b6e946b13ac20e8897bbf6f53b163285ffb79a5001f2ccc24bbca9cdd2418a90

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8c165c9afa29dd0ca02e6077d5e780N.exe
Size

89KB
MD5

5f8c165c9afa29dd0ca02e6077d5e780
SHA1

db96638e546a41e48f035fa8e09fae4956499e10
SHA256

b6e946b13ac20e8897bbf6f53b163285ffb79a5001f2ccc24bbca9cdd2418a90
SHA512

ae17992704801b60598ac1864be38e8304cd7f7fa513866d6b496e6eb622e3c59d054da66795e68af3a206de1282e0b81f0e3c5a99f169ec26f867e739a4dd29
SSDEEP

1536:Quz7aObPRVd8c2EZ0+EDAi7iZi7OccWvlExkg8F:Qup8c2NM6iMfcalakgw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe

Executes dropped EXE 64 IoCs

pid	Process
4780	Mlcifmbl.exe
1584	Mdjagjco.exe
3264	Mgimcebb.exe
4632	Mlefklpj.exe
1500	Mcpnhfhf.exe
3112	Miifeq32.exe
3340	Npcoakfp.exe
1404	Ngmgne32.exe
1376	Nilcjp32.exe
2640	Nljofl32.exe
3244	Ngpccdlj.exe
1360	Nlmllkja.exe
2752	Ncfdie32.exe
1088	Njqmepik.exe
5044	Npjebj32.exe
3380	Ncianepl.exe
3720	Nfgmjqop.exe
4984	Nnneknob.exe
4068	Npmagine.exe
4704	Nckndeni.exe
4404	Nfjjppmm.exe
1100	Olcbmj32.exe
1920	Odkjng32.exe
4744	Oflgep32.exe
3136	Olfobjbg.exe
1388	Ocpgod32.exe
4792	Oneklm32.exe
3252	Odocigqg.exe
4248	Ofqpqo32.exe
560	Olkhmi32.exe
5052	Odapnf32.exe
4008	Ojoign32.exe
2064	Olmeci32.exe
4004	Oddmdf32.exe
1248	Ojaelm32.exe
3004	Pmoahijl.exe
1624	Pdfjifjo.exe
4220	Pfhfan32.exe
3636	Pnonbk32.exe
5012	Pmannhhj.exe
3376	Pggbkagp.exe
2932	Pjeoglgc.exe
4400	Pmdkch32.exe
3916	Pdkcde32.exe
2544	Pflplnlg.exe
3516	Pjhlml32.exe
2152	Pqbdjfln.exe
1232	Pgllfp32.exe
3608	Pnfdcjkg.exe
2224	Aclpap32.exe
3788	Afjlnk32.exe
4032	Anadoi32.exe
3436	Aqppkd32.exe
3680	Aeklkchg.exe
4896	Agjhgngj.exe
844	Ajhddjfn.exe
948	Amgapeea.exe
4024	Acqimo32.exe
4752	Ajkaii32.exe
4532	Anfmjhmd.exe
2476	Accfbokl.exe
4388	Bjmnoi32.exe
1676	Bmkjkd32.exe
5088	Bagflcje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6096	6000	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8c165c9afa29dd0ca02e6077d5e780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4780	2836	5f8c165c9afa29dd0ca02e6077d5e780N.exe	83
PID 2836 wrote to memory of 4780	2836	5f8c165c9afa29dd0ca02e6077d5e780N.exe	83
PID 2836 wrote to memory of 4780	2836	5f8c165c9afa29dd0ca02e6077d5e780N.exe	83
PID 4780 wrote to memory of 1584	4780	Mlcifmbl.exe	84
PID 4780 wrote to memory of 1584	4780	Mlcifmbl.exe	84
PID 4780 wrote to memory of 1584	4780	Mlcifmbl.exe	84
PID 1584 wrote to memory of 3264	1584	Mdjagjco.exe	85
PID 1584 wrote to memory of 3264	1584	Mdjagjco.exe	85
PID 1584 wrote to memory of 3264	1584	Mdjagjco.exe	85
PID 3264 wrote to memory of 4632	3264	Mgimcebb.exe	87
PID 3264 wrote to memory of 4632	3264	Mgimcebb.exe	87
PID 3264 wrote to memory of 4632	3264	Mgimcebb.exe	87
PID 4632 wrote to memory of 1500	4632	Mlefklpj.exe	88
PID 4632 wrote to memory of 1500	4632	Mlefklpj.exe	88
PID 4632 wrote to memory of 1500	4632	Mlefklpj.exe	88
PID 1500 wrote to memory of 3112	1500	Mcpnhfhf.exe	90
PID 1500 wrote to memory of 3112	1500	Mcpnhfhf.exe	90
PID 1500 wrote to memory of 3112	1500	Mcpnhfhf.exe	90
PID 3112 wrote to memory of 3340	3112	Miifeq32.exe	91
PID 3112 wrote to memory of 3340	3112	Miifeq32.exe	91
PID 3112 wrote to memory of 3340	3112	Miifeq32.exe	91
PID 3340 wrote to memory of 1404	3340	Npcoakfp.exe	92
PID 3340 wrote to memory of 1404	3340	Npcoakfp.exe	92
PID 3340 wrote to memory of 1404	3340	Npcoakfp.exe	92
PID 1404 wrote to memory of 1376	1404	Ngmgne32.exe	93
PID 1404 wrote to memory of 1376	1404	Ngmgne32.exe	93
PID 1404 wrote to memory of 1376	1404	Ngmgne32.exe	93
PID 1376 wrote to memory of 2640	1376	Nilcjp32.exe	94
PID 1376 wrote to memory of 2640	1376	Nilcjp32.exe	94
PID 1376 wrote to memory of 2640	1376	Nilcjp32.exe	94
PID 2640 wrote to memory of 3244	2640	Nljofl32.exe	95
PID 2640 wrote to memory of 3244	2640	Nljofl32.exe	95
PID 2640 wrote to memory of 3244	2640	Nljofl32.exe	95
PID 3244 wrote to memory of 1360	3244	Ngpccdlj.exe	96
PID 3244 wrote to memory of 1360	3244	Ngpccdlj.exe	96
PID 3244 wrote to memory of 1360	3244	Ngpccdlj.exe	96
PID 1360 wrote to memory of 2752	1360	Nlmllkja.exe	98
PID 1360 wrote to memory of 2752	1360	Nlmllkja.exe	98
PID 1360 wrote to memory of 2752	1360	Nlmllkja.exe	98
PID 2752 wrote to memory of 1088	2752	Ncfdie32.exe	99
PID 2752 wrote to memory of 1088	2752	Ncfdie32.exe	99
PID 2752 wrote to memory of 1088	2752	Ncfdie32.exe	99
PID 1088 wrote to memory of 5044	1088	Njqmepik.exe	100
PID 1088 wrote to memory of 5044	1088	Njqmepik.exe	100
PID 1088 wrote to memory of 5044	1088	Njqmepik.exe	100
PID 5044 wrote to memory of 3380	5044	Npjebj32.exe	101
PID 5044 wrote to memory of 3380	5044	Npjebj32.exe	101
PID 5044 wrote to memory of 3380	5044	Npjebj32.exe	101
PID 3380 wrote to memory of 3720	3380	Ncianepl.exe	102
PID 3380 wrote to memory of 3720	3380	Ncianepl.exe	102
PID 3380 wrote to memory of 3720	3380	Ncianepl.exe	102
PID 3720 wrote to memory of 4984	3720	Nfgmjqop.exe	103
PID 3720 wrote to memory of 4984	3720	Nfgmjqop.exe	103
PID 3720 wrote to memory of 4984	3720	Nfgmjqop.exe	103
PID 4984 wrote to memory of 4068	4984	Nnneknob.exe	104
PID 4984 wrote to memory of 4068	4984	Nnneknob.exe	104
PID 4984 wrote to memory of 4068	4984	Nnneknob.exe	104
PID 4068 wrote to memory of 4704	4068	Npmagine.exe	105
PID 4068 wrote to memory of 4704	4068	Npmagine.exe	105
PID 4068 wrote to memory of 4704	4068	Npmagine.exe	105
PID 4704 wrote to memory of 4404	4704	Nckndeni.exe	106
PID 4704 wrote to memory of 4404	4704	Nckndeni.exe	106
PID 4704 wrote to memory of 4404	4704	Nckndeni.exe	106
PID 4404 wrote to memory of 1100	4404	Nfjjppmm.exe	107

C:\Users\Admin\AppData\Local\Temp\5f8c165c9afa29dd0ca02e6077d5e780N.exe
"C:\Users\Admin\AppData\Local\Temp\5f8c165c9afa29dd0ca02e6077d5e780N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\Mlcifmbl.exe
  C:\Windows\system32\Mlcifmbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\Mdjagjco.exe
    C:\Windows\system32\Mdjagjco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\Mgimcebb.exe
      C:\Windows\system32\Mgimcebb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        29⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        31⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        42⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        88⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        90⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 408
        107⤵
        Program crash
        
        PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6000 -ip 6000
1⤵
PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
89KB

MD5
fb4004e3cdc95b8bf991b776ac9df860

SHA1
bcafe11d3e1d0315445ea6e6136570f7a3a9c99a

SHA256
4d9d7fb0108354a87b2082b2fc0c586e9b89497e6b764a30b7877d17d521b290

SHA512
f63cb74978273d8e9d9a2fdb65e4409671bfbb09c4e12ad5a23b85059531cb0e30954aad1511d8a3c02ed1fa916016fcb7041ee21197b7b0fc3bd87d8da9786b

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
89KB

MD5
c409dd6433df24e48188e102f3424141

SHA1
c28329a038ebf2e59a0c8d722b7e88d552ac8785

SHA256
274ec88b94eed20ce8ac749f6bfb6a47b7b3fbdf34253f2ded9edaa66768098e

SHA512
efaf245d7737b5a84f9f133434096eb17c443a07b57b213a8d6a5fa86aa8d045f81bf23f6015e937c6b0d22e7ccecad6c3751ffa5278dc18079a00ca7012ad66

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
89KB

MD5
4002b7fd05ef19a0af7f2e14ce07b414

SHA1
d4325f70072e2617a700ae16f610eb50b74c723b

SHA256
5ffc44fcc88994cd751e5ddd0eeab852fa4a1c204dce0914e6363c0df86ac4c0

SHA512
dcdfd5bc2d202c0d169f334f4aa0c7cbbec8b301127be37e8cea4dcf95133f07aefce6404d42bd2ae9256bcd4af276f4a795d506dc387305a6724ad73235be4b

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
8503886f0b0c2faa1135f74f45f45c28

SHA1
2999f21f24b768cea4c13e6db7361a1f3ea0018d

SHA256
3e84e11692cd9cb31a8f061dfdc723195f22020848b9edd6b1f57a2abb132ab7

SHA512
983e1ff7df6977a036f283d7fe796b99e7ea3ae8a4b405bec4702c0b5eb26aad1c4d031eb5e91b58d0417a2499d20d8d643b3213184c2f45fd6e82d6aa467d67

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
89KB

MD5
853605c9ef18f0456896f3882616e234

SHA1
695616493b5353dd7a08b8a02a1f90a5b11ce671

SHA256
efec046a1df2d8e28a9ce24e6930f17489ce45a2bd7415cf7ec0b1824d28fa37

SHA512
a7b5f0cd14136f2ff07dabb7e3acb62addd6dc5cef07f94102777260998d924074fae9b08244b6a43794d2653ef37f70fea817fad79bc75d2398a057ed95aa2d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
89KB

MD5
7151d2e7dadf6ff1b42c375a48109f95

SHA1
e6d22dd4ef08d1ef4f941a9c5894133700be3551

SHA256
84095b4d05cdfded259370ae71413820a4960784b809ee0fc9d27137fc8983d6

SHA512
27209331b2763337801e6514cd75518dcc315ae98b087c0d14cb0f98fa76f472ca4079668ebaba21d14b4f5141110f2da18b2f0eea9f0a062e5fc1aea8f3a589

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
89KB

MD5
1ddf029e82d1144edeb11f6ea36e5e91

SHA1
62395c3e30d293ff8521ead86ac752b3746562c0

SHA256
1e8350fc809d7381d27748da113c30db42dc5a31d64930e130348800d72180c4

SHA512
de8f9f295fdda633f187709d33f02814a7a8bf464786e6248170eba71e52b7d6c7e69b2bd8318432e5b0967dd6ceb39b4c7678e5160aa7ef0060e396052f2169

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
89KB

MD5
11e2ddb411390b5a549782765d0a2821

SHA1
23cb5b625a396949aec4f041884d1f27787c7325

SHA256
c81acda4cceb2b6e2a7a5acd14fd743dcd6de15459b1ccf43a5879379b7c5fb1

SHA512
7adab93754bb796cb5832ce33eab4df8cb008224d9d7a2593dc53d5b3b47ca3fff2a6ea7362b6823848f82334bf176becae19efa218476ab88c83d020e3a4fab

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
89KB

MD5
d6832ad35f865b8cc92d40f3c0c343cf

SHA1
224394cc8dec9c119d2bc7b7a5cd87820098cb99

SHA256
e4fdab60125dcc22033df129608e46831d8900ef2673275ca48193a41040d767

SHA512
b13fab8b8f97e5e8826c2b26795626ac961e35595318a5fb75fb28e217bcf3785fc26eb3b1c7b5e378fa271a838db8352199a8496b68e6ae7755ce4fc445d4b5

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
89KB

MD5
57b60e683b23c13a013ac1ab34df905c

SHA1
2c3ba89336a757642eb70ec1943aa9a7254f84c1

SHA256
3e6a56ff5f154ba8fe6cb4bfe1f928d130d80360e3869d9c19cd0e861a88a525

SHA512
3d92db7233773d76f154541633940222fc03bb69fb8977456bfde73a6af372dfabd8792f2a91cd0565f32c3b1c6658a73f8c0b8c24f02b611ce20e0d834103db

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
89KB

MD5
97197c9017dd543e6dc6375d99969105

SHA1
1a86846c44dde4aed79a4071642e0cb4248d5d18

SHA256
1751c1a56c1582e91402fa165ec9ea01ace2d25f19bf5dbf9c336d74f743db94

SHA512
0389dd8c1d2b9e916f6c7008c7e196b31d2cdb2a0ada68b52a80fa8129dd83f22d5569ea564fdbe3d680108c249cf008f692792c3d6bbf030080d239b77e1239

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
89KB

MD5
c119bc0fbf85e15105f254644fc425cc

SHA1
9e54cf1e7e7e4e619eb220f0b3fa212165f5c24f

SHA256
886efda5c9338104172b8bed6e76ef67395442a8a8017427d3638079cd3f31d4

SHA512
f7709becf8903fffd5b12530491c30738ee2c0b37346de5c92913b0ae8554688a16cc3324f45bdd9425e7510f80e3572a7df4a0b5e6bb46cf274c09cf7cf4504

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
89KB

MD5
88940df26ce7d49402273b4f99823163

SHA1
b6623ed7f2179adae28be07abb964a62b71e1ccd

SHA256
5ffa1453dbf3ac58483413a29aa032a67b2c6b8ae6c200085e513f561de5f4aa

SHA512
60b97aa3d82ce67fe1ac13d99912b458fbe343d17b78ba513134b5c55b49693b75db0c9256849a84afdbde1918f3e04a6764c45838c52b5174cbad9e6d8ec10a

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
89KB

MD5
9039f22ba00ffff2a8dcf05f1e455921

SHA1
2d2c0300a3052f27cf18be1a90dab283900af70f

SHA256
9d93ee7005306a0fb00aa5c660a6e1cf4fac6e3ce4e0559990b3a84fb6d2a100

SHA512
d13692ed4bfbbda87912ccfb7cb7ab7addd4eb2a5a591e2be684b346c4f6651c612b53ee22347c42bdbc40bb6ce81619dfc47bfe8a0a87ddeb16de0666c78033

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
89KB

MD5
58aaa9b092000d438f172e2b2fa58644

SHA1
f52c4f5f7d4f67dfa08a32f4cdb3c4ba7fd46723

SHA256
2064c2509e53ce4e2b5e9521cb72400ab1ba5e811b7e6dacf084a086b5f6d821

SHA512
3e300aadb0e3d046b5495adf5a0a114e51cbd15ae2cb1b1b0ff2a641c002fb0a337559ee5cc48e90dbd1ad8824e8fc4366548d46287fe919bbfe6da9b5d71fee

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
89KB

MD5
63fbdb3b71c54e01405fe2e8a83b37d9

SHA1
70e67db0d6255df899aa921747fdd0957a123f80

SHA256
da3636b8882b5aabf3c697b940263a28c22725ee5938c205eb3e0cfdbcb70432

SHA512
ba58d05058d4e2b545d0c88acfee3b6506529db21b2f5b78e12041f7063ff32b33d39cbd3d3989990f0e77191a731fd9f113b2743e4bb3536ecffbc8b59a533b

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
89KB

MD5
99533d58398fcaf86926dd2072fbec56

SHA1
aaf43af89184bfbfcaf9e8fe348313a6eedf0463

SHA256
c35c48fe6a2d11e39c0a23de3a36250bd7e236cfdd8f31c78c7c9281593f5dff

SHA512
35f08267b886809a48e06059a1d6d4bdb68321244c045dd38a2b0b7600fcdcebc554b1bb502d1961a0668b51358705ea813f2b82cb5411acf7dbc446c1f69d94

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
89KB

MD5
d5c85f9d959917164d420fcccb8fd68a

SHA1
a561183be0616a52ee009bf86129bfea26b305a8

SHA256
09b7b954536775d8caad11a05e23e5be7dd0b0d9993e89abdfa5b6211c283d22

SHA512
1b8a4f8b3c72d1dbe3e9213448920852a4be538da5d53ba177cc9c13ae1708b9fcee642cb15c690e8120b8a7173146644386dd16b7d484348cd72ac2938144ff

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
89KB

MD5
b342f9f6d503d1deced3f10ed4fa1da2

SHA1
d264086331c2adbce8ab35ed7f252dbeb62673a3

SHA256
e0461d726439d0211b9aa6ffdc0dabc821d16f40f951d7a34b08d6c40841c9f3

SHA512
5f5c9762ed89b9f46d5d4b69f619677a263838895963b64a6af671b704842fbc614694e94ef83223758d1c95a889e02797aaca7e512fdf18db479cf5074feb58

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
89KB

MD5
fa4cc6fb016bb90dbfd7badf5ec9225f

SHA1
fbd5cc254fe629bc5a9589bf6d6802f7d6b42299

SHA256
29ca7b245e8496f40a46b89ea5f036807e8e939e71170a1a95ead6c8c986d47b

SHA512
b82172f2eb7981c66b7627457e3fb5aa31595ae9495ec70b067a1490dd0724391bd760bf6e56ae6c84dd44bde6758338180de21ba563ae9b2b6783a51d7ee300

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
89KB

MD5
4db50ca0699c6e9548f93dd5ff133cf9

SHA1
954938ed1186d70656359e1f85f86629e32a8f36

SHA256
0c68505deeb986491cc15cafb661afe7377fd7da3e3cee4a8ffa59d8384fe104

SHA512
3a8de1777a8f3a949188aeee7ad7742997be75c18748b524a9bcaf89f5388242b6d10dedc8c6d9b196135535e481bc2955d264095d36afa926fe9e45888e05b8

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
89KB

MD5
09a41c1ee179a6dd54a553fc343eca75

SHA1
867fbf46b0c604a02d5555e8d273d71b8d1837aa

SHA256
d38c8ef57ed873921ae19f0bbcf767aa9def1d99de339a8be976d98594cfe5d1

SHA512
fd7071b36c64bca8bc756ec2b5bbe67e17895d367b079744ce4795db0de041a812ff4196a60496c7fcd66807847fe275f7971f7949d0c1c7f03a7e8da826ac36

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
89KB

MD5
1c13828471da11388cf2faa27352f08d

SHA1
f968f45f07f0943b1434331a4332ff72f7ba1f7d

SHA256
e62f9696dfd758c8efc66116f389741b193e7ffef26e44fc661e7b4da37cee4b

SHA512
2f12e7eb30cf9c48ee38186d37af16a34028e48ad671d28e3da2c2f9bcaf871163df52f04f60301dc880c01ab1bab16a4629c87b71ae0cccd2fd1aa827fabcdc

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
89KB

MD5
9d2829e3766026f992762a88ed93c01c

SHA1
45d5d85a2870b4f69617cacaeba171b7ea8e92b8

SHA256
71437e5ac760426060d86f2ac643a70f8cda2d9928496170927f21c9ceef5ecf

SHA512
cb64ae550c98772b5f90f225e4aa771f83efb1ad01496fddeec702affb517fe87d851b25636e8b67936b7a6695f9c714016de1828ca14be417ea447a705f789d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
89KB

MD5
bed89bc13a746da4ba62ea9ad52e2045

SHA1
2a132c34cb36416c827ebd72882b8c09fb8f747c

SHA256
830cafd68c3e6b92cd2bea40112b0699f0465c0f6010491f0c9d79c743c82172

SHA512
8c823658ce6da96926d630d15fa8f9962b39ae869f3c130790bf55bd53c2d796c501126d62a71406ba4ea79ede8adcfc67054173841b3815f583e15a147fcb2b

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
89KB

MD5
4c7d16800475833a36d89e51da587eed

SHA1
4bbffe062711b91bd1c1f9373cc450fcf34ebdc2

SHA256
b72fbf51abbac22e94b9e6836bbd4ff227037848b0145c18577ec6a69b558f8c

SHA512
bf3ba789ab7bad95f1053c9abea8abc40633ccc438db4a1fc84ae9d1ba2f0c5bb2dc5dc113f0ced11cfa717be477a101559c0391b8ba23647e44c6322caeab17

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
89KB

MD5
0ce70ce5fc46544afd6a24779e3b8d3a

SHA1
36c913344ef0859da2d88733f86e32bfe71f650e

SHA256
1daabe66b6676c5a3fa3b23fdbce5c7d3bf079b44361a7d50102f19f7c20cea5

SHA512
abf03437c9b26962ed31e216ec98af00521adfeb77444e31076117064bd6cdd675dedbb974ec38475b0f1101c807853e76bb2282772ee6b3499221ea2901bca6

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
89KB

MD5
dca4d2c10252881feebb42e39fc747eb

SHA1
adf455f2e3b98d68150e787ab644fde2213f4ba6

SHA256
55f866aec8069b172d44e7ecea9cba9e0c946e356a35fdb56fac575a688ede68

SHA512
e193d3b1c807e819f80bd937dfedf86fb37810f1644b127a39fae0a71585917622d12b7494f5d80d2654172da0a49c931803d641ff0bca4aee4b4bd11de63051

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
89KB

MD5
4272171a96455271fc58bea1153fc113

SHA1
d0b23334fe45530b003a0b9513acca8a5972df72

SHA256
6f35c3973e89c6d3b91e9c089639277bf01332ec36ee17537f9ce3aa8b6b7fe1

SHA512
0ce4fb9eb6a1354dafb22141900eef55ebfa1e42007e7392d1661c7477be245dc7690db1d2d81799d679cb43ab99503a490cf1e585b2270c721f727fc12abf88

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
89KB

MD5
e646751fc72243e283eb2fad52789c8d

SHA1
d24fa72610a4bc9eeaec8bbee88a397d0aea515c

SHA256
d805947adc0135adeb6508d14faaf8002401c8257df705f57a292487adb5d34f

SHA512
7835ab8094237a3451001e3f7ab6c89d35f38d5193f3d1d920ed3b57d4d770ac740aa2c668c50375bc0b059d28982668aff8d46eef70287348309927a0435c59

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
89KB

MD5
26f823a2ffbada832ff2b0b2290a9335

SHA1
a28ca1ea92a80e5578406b1bc18f60e971120bcf

SHA256
dbf58a8757a727416a90972fdde6d15ce477dfd24e01249c920ac529b47bc3c9

SHA512
74ff46224956a71ee12aa1bec416a035a17821fb21f5c955537404a6fafe75f40c9815eb7f57228e937600aca0f0b83a18ee84010027fc7d2806717a14642f1f

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
89KB

MD5
ef6dd1e29944f95b3c516f0d19ee6b82

SHA1
b464493a88cc57aca306c4b606743c466bd5823f

SHA256
98f3fc5fce6d8b7311c4f12cf11814680f1b5ea621ddb5a873f283f2db8a6f80

SHA512
40b563d89c478db3920afad31864c383b5ece123fb87a23732ac3d7433b0f2874ab8f81769c3082eb390388f143117a51750eabdc59b951bb982d28009dbaf52

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
89KB

MD5
c130559ce14ed2936857421c3a188a9a

SHA1
5dfa3447fe0f2a3765151aa1bd2d71143fb66132

SHA256
55aec7500f0c7503579d403efefc819cdce6cc2c5356673b1f31af9475607d34

SHA512
cc7b8aaba2b25896ad50f9d69e369191fc7325161781c13781f9258258f6c23ef01941f1de37d7fddb5e19e4c2adccd049e1d9beaaebded4efa6155c3a38a551

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
89KB

MD5
86b95caa88f49a6a77e9ea4037f53599

SHA1
00e63f96f9bd60d9bc576bce02ed6ee9dc0c6cff

SHA256
0d3161c12d5cd6cab1d701ae5f7e1e2cb6f7ec7e853fd60542fb2355845e67d2

SHA512
c3dcfa95fc5b00f78acf4282f2fc2950b72f4a8e5a8f8a7d157202a515ade31490b95fb29ccf2577bfe8763842bf8beb3263619be4d9b2dc53109e81c08187bf

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
89KB

MD5
20d97b6bc486cf64e00f614bacee4040

SHA1
547be410ac8eb80fa617d0d17d7a44ccb7ee0583

SHA256
77d2b47bf5ec61ce59e650612d76b7db185554ea39d193c325a3dac2a33372b1

SHA512
4f4cbf72a9fe8b5be4dbacdaf4f896b9894eeee4eb39b4663d61179bf8a2a78c3a2069886fce53393ee4437428041ae641cd6f6524970e71467c278101f810f0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
89KB

MD5
febb7f08d667ade28be6d6ad8a9c4732

SHA1
a524d1a49d82c976cd69492790893409a7522470

SHA256
db144b6e674441dcbd987abf21cc8cebfb66d78502d5b8e8c8565f7820534d33

SHA512
cbbd9be2426662c52072e90a6b033f6ade5295b9b24833104a367cc5b2c21e4fa37c952fe207efd40bd8e03241482fbfbb2fd4d56301b9b5361bb05d6903482a

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
89KB

MD5
6a165f511808f732f62a4c96a179d48b

SHA1
96dee8e9dc5e2b52c8e85732d34b2c5c49025707

SHA256
994d0e68d4a965422bbea42eb72dbe914da7709854d402c68691b25252832829

SHA512
93abc3a88958ea179e960a65636e55b740188bd3337f15c0e5b23be2da0ee678094e695f08aa0a25c3a4b43852645da441729385a11f2260b258f567a977c68c

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
89KB

MD5
123bddcce1af021618d0d11181b72d93

SHA1
ce8db9cf4af08ce74e3bcf379c93f06bc309592e

SHA256
d2e0a0eac7353a2438e652188b2127dda4a547a99c3cbdd90b961ce22925f97e

SHA512
cf98c3e15c30c4cca2b0d596690beb25a48e20a28399a1970f6ea372b851ad6c905bb243c15ce6dda2301e8471b7116da5d7140033947f92b23d2465df9b79ca

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
89KB

MD5
2a90e5ecd62e13cd882e792f07c01660

SHA1
10af0d88c4dd1cd178e9cbc5d350b797aa08ea6b

SHA256
333872a383b9e9027f551ce97fbfb426313a526de10cd798f5326d672d327461

SHA512
7233ea1285edc0a964fdfec3c92f60fa05b49a7b9f9c9dcdf022d1a28b5082443c643fc0efedf4c43eeaa71947a49d514ff59478a4643d9daecd38221db0daf4

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
89KB

MD5
568dbd6bda7e44a6f3aee027499953c1

SHA1
8ce5390b63385e2a90ec92f220bd1c4b08d81a53

SHA256
5d713dfb3c9d50980beace3ceecc8500061f859ec44aef2ac58a2d4c4c9a5986

SHA512
e9da69d5e8b3e42f435b2182177637ca96fd01d204bcd395b84adf72ef3af5856f564167575dc08f3c3441e9058f165c2bbb80646ae48078d3a860a5dbcecd56

Download Submit
C:\Windows\SysWOW64\Onliio32.dll

Filesize
7KB

MD5
e6cb9031b2ddcb149ee1afbbf3dd1ad2

SHA1
35fa248dd41c2f9f7ad8314db91875cc80e4d7ac

SHA256
6ab78561dace4a06de8e203a5b697ef487273a4cefbf697a679b6034ee46d1ce

SHA512
2f8fabc19e27eb2b9bd8ae929ac5fc851eda3f5380eb7643144322845e3f899f704b3e61decdd6d73ac0ce80c434b1aa6ad1f430bebb1ebf5ea23b182a214d30

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
89KB

MD5
04fe567508377365b72f9b5fac9b4726

SHA1
f09dcab9aa0ee493393e7d93df3fd7314f167c20

SHA256
7206e73655fd48e527871319efc630bf4fd0e0453a4000d304647b310e3ad74d

SHA512
853c1740204029257fc983b24f2151c607a6c1d4fd8167ce1ae11fc53e41402b3be8cdd7eabae7a9d865327ae8228a44b556621498b83703cb0bbeacb2a8a6f8

Download Submit
memory/560-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1360-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5156-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads