	1268	Obkahddl.exe	111
PID 1268 wrote to memory of 4840	1268	Obkahddl.exe	111
PID 1268 wrote to memory of 4840	1268	Obkahddl.exe	111
PID 4840 wrote to memory of 660	4840	Oheienli.exe	112
PID 4840 wrote to memory of 660	4840	Oheienli.exe	112
PID 4840 wrote to memory of 660	4840	Oheienli.exe	112
PID 660 wrote to memory of 2328	660	Obnnnc32.exe	113
PID 660 wrote to memory of 2328	660	Obnnnc32.exe	113
PID 660 wrote to memory of 2328	660	Obnnnc32.exe	113
PID 2328 wrote to memory of 2024	2328	Omcbkl32.exe	114

C:\Users\Admin\AppData\Local\Temp\77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe
"C:\Users\Admin\AppData\Local\Temp\77c685b1c2c47800018cacb72f027caecec9137ae2c18310170cacb2a24bf1c9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Madbagif.exe
  C:\Windows\system32\Madbagif.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\Mhnjna32.exe
    C:\Windows\system32\Mhnjna32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\Mafofggd.exe
      C:\Windows\system32\Mafofggd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Madbagif.exe

Filesize
64KB

MD5
32b9cb386a66b2178605afb554027190

SHA1
2aa8608ebee6e8f903c94fce82ae5f2214788064

SHA256
8b21d166d55e02a17aec54dc5e6c1c2ac95bdbe57ca601bf036d247bb8fab289

SHA512
73d975a7d2ac0ce74a36b2ce3c9ad7e860ba33dd8ee267fe96403a470355024839d0d7c6b20b091b265caeb9c71c53c1295a0e9dbd7531eba3c77803738e0828

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
64KB

MD5
68752e010ff7f4b1112a0e621821db3e

SHA1
5c78ed5b80c08e5f88838bc7b6a47c113b1dc065

SHA256
b5ff7a4f62f3ffc2cc4d15bc975a6027a97fe93d94a5e5e1241726c5f1b4a3e4

SHA512
e2f097812b62c3ba8684344d95e5f31253d43c46b995ba13687fe5f8476163f427b11f6712b5dd08d3fba5e879f8b6ff2b634aa6e14b189f3bc73bf48e231b9e

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
64KB

MD5
84f4ae1e61d029025f25d9c911d2ad2f

SHA1
d04086e45fe6c96e816703f2479f4d1a14034fe6

SHA256
9fb67bc886bf4d24119bac47c3af09c72bc5bc66f41bb206a3464ed4ba54af4b

SHA512
f43a2fa22f4892f345112bd1f52ed8373f2818dfa7a8cce569bdc7764608e89b82f4523f922d9c9ba0a79379eefd25620a0ee9f2b5e5b9f07e15276f62c32b46

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
64KB

MD5
d049ff0adfee67ec8629b5e92ded9aa6

SHA1
6320629df4796a3cdb51447a51dfb783f476e058

SHA256
8b7749330bf43c598f0c065beda660d620ea5eba8ed965bf63a0389769a891e3

SHA512
4c7db2605cffe670fa07539a3361670e898030b36ed1d08c5a10d64a9953dff5bdd82d9f7f8b089689f7aa0fc421aa523a9c7871edc8480d6085eac7829baef5

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
64KB

MD5
d879d8f2c38907f8e29c040f66ca1e6c

SHA1
5ffc742cc9a2abe83aed2dd76a6a5cf0ae1226d4

SHA256
884c5ca5dba192d67769574ee4c77c491ce7f494e0e1ad8aadb835b4b6844df0

SHA512
54e3399a7ba38069f3d11da652fee05383685faf8bd833458ff81106d627caacd975f605d1a3a1a924bfaba7b0306b052c6253a9e4b3734849f75add6502ca4e

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
64KB

MD5
01bf3f9e6fed9eaddb782fe8f8d4223e

SHA1
ff5199842802aacf688f52c83569574887e31333

SHA256
bb44202ab0e1b6ae36a544bab9bbce29adec1e5a5e8805bc61ec7132ab71f93c

SHA512
dd7e7c19ceb3c1a75d815a001e36739f91c294d6871dbd12e8399c67b482341e5ff758d6c530012f7ed07f4839722b50789ce3d809b7d83a370246e781c0b1e4

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
64KB

MD5
bf9069070b37dffec6e9a4a1f1f677b6

SHA1
5cbc113f8b2a740f38ef58762e716399913ddf5d

SHA256
67cd4bb653b988767175f24f1d849f2bcb06c43e05645f2729fea69d1d75818b

SHA512
1d1a42ae5edc3660f05730cc433f10d3529365c3a223a30e71f27e0af89ab7d847398092f2f3db813fda99a0eef02e1b7497a577401d0544e1ca8345b81912f1

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
64KB

MD5
591086d5ed1e190da10f6b42f332bbc4

SHA1
7f788ce1f55625b820ea02af3955d19cc6d6141a

SHA256
8edccd564ae58f2ff2f15e216f9f42789825dadc079ed6365ad6f00db37ce46b

SHA512
9d79c88ba9b3051539eff5e95e01882bc68909b182012a514d8597dc9d5c576f9032b68f555eb604ad8a81a42d7e6ee1a812b4dcefbb698712fdc8a89f40af3e

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
64KB

MD5
db90792b506c1917e12a7f35eca66d06

SHA1
4a6768c41c35eca1edc948b2d5c1483ef98dd2a8

SHA256
11eeb65a2c86561f6eb318663db9371ae98516a3fff620654f2132d96470f44d

SHA512
d59d51699932546563ccb6aa2141ab3e0c9c6406c5faba96c8af37b09d981dd45637415929793d86290c2b83241bbed253dbcf87e3bd7cc7c9ad8823ef7e78bf

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
64KB

MD5
7c53148cf6a288270af0c38bf9b48b1d

SHA1
26f340e818a2b574c5986f1ac0a739d87e66f329

SHA256
03e10e54bf3f5f988e5426cbbec58fa30b2dfaa01cc75c4d0cba308257e408ed

SHA512
8ac43a247ef124952d4df583ae5cb0a633c4555eca17aef67341cd46e73c7a15548843df00463ef392f7f277e95e259caab159b2595f223665a10bb36083c1c1

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
64KB

MD5
690f2c0c2a12cac460b4f30846e40b9d

SHA1
9fbf171aae96dc121aea3e1222cd5bd24eeb3d39

SHA256
c6e8879b77fc524a5a1d352d5be99450e0abddfbf11666f2c826e736a628b28b

SHA512
63724f25dede2ae5ef1b3b614ee275966b7f60d115043337fccdd5f4e2ef2c0459ac757df803846741e006ec40d42d74fb8005ec16dc259bc7e60fc768e8f1db

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
64KB

MD5
62a2b084bb9b544c5be201075bbb0b6e

SHA1
ca9d36841ee522b22cfdb20f0fb39403848864ee

SHA256
6e14fdf777a900359faa334dc0ff067f7f8ba7f544c823b3e59c97883bf1bc40

SHA512
b698f9e48a5ab72f09443fc5fa242ae1ed856407ef0bbd6000a732d2ea3b7f9d062d893e8f7d3fb7e9d37d9dd8fc3366e9f476cca337404cafb84d7d45267a81

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
64KB

MD5
2ca77c0c8c6285a60a368ca91915a19a

SHA1
0f2bf00484bc9fb861731fbd2b7986aaa243ce79

SHA256
2736bbddda6c1115c888bdefff672cac2e885b637f4ca2190a47fc2cb5a087f5

SHA512
d9c32e24fa927dc4e3503b1ea27e07f742782dc75e259ead893e400f883b054e08068c6e19f27da98d985d810107013dfba7d07ab25a6d3c15d29943921ef28f

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
64KB

MD5
7eece69c25e651484425a7986adaff46

SHA1
0d68ab36f6faae3dfb0ddeec20800f076323a9b1

SHA256
3bf39171f2512c24f33df612ba49f56ea2ebf23579e95d85be645d71254d7f43

SHA512
e5fe2625b369fb0e927e2cb45fc48bc134071576ad64006b39cc329f6f7551b4b8c5c4211b44f8e2b6102f0f8b70a505611e06cff16387df6e048c820adf88ad

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
64KB

MD5
b36c338cae405c3aaf65983d7596db09

SHA1
3a3cb2da683a5b3d07c05c711c72c63da3589fb1

SHA256
17c5f513f8fb958726e4c700ca9510c1cd0be61bfe75eef4395c1a35a3ae0a4d

SHA512
0b6c3edbe51df4a28bb4452c333a8454ea7c8c817e6fc1c29fd41ae64d5948b11a6bbfe6f084b8205a49c4465395cf56831a558892649ad2d8aa076fb4691cd0

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
64KB

MD5
22717390914e6ea98e43e8745dc73671

SHA1
750e521be0d7e5e8284ba8d6382c56c075db2c1e

SHA256
ba1c464208c35e99159420b608247a5b1dd04c74db3f74d5dba55c8f479a7981

SHA512
f829c4c3ed439cb64565a113a1a87fce3d9041157e44cc86aa98adbe35ec36249428a410d513c6aec0f5a6fa5f65d7ff6b73f586129895e1b38fa53e11863519

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
64KB

MD5
473ecc62b2d61c45f66caec4531e3069

SHA1
92652a4dcb190e2205a24b8078bb3ae42cb84b34

SHA256
41c31f97486cb0f8eef7e7d01832d37b00e4593d02c453bd2dd9a9069d6a5305

SHA512
2d9cad6f64d2b23e037ac45c77694b14c327e6f1fac41bd1a0f3619f04227e0272a6c3c25d90f39e5680ade01152d944d9f6c875d2793ca49b090ee64016e398

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
64KB

MD5
6252e00044e81cefd764c769d9bf3300

SHA1
471449fe1626b38a70e31259f25d4bf0682893ea

SHA256
357b4c1b75cece1e529eea345174982e6979ead2a38921a32cab9824ddf45177

SHA512
92b58acc7303e15358dbbabd67dec30a001749bb72adcc2f88231f7d295cb575e5e5ab81e3890cc4726bf1b620fa9c28d9602b53f431791173f79d5da4c38479

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
64KB

MD5
a3142eab83db93489cc6b15fca6eb32b

SHA1
cb6e07f129521a6a8b679b81a52a38d080dd9565

SHA256
690338a8b6933775ae92abcda32c9a5bce0bfd0d17dc697d9143e4862acef2bb

SHA512
42cd4f4a4ddfd1b461535fd1a276319be3365e715370f4838c8275a4e6d17e3bc80fcf1f5b875bc135d4979a0afb3d8c2643cea5e4b6a9895512aab0b5e15f1c

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
64KB

MD5
ed8d2629bc6083169ebb53689e14e387

SHA1
84c9ee8ffc4ee02bb0d0c0992f31a126c90e6027

SHA256
358d1a15b0e6b581a370b341a88e87a1a8f4668fd3ff5c22412d28e8cbf0386b

SHA512
4a37fc38dc96f7442a78fba56766ed13a1d363ffbddfb992f1d22d0ecd546e614767154d4897edc0e2e20fa13a3134cb43410e4a29f649903297ef98c8842d46

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
64KB

MD5
171ef41b3205cf456c370c8c1e147963

SHA1
1ad820a868a58609399ba82c10d9204ae0133f1f

SHA256
ca65acf70f2ce78127729755a32925f38acd428ec8ab04570d77040b8f817b61

SHA512
4768a195606dcdd0e8b849aa59ff89a5c3fe3687690e338145440b3f1bd11c903618545c90eb7156f9cbc35cb36966d362fa5664bf847adb1e3dc9c9dce81fd5

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
64KB

MD5
d7bc5e8a0eb4d68ed4d8867b7341af93

SHA1
606642f0650235c7eeb6d92f06cc35ba4e806b4b

SHA256
7ec2aa818ece959044e707f8716a69f68c29179476151bc45492073ba01d31a0

SHA512
7fbfb188a98f635d73503aa8ff0804da12a2ea9fd8abc7ef4b768024c8d85f99dc09d4cfa92f8c3e71eecb77c9e49e301fa75de33e16579b2ec5628863f31885

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
64KB

MD5
fea3fd27ae2688e00d07f4d967235e43

SHA1
2afe98a786cc8500d2f9e852ae8d8508185083dc

SHA256
cca8a58301e303d4f90b8c2a86536d70229c927ab80deaa9b818ab6c67e762d4

SHA512
6282c0a3f8e38253ee440829ec8687e88c4099cb6d945cafb45ad791099ed4e996e3a3b333867f82043836ca8551638352f5a52e7f667b371a568c3f3c00a77c

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
64KB

MD5
7a9303daa9ed7eeacd6bc705164be79d

SHA1
365cc016b067a9793625e30020c87ca86adc03ce

SHA256
ffa1618c16ab936471d0e8f22517c5009f7d9841dd93cba8520a2d2df46933ad

SHA512
19ed02c8c9c6bb6dc194f88bab8a8a12f170c7919589e3579a2564130e2667fcc83bf6f5817f4bb4ab9e3412fc4894b14d7a0f41d5e4f040acea329a08de5d6e

Download Submit
C:\Windows\SysWOW64\Pdngpo32.exe

Filesize
64KB

MD5
94fc1c8caac3c5744af976c45c52cd4e

SHA1
6137a2092af269f572181aefb2654da00dd72126

SHA256
77dd29df971d76c0e678bf85768cb31cec73980be2599966b5a763bcbe0464c8

SHA512
cae3a9d986431da65cf4c0937bc91130d425edad25848c1aaf28fcfe72c132195287e3e9f5cb87ada96af028fb782a1ca0f57e889aa5172575f958b7f3375533

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
64KB

MD5
34a93e4fc64979ae0f92c8c99d594ffc

SHA1
5632550829e10f42afcc21ccaf61abed1551d718

SHA256
bce429ffb6cc243daf29772ef5cb533b6139f39869809f6a5f73afccdc12636a

SHA512
d2fcb79b3661e2edeceb3b93a17e48f118045166041a82299ea3b5fa08f9c76858b19778b6f6017474d3a861297e75973445a6a26499e1f04ea085095dc76835

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
64KB

MD5
c01587ac9143224929173b70fa75f78c

SHA1
fbd2273025fb74c5d674933e8919af33d22f5754

SHA256
97b587959bfe97f075e864efd764fc43418a505c04e3d9843db013b13ebd86f8

SHA512
715a816072928831d45876aeb885ef2ff8891ea61fec17d0fd2b48be6718437d32a75ba7bac471617cc0d14cb2669511a5dbceb545665f41422500fcd214c9d9

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
64KB

MD5
036db0b54e3661e32551c358fb103e05

SHA1
b7c7332694079c04a68eabd8a89f3b2aaf0cbe8b

SHA256
e0bea460236aaa8f6858c61ebafdf0e7b31aadbdc59d1f426c6a5fb54ff4eadd

SHA512
dbf9e82cad462b5912971052dadc90adaa656c20af7bd6a737927bb2cb7683944208892e6303e5ca13470ca54e92b65500ef8762aee742913de1c7049b8b8d75

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
64KB

MD5
3861fda9c9c09f501796e9e514468e5d

SHA1
fe98bdc5ad11aa5321f78bce4c8884e8b7a9c6f7

SHA256
c664aea76f61d5894b6fc059289894e69ae51702e05439b9d88262ea337b1dbc

SHA512
f49b6aa02995c8d5a3f6cb372d39e3bc7727f74f2a95fdcce6397d5a0844899325ee2d1ffb09c524339e2d00098c603f725ff95f531d250e34a3b1a3ff5e2e09

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
64KB

MD5
1f10ce9a0969701415167c6564e55a76

SHA1
d637aa1451260cb9ec196d7f8437e578798849e3

SHA256
a1764aefa3043f5e464e1e53e60f54852548b4338e6d2594888accdd002917ee

SHA512
e442a44249c00c441bcd0c9d742568f6679e73bbfd8ce6794deea0e60c997894dbec76db7ed18eac4010baa043a12e8c4cf718a87631164810fc232fd2cb5188

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
64KB

MD5
40438df7f7b4dc4ad8982ddb11b7fde8

SHA1
3a4e909ec30d3c3ef52aac042ab0fa30264c947b

SHA256
68d2a8415dd943d9df53a3e2dffd1a8defe86c267df7216dc94dd23ea0b18c3c

SHA512
2fa349986a9c5e809595f11331b0ea29426b6e8f03d13bd748f853c91918f6ee88fa89d0b2f29cbfb57c5ea0ee5f79ca10b9f9c026e0d0585283b7c46ac24756

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
64KB

MD5
b2177ca748bd8b6f51c1607eb7aad4c4

SHA1
8e0b9d07a9c51ab6220e22a833112217e2e1ac0b

SHA256
606b18253667a14e32eef9b5f607e48594d4ecbc3489f02039e12873eb5e17fd

SHA512
6f813fe0c2c16150ee4139419f2e13447e720fc7cf9ab541b03e1fc39839cb81ffcbcc4791a224111fc66f9eda8ccf73e69b97b252671190a31991715ef6d47f

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
64KB

MD5
35769dc7222142688087ca7176d95202

SHA1
c2af940a88751d34ecd045fe558bbb41fe165e85

SHA256
6aa1e74dd24f2fb350e0258eb2bb710d7e48ccc462079c290a6caf8d1d337b87

SHA512
bb63d1a00501fec99c7a691f42e31d95713a053d2f76fe8c023b580715acd2620f29ada82d1bd1b04efc03756bf7059df2597fabe65c2709fd2ea5c13ba37880

Download Submit
memory/544-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1692-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads