3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
Size

64KB
MD5

1184a726a41d8c633cf0bbc0c509a3e4
SHA1

d8d5f2a372a55d6906a2cdf40efd01cc147f51f2
SHA256

3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73
SHA512

859d8446a4cbdc04b38d26d9cfa747e3298be632fc81f615733bed1695dcaa3ad71438b0512a784466c94727f7c6dab8b22ba2840926fe0c69736f613d2d4c20
SSDEEP

1536:ZVKmt/v7ntztknIjC+qunqlWzUyXUwXfzwv:ZVKM7snIDnFxPzwv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe

Executes dropped EXE 64 IoCs

pid	Process
5048	Mdmnlj32.exe
3988	Mgkjhe32.exe
2472	Mnebeogl.exe
3236	Npcoakfp.exe
2176	Ngmgne32.exe
3368	Nngokoej.exe
2388	Ndaggimg.exe
840	Nebdoa32.exe
3020	Nnjlpo32.exe
8	Ndcdmikd.exe
4056	Neeqea32.exe
464	Nnlhfn32.exe
1476	Npjebj32.exe
3672	Ngdmod32.exe
4568	Nnneknob.exe
5080	Npmagine.exe
216	Nckndeni.exe
2784	Njefqo32.exe
3372	Oponmilc.exe
2676	Ocnjidkf.exe
3240	Oflgep32.exe
1104	Opakbi32.exe
768	Ogkcpbam.exe
3620	Ojjolnaq.exe
2292	Olhlhjpd.exe
1460	Ocbddc32.exe
2916	Ofqpqo32.exe
3608	Onhhamgg.exe
3724	Oqfdnhfk.exe
4204	Ocdqjceo.exe
3424	Ojoign32.exe
3500	Olmeci32.exe
1324	Oddmdf32.exe
2140	Ocgmpccl.exe
2416	Ojaelm32.exe
2756	Pmoahijl.exe
3840	Pdfjifjo.exe
3144	Pgefeajb.exe
3696	Pjcbbmif.exe
2612	Pmannhhj.exe
4992	Pclgkb32.exe
3568	Pfjcgn32.exe
1624	Pmdkch32.exe
2960	Pdkcde32.exe
3688	Pgioqq32.exe
2564	Pjhlml32.exe
3048	Pmfhig32.exe
404	Pdmpje32.exe
3348	Pcppfaka.exe
4936	Pfolbmje.exe
1244	Pnfdcjkg.exe
4980	Pqdqof32.exe
4956	Pdpmpdbd.exe
3024	Pfaigm32.exe
2328	Qnhahj32.exe
336	Qqfmde32.exe
3992	Qceiaa32.exe
4188	Qfcfml32.exe
924	Qnjnnj32.exe
4844	Qqijje32.exe
4292	Qgcbgo32.exe
1564	Ajanck32.exe
2420	Ampkof32.exe
3248	Adgbpc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5300	5448	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 5048	3460	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe	83
PID 3460 wrote to memory of 5048	3460	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe	83
PID 3460 wrote to memory of 5048	3460	3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe	83
PID 5048 wrote to memory of 3988	5048	Mdmnlj32.exe	84
PID 5048 wrote to memory of 3988	5048	Mdmnlj32.exe	84
PID 5048 wrote to memory of 3988	5048	Mdmnlj32.exe	84
PID 3988 wrote to memory of 2472	3988	Mgkjhe32.exe	85
PID 3988 wrote to memory of 2472	3988	Mgkjhe32.exe	85
PID 3988 wrote to memory of 2472	3988	Mgkjhe32.exe	85
PID 2472 wrote to memory of 3236	2472	Mnebeogl.exe	86
PID 2472 wrote to memory of 3236	2472	Mnebeogl.exe	86
PID 2472 wrote to memory of 3236	2472	Mnebeogl.exe	86
PID 3236 wrote to memory of 2176	3236	Npcoakfp.exe	87
PID 3236 wrote to memory of 2176	3236	Npcoakfp.exe	87
PID 3236 wrote to memory of 2176	3236	Npcoakfp.exe	87
PID 2176 wrote to memory of 3368	2176	Ngmgne32.exe	88
PID 2176 wrote to memory of 3368	2176	Ngmgne32.exe	88
PID 2176 wrote to memory of 3368	2176	Ngmgne32.exe	88
PID 3368 wrote to memory of 2388	3368	Nngokoej.exe	89
PID 3368 wrote to memory of 2388	3368	Nngokoej.exe	89
PID 3368 wrote to memory of 2388	3368	Nngokoej.exe	89
PID 2388 wrote to memory of 840	2388	Ndaggimg.exe	90
PID 2388 wrote to memory of 840	2388	Ndaggimg.exe	90
PID 2388 wrote to memory of 840	2388	Ndaggimg.exe	90
PID 840 wrote to memory of 3020	840	Nebdoa32.exe	91
PID 840 wrote to memory of 3020	840	Nebdoa32.exe	91
PID 840 wrote to memory of 3020	840	Nebdoa32.exe	91
PID 3020 wrote to memory of 8	3020	Nnjlpo32.exe	92
PID 3020 wrote to memory of 8	3020	Nnjlpo32.exe	92
PID 3020 wrote to memory of 8	3020	Nnjlpo32.exe	92
PID 8 wrote to memory of 4056	8	Ndcdmikd.exe	94
PID 8 wrote to memory of 4056	8	Ndcdmikd.exe	94
PID 8 wrote to memory of 4056	8	Ndcdmikd.exe	94
PID 4056 wrote to memory of 464	4056	Neeqea32.exe	95
PID 4056 wrote to memory of 464	4056	Neeqea32.exe	95
PID 4056 wrote to memory of 464	4056	Neeqea32.exe	95
PID 464 wrote to memory of 1476	464	Nnlhfn32.exe	96
PID 464 wrote to memory of 1476	464	Nnlhfn32.exe	96
PID 464 wrote to memory of 1476	464	Nnlhfn32.exe	96
PID 1476 wrote to memory of 3672	1476	Npjebj32.exe	97
PID 1476 wrote to memory of 3672	1476	Npjebj32.exe	97
PID 1476 wrote to memory of 3672	1476	Npjebj32.exe	97
PID 3672 wrote to memory of 4568	3672	Ngdmod32.exe	98
PID 3672 wrote to memory of 4568	3672	Ngdmod32.exe	98
PID 3672 wrote to memory of 4568	3672	Ngdmod32.exe	98
PID 4568 wrote to memory of 5080	4568	Nnneknob.exe	100
PID 4568 wrote to memory of 5080	4568	Nnneknob.exe	100
PID 4568 wrote to memory of 5080	4568	Nnneknob.exe	100
PID 5080 wrote to memory of 216	5080	Npmagine.exe	101
PID 5080 wrote to memory of 216	5080	Npmagine.exe	101
PID 5080 wrote to memory of 216	5080	Npmagine.exe	101
PID 216 wrote to memory of 2784	216	Nckndeni.exe	102
PID 216 wrote to memory of 2784	216	Nckndeni.exe	102
PID 216 wrote to memory of 2784	216	Nckndeni.exe	102
PID 2784 wrote to memory of 3372	2784	Njefqo32.exe	103
PID 2784 wrote to memory of 3372	2784	Njefqo32.exe	103
PID 2784 wrote to memory of 3372	2784	Njefqo32.exe	103
PID 3372 wrote to memory of 2676	3372	Oponmilc.exe	105
PID 3372 wrote to memory of 2676	3372	Oponmilc.exe	105
PID 3372 wrote to memory of 2676	3372	Oponmilc.exe	105
PID 2676 wrote to memory of 3240	2676	Ocnjidkf.exe	106
PID 2676 wrote to memory of 3240	2676	Ocnjidkf.exe	106
PID 2676 wrote to memory of 3240	2676	Ocnjidkf.exe	106
PID 3240 wrote to memory of 1104	3240	Oflgep32.exe	107

C:\Users\Admin\AppData\Local\Temp\3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe
"C:\Users\Admin\AppData\Local\Temp\3d16b3844618893d050e929ed250ddb3ffc6e098be8f1b7d89853a89d281ea73.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\Mdmnlj32.exe
  C:\Windows\system32\Mdmnlj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        23⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        25⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        26⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        28⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        35⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        36⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        45⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        66⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1436
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        77⤵
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        78⤵
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        79⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        81⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4236
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        87⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        88⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        90⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        91⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        95⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        97⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        98⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        100⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        104⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        116⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        119⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        121⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        127⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        134⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 404
        136⤵
        Program crash
        
        PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5448 -ip 5448
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anadoi32.exe

Filesize
64KB

MD5
6e190a6eb07389547433ef52967fe745

SHA1
50cd49081a7ac53d8f7a521f2420a29e3e87bfca

SHA256
40a79e99635e1a667604a12bde01e242b554e46d5205b3141b17caa2fb9c19fc

SHA512
e09c8e9e5fa3ca0980aa960a10247ee1125379c7459505eba91e1efc296e3475a1710b4d9db8aeb9fa006b081ce99c781183a3748aae42197bd5f5fe035ad957

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
7dddde35e85db2889ddd06cf2232cdce

SHA1
9fcfbc7bda61a4ed16caa29a330707f9abe7ba99

SHA256
e4da5daa0771e699b51bcba202071f9aef5cb8e821bcfb199beb6a8fbbdc057d

SHA512
54e5bbf41b8a9a21b7f76403e3a4041f026d1d3f558df2e359bb3c53469121cde75374d5fee3e2fd2f52b2592c4ea0335c9d4e661930bc46eb942cc5e804b325

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
88b4ed58b4630606bb86f3ea9c0d609f

SHA1
0db5f4b0aaaa80e17097e70fc4a5a2150dc9c22d

SHA256
08035f6465775f391c633df8958211eb757c3e5969176fd87c4ab6aaf761d689

SHA512
1e6a2dd97c54aacaee50bad9f773ae92e0d0269b8cdb737f7bda27d513eb0e928e18760d888c98c5abaadda120d630e702baf95676cc3d50c07f6cc7038c02b3

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
64KB

MD5
6b2518bf23ef193b1a42ce9d39f5ecca

SHA1
9a16e9b32d133266bdf8667b70a8fc2ac85ddd66

SHA256
41b4ebfd7cb955d342bc57728de46187f011a90a27e68bc938321d4a18cbbf5a

SHA512
d6c58f60f0d5b44ba53ef05b321e6e29f2653e8819f6b2d55b572028918db2d3c03d7f593a2b1fd57faa0e862b558c331f61bf067ce8d8154b7fd771b6b335da

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
64KB

MD5
8500dfefcc5244891bacba4f3fa5934c

SHA1
e8a2eb6a2e42cf7d61df6081a12a7f6b6451a187

SHA256
477a903fa11b0155ce4641904f2e44881abbae2b687dbc3b0b520f5c0ef4adc2

SHA512
80e6becde4a6b5f4b7df526e79d3dfc8c177daa37bdeb65e96d4d1427ab7a8a4f92d881ec78aac945abc8892f1c44d76a74eef163b4592d3181d8979bf6c4727

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
64KB

MD5
a870923a4487969dc89dd5cd45de755d

SHA1
be16de758247c27c5fb990a5a647177c0871aced

SHA256
a7a647ca5509fe5f104424fc83a16769392d58d5273be320db9437d0121d8b79

SHA512
f0151e7dcbfc3be892f0d63832152107e2adcc1ba11d60d2ba444e12e6141df502b886485edc7d9b7e1120a11da16204de0a89fcafb9580521dbf2d44ad2a82a

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
2cd679825c884b301f6962d95fb37601

SHA1
12b135221dd45c54d11b75995f07598e9091ac29

SHA256
215c263421e974de0e231806058836ac139a849ef7e87b621abaf6ad435c54ec

SHA512
63399b428cc8d4e1c15c458c42bd68cea15df4fdac5eda48799cf47d409ff752f09e4c0b0c50c26ebaebd6d5ff1d9cd506422ce970b6d791c44dbf9489db7990

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
8378fc2197084c522970d71bb4f013bf

SHA1
0eeaea006195fc4b34e053df18a2b1306719673b

SHA256
a5859fc448c20a3037ff090eea910897a46517c68a56af679bc75b8b6e29ae81

SHA512
77b47ff374bbae912420c037e1573edf1a417ae143f3400e828abbc1ee9c4b855b71db248b03626eda1000518dae46cfbce21838a267cae7278926c4ba7285a6

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
64KB

MD5
831be181aaaa166fd60ecd2331f84fce

SHA1
67757d58ef9e5398d6f5b2051faf5a2c82dafa6d

SHA256
44b1d2bb367302c1f9768a20948e4e6a40fb8559427755a8828d7c35ce662575

SHA512
989aa082e54583c2a081c531cb56558ee776d525c9c4fb9acb3fdb0164d9d42487f81e716b10d25b0ee556638890948031ca34b2c4be1d9287db038c6ca046aa

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
64KB

MD5
32bfbbb6aace4c7e21103fde7813a5fe

SHA1
c841b98cbed6b0f19ff2834b4b7af18c075e3e90

SHA256
3b0c09f6636a12c799cb8c750e54aa41d901b15711be92b36729c7f7fe60e66c

SHA512
4a79fae4bb6c37cc36f7381bc11e406757585284f784f215e75af456d2316917b90256bd974fe715a3eee0dae5be6b779e67a2683c44a52e3c8f51e8923c625b

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
37d208c0db079b80b374df05d52de2a1

SHA1
0ec0b259c449723edbf11f55c04794394c8a9cc0

SHA256
1592ccb65ca84e9c59fde0526286a66584b496be8503f7989a6314c97c828cde

SHA512
92fde363bfba28d94662be493cfb495ba8fae38ccc235aa237aa6c5302bee0b3432517233bfc7855066997e722aec20f64b5d7b828863a9863adc0011614433f

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
64KB

MD5
09fe804284aaacde5d16f54a15aac389

SHA1
383ba83837ea6e4a6cbeec249fcc189c222235cd

SHA256
a2fa874c1b6a49c13b0f15727b52a65b4761fcfc5eed2b980a0d1c00ad598e9f

SHA512
ad938fd786c48bc1830a18252ecd79f79a5f042f38518daf5ab1215fb2e42f6dc7ba190215bb1ef9ec68d35c87228e082ec113b8afe07aef5bd1b7c0f15e8cce

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
64KB

MD5
83935d90c1c1a988dbea84e84a580629

SHA1
eb005ad9ba6fb42481eb8ae0580b18e0411b1761

SHA256
fe9b91139009248195b369e442600a7e7f7977c93442e981ba39eb28f7cc931a

SHA512
ba4c6f4d44a0179e46558f595e4fb95ed12a521467e70936fd06b968596cfa2d01efda88af63b50f827deb3933fd10487167a86f36cfde6e446434708e89e1a8

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
6500973fbe271a448c5df58194e84876

SHA1
99e36d85e0f11d1cf3f725df5aad9d43db141ced

SHA256
0923f3a3ab017264f2f95c6d9b356dcebbb0101f48f9e5101a7d05a20b0172ca

SHA512
0be4eaaf1fb0b243f544fddfe97b66c01c91744d88b27e6cf719c3c1af15071d637d01e7b7a53fcaee02e451e9d6700e0e6ef40f1b49ab156e62426c7b9adc25

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
64KB

MD5
2bbb8a0de4fef2863383d1827df15b1a

SHA1
dbd3a96e31be57adf904d7e3029dc1b3a93c9cba

SHA256
51a76dd170a7a421da7bfb265c27008996251a8d8abef195ff720594a3c9eb58

SHA512
abbb7e8f439ab2ccdc4ba238f7228144648e8f30e476d8513ff9a2dac014bafa5e0c986616a8516581c0b13bd1c22c9285413c18d423ff73335759f6635b78b6

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
64KB

MD5
be51e9bcdf9d7dc20909aaea50b46a90

SHA1
20959c2b8ba66987f87fc36cf0c86360fa5e3511

SHA256
b40480953f3884755c1e811f581bfa623e79da0dcfc022a0f7a81fede93c98c3

SHA512
4a0a9e98c37fce4cb0dd6d7837b5191df0de3bde09223280a1e998bcc642565593c55965bd9831eec1566938aec95cfce92b24435cf7b6d395937ad1ff0e9f53

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
e1ce0cc562a1c3b92a743729890566d5

SHA1
a84e0470f1b166e18343f30351e9f8f9f60a52c6

SHA256
ffc93a503721fcf80d40544e53fb83fe00b9eef314d4ee7a9f87be068f022e53

SHA512
b12e52e04785cc0770ec2ab12a97ec1141b629363de780165eee105be2a9cbf0a4dd5aa53a229f3cb68af0497d1f157e5e3241bf0f968d9c46a172306b2fb9bb

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
64KB

MD5
996258c670b30967325032692f3e2b34

SHA1
86ff9f239cd265989a1e837fc5fd6b13d97a1864

SHA256
3f51089ad96361de93ecbe34b004b4a5db9002df30e54d174bfe5b46fb0ee210

SHA512
05c801e086012591bac753d73f360f7ba866e4574fc49d0eeb0e63df0d0f4f3f3e8ec4c1036b9c8845a14419fd111ba7fca9b00d9f99c3090f8321766ae2bb71

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
64KB

MD5
2131696bb789260afa9e756510390e5b

SHA1
1eb004d4237f798041e8ad5bf8f329d15cff2f64

SHA256
ae3d687d9162376f658bfa4cde0d908f74f7849331c3072fad9be9dc66134643

SHA512
7eda527dd96e0dc5771dd74492f8ccf4af4ac129c25ba46a0dfface267935411ec9def1bcec8ed690ca8feeae3b1643eaa6f3d49d7e6e605aa4cb5e2510d78a1

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
64KB

MD5
a33d73aad2666b4be6ec096ee5984d24

SHA1
fd1263fc5165f89531763eeeeb6a19cdba84dfb6

SHA256
d5674f6d49eb101da2b04bf4fafea5b811d3b70aed83a0ee8a0bdb652beb81c4

SHA512
bac230ca0e1f0d137dbefadee54ee93efd288464a44bffddac8cf4cabcdcd454e652dbcf60a903888f4753362f3ec387c4b2ef24b400f76bc8f7e402511e9fc0

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
6af62c51e287433c3e50fadb111bc500

SHA1
5fd41fec56c06f7a19be5608ca25523041ffa118

SHA256
65298038fc613a1918fe66383f5e523099fc50533b8e5db3114e5388b57530a4

SHA512
5f5853637a1e68cd65e0b87c3fb87cd164973a803e71da1cf540ea525e62952d62cd3a43d270d11a9f80842e65a1849266fcd13b5001c5ee9aff1ac426b9a61e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
0f3df53204b1abbbf32061c5a7e9b7f2

SHA1
4574a5561da28ad0eab07ff5ca640daa03f2e166

SHA256
62f12ec12bb8a6f29c9b96772e2c9cdf49f0ad343ebc7647ffe4097fba79b2c6

SHA512
0c1813b8057c2bdc4442c6c8c3d521ab7042a6a49908d7e6f05f09ffe84ab5dca5ce6d6f4f93807ce9e606d6ffbc67a7c5e1f44d7fc1ae2d04bceb9937d30c00

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
9ed9993970e1f93d9e16d78b9d6c8b84

SHA1
c784024cdb23a8cc22d0e9ef4f695da75e85f669

SHA256
1876f8a3b020b43c5795f6e4114deea3767b1f494521aed47acf8449935b1398

SHA512
147928e91601673696ffd7fea367175051211b0a5a035ac7dc23a812289779e9dbc45a8e9b4f2de4ffc753580e5979a69cf9d6f778357f1c9fcde56e2317304a

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
64KB

MD5
993b052714be361aad464c19153db03e

SHA1
258cc9855cc5cfa49c7f521340764d2f6bdf1a58

SHA256
b3ac5b9d2b2fd5214a2d10eca1c89e5921069e56cc7a4e1d595c5594025de49d

SHA512
22adf8bcf8ae692ea50b7650ecbeec425e7f13d73277b33672d566dcc1c21cdd186df423e991b18a20ed3a94b260f8e6b13df7b3051807f496aae3ea540dad04

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
5ce96b66d72fe20a11be06793e5e12c0

SHA1
60947fed89e5c8183e913bf97cd7736a73d453a5

SHA256
14581e4443a8899e85893fb7d94bcd2f8024086c25bd6b8172e0e61eaab0dfe6

SHA512
ad95be3668a86feb2b1a6e32ba0b446dfa93862ba028f7c77a144a5a93ed2f8785d375d9a9f1d2632f10edea048eb965a1e443d97c8fc8a20cab611b307e7278

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
64KB

MD5
9b653df2d76a16a1a50b42542b939f6e

SHA1
d019a1a9e1c69def7568edebac31f434fbb5676c

SHA256
9b3f32379eba26bc92676c5a0794a38f089c7ff718312aefb06920bbfd5808b3

SHA512
4ed44928cc066fbf4ee7cc3afa9f11d4872d2be5518f3c80d992afdc4c960b318cba809231b4693a10bd3bbfa6f9b5ce7ce94635efaeb648322187a3a41c7703

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
64KB

MD5
32f54416101120dbc4dff7b33315898a

SHA1
c1ae256f0e640d772a921d961b5e6cf375575468

SHA256
fb82f1371721b63a991fce6f2da85ca51aa68aff8834378a6769773a6d244823

SHA512
add3408128386855ea3de12f15f262877680bb32d6a227efab2282037a3fc8cf7532722a87cc815df08c7169e6156b65680f61c26dab1fe219dbde6eb54d6a86

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
72718626ed4dd196cc58ab207e522a98

SHA1
277d83210d5a71a2f4a611c0ed6af5a72d47d4e5

SHA256
461be645d22e1eb7f31769cf039787f0a6a63d7ba4ea5ad164589cfa890049dd

SHA512
61c89e9148e311a3b7ba43de4628df7deacb1021b6eaaca1e8ebb1427a0ab55aae8517cdbc5bea9eb9fee5576521758a783dd413e3ec79aa8abaf2e46bf8467d

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
64KB

MD5
5990c176e86c4e66b672db7b532ea8c2

SHA1
5ef9257f4a4c3129f8273a2a3ea66aa099f7e794

SHA256
7be4e062c2aabb6d764f251e1f3470a89de79c356aae0c567a9380f54233f7b5

SHA512
f4a51b3ade20b33cc3404dd3e5652e48fe4f3e50d10333bb8815e64b8f7fc814732ba6aa6f067f1300a658d8cadba45314d0db6f900f6a1835774e39a46961d7

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
64KB

MD5
b91a3b98f868a41ad7cee3afc4547708

SHA1
b800600f290b899fce48fa340f49738c0408d8ac

SHA256
68918c11f6bb2e6f98e3f7bb7b1f7015d97bc6f7687f345874d3d86338801e61

SHA512
f1f0834d8532a77433bea606f7e8ecf4ea02ef94669fd0ba5b2a571c27d6ba94760602ce9e65f1664b0da5d95b9301d7139033ede7d6c352c1f3b2f668c00cf9

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
64KB

MD5
50ba278cf89830aaabdb72fb3f01773b

SHA1
14e05efe0fce6ba32f654677dd12fa6cf0fe5644

SHA256
dcddf8e46b41e79a91cce70243e112a0ac8d2f0c16897f7d0d28c89171318c56

SHA512
d51585ced878bfbea2f2df46f19f2356c880410854ed17b1d681abf89ba55b18aa1d659e23703bb6a4ccde397d07c194746935d6b18cdda5e6b093d6775dd763

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
e0e83787cdef29599c01710617f94a9a

SHA1
be494a5a6091b775cdb3d22a379e150d62cbfc97

SHA256
c98623c31a5d2cfa2c2093dfdd324e96297ff675038b78b1e0062047961da452

SHA512
1fa1720b06a4fe083fdcb21f3e5b2908f91f11f554c21e00016bab6f8d49f0f23f38fc230db8bb23428e613a248be9cfe9d93b84aafd8becc8885207ec4e9ebd

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
49cbb9fb73bd1407097417809cbc49b8

SHA1
02b9e8f124d2fbf9b2095233d2a91af6a7652344

SHA256
b6529f2b883a09bace1d26b951bb4d24d8c679982653d130923c821840eb0468

SHA512
51f3ed70733f0236c1562225f79d5264918ffe8bfbc261260a7c06a6fc9297cb44c03fb8d802c47e737f5978bc4dc53368366806fa18bbe3c204881acb467bf6

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
d7e612334f5dc2da864787cc3897f7f1

SHA1
8d948cf65461c8ce6ebb08f89f5bea2429b7dbaa

SHA256
59d44a6d9373f5ded29b5de9f60f4be88840d0d61a6ac00d655b27860f098e6a

SHA512
2d9eff90d84c2a809e7e05c35a47339422a1ec0c50360f4ab42bfa910dac7dd036cdd8d6277e3530bef5830a0357c40b691354f7568fee24e70f88280bc7fbc1

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
6a8c90033bc778fb4e81d407b1a3716c

SHA1
0b810dae5f9579c792f966831683bec908138339

SHA256
d7ca2f11ec2b43bd6946a6ac7364064ef302e2e4883379877eb73cc9096e28d2

SHA512
b3468b2a5e2eb6a30fb073a31acd57385146b36ffa0dbb398167358abb66e0f4b1adcc6e6247fe9a39dc0b3fa41b89cee3d3f19bc54a7c0e60eb68713bd2291c

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
67836b4942e714aac168eea2d263f9cf

SHA1
77f0a3639054263014b0ec9a1358ed497b60afdc

SHA256
02e2a357bfca6ffc7a811ae57685f125d0974070f12a684cecd602445b2c094a

SHA512
1d3cb3d356e4156fe8e63a694197ad4d52ba352fd41db13ba5822309d7045400a7c861143183bc5537a47376c1a13e245b4b5ee1a902a9a4e5debfd1017d1dac

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
64KB

MD5
42d9dfc4fc24fef22232a4d333d54254

SHA1
12e64fad9517c94b7a9b60466824a5255b97436b

SHA256
b23d8d82af8844ce22ff9a45b75b16d2647275c0ab316ccad741f4833994dd4b

SHA512
55fc5767e7002fac879e521a2d5f1cbbcc363116c1e6b9648d51af95ff7ec5ce67e42757a5df8a6d6a73b755cac603c6de41b85451efeab5147dd7939973aa08

Download Submit
memory/8-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/552-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3240-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads