423c1250791ce1015093717d2305d746c7b06d396e8bf185470d9baea781399e

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67dea9950f97f79ffe4a3a526333f530N.exe
Size

73KB
MD5

67dea9950f97f79ffe4a3a526333f530
SHA1

86754db3b3418d53292dc085863112ca8228dac5
SHA256

423c1250791ce1015093717d2305d746c7b06d396e8bf185470d9baea781399e
SHA512

0160d7d94cbb04e69b275d7f0ad3b9dd6177925e33963362c7724beeda36357195675a99c293ed00e4d8d0936f52d386aa2fa7e452b7e05b087ad6fe6715d203
SSDEEP

1536:7uX0GBhrtHLt07kyg/d0O9C4V5YMkhohBM:c1BhWKy4HUAM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe

Executes dropped EXE 64 IoCs

pid	Process
3508	Menjdbgj.exe
3460	Mnebeogl.exe
2836	Mlhbal32.exe
1608	Ndokbi32.exe
2028	Ngmgne32.exe
536	Nngokoej.exe
4712	Npfkgjdn.exe
4440	Ndaggimg.exe
2944	Nebdoa32.exe
640	Njnpppkn.exe
4752	Nlmllkja.exe
4764	Ndcdmikd.exe
1376	Neeqea32.exe
4552	Nnlhfn32.exe
920	Ndfqbhia.exe
5108	Nfgmjqop.exe
100	Nnneknob.exe
2272	Nlaegk32.exe
1520	Nggjdc32.exe
936	Njefqo32.exe
2368	Olcbmj32.exe
4548	Ocnjidkf.exe
4576	Ogifjcdp.exe
8	Oncofm32.exe
4148	Ocpgod32.exe
4228	Ofnckp32.exe
3944	Oneklm32.exe
672	Ocbddc32.exe
2972	Ofqpqo32.exe
4332	Oqfdnhfk.exe
3240	Ogpmjb32.exe
380	Onjegled.exe
3692	Oddmdf32.exe
1692	Ogbipa32.exe
2648	Ojaelm32.exe
3496	Pmoahijl.exe
2012	Pcijeb32.exe
3392	Pfhfan32.exe
1184	Pnonbk32.exe
3244	Pqmjog32.exe
4880	Pclgkb32.exe
3172	Pggbkagp.exe
2472	Pnakhkol.exe
1924	Pdkcde32.exe
4584	Pgioqq32.exe
1164	Pflplnlg.exe
2344	Pmfhig32.exe
4028	Pcppfaka.exe
3104	Pgllfp32.exe
1588	Pnfdcjkg.exe
5088	Pqdqof32.exe
3256	Pcbmka32.exe
2232	Pgnilpah.exe
3080	Pjmehkqk.exe
3636	Qqfmde32.exe
1124	Qceiaa32.exe
3076	Qfcfml32.exe
1604	Qmmnjfnl.exe
1364	Qddfkd32.exe
3744	Qgcbgo32.exe
2128	Ajanck32.exe
2940	Ampkof32.exe
2188	Adgbpc32.exe
4816	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	67dea9950f97f79ffe4a3a526333f530N.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5992	5896	WerFault.exe	197

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67dea9950f97f79ffe4a3a526333f530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	67dea9950f97f79ffe4a3a526333f530N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3508	4652	67dea9950f97f79ffe4a3a526333f530N.exe	83
PID 4652 wrote to memory of 3508	4652	67dea9950f97f79ffe4a3a526333f530N.exe	83
PID 4652 wrote to memory of 3508	4652	67dea9950f97f79ffe4a3a526333f530N.exe	83
PID 3508 wrote to memory of 3460	3508	Menjdbgj.exe	84
PID 3508 wrote to memory of 3460	3508	Menjdbgj.exe	84
PID 3508 wrote to memory of 3460	3508	Menjdbgj.exe	84
PID 3460 wrote to memory of 2836	3460	Mnebeogl.exe	85
PID 3460 wrote to memory of 2836	3460	Mnebeogl.exe	85
PID 3460 wrote to memory of 2836	3460	Mnebeogl.exe	85
PID 2836 wrote to memory of 1608	2836	Mlhbal32.exe	86
PID 2836 wrote to memory of 1608	2836	Mlhbal32.exe	86
PID 2836 wrote to memory of 1608	2836	Mlhbal32.exe	86
PID 1608 wrote to memory of 2028	1608	Ndokbi32.exe	87
PID 1608 wrote to memory of 2028	1608	Ndokbi32.exe	87
PID 1608 wrote to memory of 2028	1608	Ndokbi32.exe	87
PID 2028 wrote to memory of 536	2028	Ngmgne32.exe	88
PID 2028 wrote to memory of 536	2028	Ngmgne32.exe	88
PID 2028 wrote to memory of 536	2028	Ngmgne32.exe	88
PID 536 wrote to memory of 4712	536	Nngokoej.exe	89
PID 536 wrote to memory of 4712	536	Nngokoej.exe	89
PID 536 wrote to memory of 4712	536	Nngokoej.exe	89
PID 4712 wrote to memory of 4440	4712	Npfkgjdn.exe	91
PID 4712 wrote to memory of 4440	4712	Npfkgjdn.exe	91
PID 4712 wrote to memory of 4440	4712	Npfkgjdn.exe	91
PID 4440 wrote to memory of 2944	4440	Ndaggimg.exe	93
PID 4440 wrote to memory of 2944	4440	Ndaggimg.exe	93
PID 4440 wrote to memory of 2944	4440	Ndaggimg.exe	93
PID 2944 wrote to memory of 640	2944	Nebdoa32.exe	94
PID 2944 wrote to memory of 640	2944	Nebdoa32.exe	94
PID 2944 wrote to memory of 640	2944	Nebdoa32.exe	94
PID 640 wrote to memory of 4752	640	Njnpppkn.exe	95
PID 640 wrote to memory of 4752	640	Njnpppkn.exe	95
PID 640 wrote to memory of 4752	640	Njnpppkn.exe	95
PID 4752 wrote to memory of 4764	4752	Nlmllkja.exe	96
PID 4752 wrote to memory of 4764	4752	Nlmllkja.exe	96
PID 4752 wrote to memory of 4764	4752	Nlmllkja.exe	96
PID 4764 wrote to memory of 1376	4764	Ndcdmikd.exe	97
PID 4764 wrote to memory of 1376	4764	Ndcdmikd.exe	97
PID 4764 wrote to memory of 1376	4764	Ndcdmikd.exe	97
PID 1376 wrote to memory of 4552	1376	Neeqea32.exe	99
PID 1376 wrote to memory of 4552	1376	Neeqea32.exe	99
PID 1376 wrote to memory of 4552	1376	Neeqea32.exe	99
PID 4552 wrote to memory of 920	4552	Nnlhfn32.exe	100
PID 4552 wrote to memory of 920	4552	Nnlhfn32.exe	100
PID 4552 wrote to memory of 920	4552	Nnlhfn32.exe	100
PID 920 wrote to memory of 5108	920	Ndfqbhia.exe	101
PID 920 wrote to memory of 5108	920	Ndfqbhia.exe	101
PID 920 wrote to memory of 5108	920	Ndfqbhia.exe	101
PID 5108 wrote to memory of 100	5108	Nfgmjqop.exe	102
PID 5108 wrote to memory of 100	5108	Nfgmjqop.exe	102
PID 5108 wrote to memory of 100	5108	Nfgmjqop.exe	102
PID 100 wrote to memory of 2272	100	Nnneknob.exe	103
PID 100 wrote to memory of 2272	100	Nnneknob.exe	103
PID 100 wrote to memory of 2272	100	Nnneknob.exe	103
PID 2272 wrote to memory of 1520	2272	Nlaegk32.exe	104
PID 2272 wrote to memory of 1520	2272	Nlaegk32.exe	104
PID 2272 wrote to memory of 1520	2272	Nlaegk32.exe	104
PID 1520 wrote to memory of 936	1520	Nggjdc32.exe	105
PID 1520 wrote to memory of 936	1520	Nggjdc32.exe	105
PID 1520 wrote to memory of 936	1520	Nggjdc32.exe	105
PID 936 wrote to memory of 2368	936	Njefqo32.exe	106
PID 936 wrote to memory of 2368	936	Njefqo32.exe	106
PID 936 wrote to memory of 2368	936	Njefqo32.exe	106
PID 2368 wrote to memory of 4548	2368	Olcbmj32.exe	107

C:\Users\Admin\AppData\Local\Temp\67dea9950f97f79ffe4a3a526333f530N.exe
"C:\Users\Admin\AppData\Local\Temp\67dea9950f97f79ffe4a3a526333f530N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\Mnebeogl.exe
    C:\Windows\system32\Mnebeogl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        25⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3344
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        69⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        74⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4744
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        89⤵
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        92⤵
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2916
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        96⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        98⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        101⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 396
        114⤵
        Program crash
        
        PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5896 -ip 5896
1⤵
PID:5960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
73KB

MD5
ba5f14b256a79f651997616e388387d4

SHA1
eb552606583a50a5a289648e94a9490e9338d431

SHA256
1ca5b28e4433a3bdc01def2a50b17fb693145625639b9168ba0435e5dfd662a1

SHA512
e665a41ef93be95e5de3d3add790b61bd21a711c2ace68321351e25dbdf1f26ab1575dce5194b040d57f8a5c0ca868b64b96392acf2a849c9aeca59d6d9d9d81

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
73KB

MD5
39ac9fa389a8a766830bb0ebeb957962

SHA1
e5e0401b6ba12fa6d3d5db74cd8f6cdfae744179

SHA256
ee8a23bcdb94fc6a1c326de6d8ee60c7e6aea7b0c50fc1a5ed87558c0d900237

SHA512
ad106e93c31884ba094485165865ea37540ad2d9c418445d15bc76057937185d7a2692a56160e3cf3d4dcf552d954000bc2d3fdc3d0bddee6a47d76c960cdcea

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
73KB

MD5
777c307728747d02fce4a873c4240615

SHA1
2d646915a9decd0627fe80c5bf4827dacde3dbbe

SHA256
5b171d5183c1c83021a7c5e1fd9e5da93a762c037d02fa3960a0a7ffeed11a89

SHA512
ccebff59a23d8b0bc1e22e9f2a939dbed37ba01d0a30ab4a12f17b018e55816aebdfcefce4cb5764e03125522a73ff7482a0e7c0b3a1c26e8e3ca90a53ad7f00

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
73KB

MD5
e8d601da27a1919d4ee421b50b7ef99a

SHA1
bd8043e9c24a01275e764e42cc4999894e53f8c5

SHA256
f3bf4b3a6634c66f018c8431e650cad42f9158f0c13ba3ae88b769e319b58b58

SHA512
aded4bbee43601bfadc3c7a07e94a05d8086982e294a796b9a58c6d01fdc7b183651e43eb79a056a458f53740870f95542a9a8efdf505f290438d4e7778c36aa

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
73KB

MD5
7716af620eee93a0e28d0f8f169a449b

SHA1
bc60ebe5ae546ee9519558d6d6b74c839c2c3149

SHA256
0808513791f94d984960257fb7e01f5da20375180b1eaf7ea596c7194c81915a

SHA512
b9b1647d25bd300c7e08602889a818c1ecc0acdc1c638a08d624dd2d463f286e31b3cb7567c3af524faaa1bb0c6c640545035fd91e3dd1288c215e51748e07f6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
73KB

MD5
bdec4d48783cd603ec2b65ba8f629dfb

SHA1
483a7cb09fa25956a939f7ab164a5bd756772333

SHA256
111be8e78c5544ce89a1e5db64ecb08b566c1f39a1931700a7159944d5722622

SHA512
9dfb7338731d34fb6f64527bcc889f6bd36c96a2c8985b8a574eb7d00fcbda98f7b36e068133ed9b04c232d0209a99f54e46b8bb0c9ed4b6b4468b8b930844da

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
73KB

MD5
aa3559f92e1cb08b077ef77c422abb02

SHA1
847c1e74d314497d5bd2f2013d24f76f39b312cf

SHA256
8d248ce8857cdfe8174ef40a577aac36a879e4a18ddf6768d5eecb4a1f03988b

SHA512
4539a5a28c5568c8d2b351aed2b79176fb01a43949014f93e9f359c52d7ec0825b0a82f15fb28a76946aea81a3377ee1bdedb31f01030fb5326d58bf6b19895f

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
73KB

MD5
2f4b3d92f6d38e0042d6534e3e7fcf88

SHA1
87873ce92621039c68404aaba01d9b1bcc29dacd

SHA256
8034b622d25cb192396d0b0563d6bedd33c451e1cb9cc19939251803ca86465b

SHA512
df7f859fb61a908c8f9fda3155dc2bee23b678b31a2e8a6c44feed43ff88b9a71994716c4d8cef2676350230433025534c86f69e3e38e27a07b87b42c4fbe7cd

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
73KB

MD5
c3990313a870e3fbeff6ed779ba8c9ae

SHA1
2846136e8741d46ca3a2d15ed2b84ca2a304e6b7

SHA256
872c2ea19020049ea20b0bed8d49ad3e7fc6cd1ddec799706ad18b05f5910f91

SHA512
500fa0d571d1110fe8a1de3ed3f9a47edcf397239c6aeb0e28a07a12acec97c4e41aa00a3a974fbeb248143362ce5a9d8b6c306d084cadffd1e572dec30caf66

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
73KB

MD5
527bb591c600da1e7e82d3c89c19d9f2

SHA1
fa55c51af3a1dfef38abd43efd50c0018a4f8fe7

SHA256
386fe5adbafde10a0e5a8b3bb1239a0ba8838ca6c1e16592ca08b1e829c34813

SHA512
a6d40e7d8126d32f6deebf542874a97fdbbb4bd886a31eab79e7448da4ea4a7ddadd62ba02084c2cece3e87b9adafac985a132412310808eff0ab70f4544933d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
73KB

MD5
7e9b000e57867d60d66d63de7d2977f3

SHA1
20fbda916465877d5208fad028a74786a959108c

SHA256
41f0f41fa41ccc2e5938e1be0584bfa6d6634c16880abe6f5730fd81cc68852d

SHA512
e912632ce044fd4f288822e62adcfe42eab68c3c569db9d667022b19a13247a8ee5fb20e426e868714658e606f627deade66f4ea98eb2ae77a72a8d958192a38

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
73KB

MD5
d08a50a4ec2f3e45925cee5ee112c230

SHA1
91a091656d49878fbcc3e7bfa8174cf885b8bee1

SHA256
50ccba54358e5eb1ff665d0732cebd169d36a06883d655da0d2038e21698fb4f

SHA512
ec0c1d608ac9a44e0fc91602930867c6f45774ca58a1ffecee75f8bb82441bd51f0ec6ea8157117c1658e7d60c7be27c1c2ede740340536927441006fc507854

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
73KB

MD5
f1db5ece5c08db527db15feee22ca3c7

SHA1
71bb8b8135f10ef4305259311f5d2f6ccfe2addb

SHA256
0276965b9441cb902a960390f3abecfb845d069fa2ec53771cac8fb2255448f1

SHA512
6def945fb6d9aa09a22858f136b06a7fb128afd124cf967b5a852bb798294d2a6145096f86d599389d913d4d60e7c23454a16d5c00afda3537700dfce4c52fe8

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
73KB

MD5
e2fc43dc5e92681a6c5f797070612a21

SHA1
c027bab550964bad94c5537b7812c97b3ccea410

SHA256
9537c7587ffcc9f930239e9e9dc72d67b12fbd6c8ebbc5b453065c699448dea7

SHA512
25480bee5e73c7330ca214d2df68a00a2cbfb7a74fa78cf0648d955a6dd7a623921ab096e5708c71fc0d4756d5272ba314f961a7a00a4b0a630d2b697e29d40c

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
73KB

MD5
48c335553d3f5dc19306321d4dcb6480

SHA1
ad3614e4c37067bc2e3af4391928e9a0eb5da677

SHA256
b0558c0619165589bedbebfc6719ba799333e7799ed92b0e6d180764f18ff1da

SHA512
8bc92f089a61f98c6267561e594c10a6fae12c18496afb45c7c6d654daa87a77e146e249bedcea9b408df74c858fd6693ca256973e1058e035ff5bf68c14054e

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
73KB

MD5
3b3dcdc970dcea7c0995278b3f02fe1b

SHA1
d66b46c8038cd1469123f8e368b7a21a592d3505

SHA256
9d51a9d80a0107f790fe3ae85eae865b459ef2f2086486b5bb508e6d37f67a13

SHA512
cb496f4dcd8b1d3ed1d14fe4afc19853d7a300744902a3efff39bd162534019bd170b4df95bab09b047d785efe91aa6b2171a8a69d66c5b947eab2b2b7e2cfc8

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
73KB

MD5
d5b656581e27d4e05421062790625678

SHA1
c1d7dd68c5f456975472915e2acaa754e69cb537

SHA256
382642ecd336fa82e580d4a13d5ced3f3d26afd5db66e26499d4e1a8062f8ce7

SHA512
043434f4e560de8ac575e3afc9ab6e04080d0fdce35658030cba61b4706e34811ea6b7fb22bef445194d24357fef7d2ca84d33f67760f9f541d8a0002261629b

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
73KB

MD5
196643752bcd74583a715365ff10092f

SHA1
4b6823ec0c7099c898588895df213be5f04ae8b8

SHA256
6983fcbd28922ea5f9bf959e81de051f8be29222914e5acc26c2f1fb1836a398

SHA512
5acd5793ea8a6c60785304b2a7d04ef0ed86c950a6d2079f0b0d35e71b2f4a2bcb6be2d21f54c666179b312f93a8e064a380a10eb2e61d3ae8c3e1d26f2fe7c9

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
73KB

MD5
1b9183dc8ab4b2d49ce48ee330736992

SHA1
66f767f8eeb3ec311a29ff392abd93171b43aae3

SHA256
5cd08e49386cc3b42cc871414157f0f615a0420f83326e28cc95a2408512de74

SHA512
8beb6f4ca29e24f7b7375b26a16b9849b09354bc0a943a7774eb8ccb7c423a820826102fa9e6b1fef446116303053b7d02293258b4b8cb62748eb4c164c4ca2e

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
73KB

MD5
c6847801271e373062848a1ac885c48c

SHA1
46f5e370e7c80962450be954ed0035aff565dd72

SHA256
c9f9b6ae698d54465eda5d9de1e92e2078253dc608f1a33d0f56f1c3bfa9b7b1

SHA512
aa9de41fc4b2e833191441015b58a8ba55e4aaa312c0fa5b46bf41d2acf8ab27965b7bd650e38a144013ec77beba484167163669427f9317df34a69067c50a03

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
73KB

MD5
936cce5e1ae0886d5f9ffe74af10ffe2

SHA1
a2db69c10a0ed98a3b58fc993911000411366c64

SHA256
15a695c8db5669ae7edd0cc9068ea764d141e0851c9b44afc7b9e7abb6c4f5cb

SHA512
961d6845c5f4175f2f789d39a1436d25a6972f620cebceca14498372f28b9db04834a71c0316ca243f27da145caac60edbb91a80ea1d39b68eb1842ffb65ce2a

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
73KB

MD5
c79ce4d4aaa3e2f66526c2213ed0f11c

SHA1
35247bc5257cfc54399179bb64e5269cc79ba47c

SHA256
a901e41874602b080e40b4d53875f5f032b52da5882b1c4be15819eb4e5a4400

SHA512
e462f2043a4711496233f6e7305b4602af43590b6a33cb9b579924cc701d04e6c035380e104e61e4754240d363dd865f55a530f68cc0ea0c9fdf234907e7b599

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
73KB

MD5
5b191fc870c824196cac3c657106ec39

SHA1
eb77a52faa8e293a5a3e773ed833bfa800aeb40d

SHA256
48c615842e5757122880e5191355e3ef4feb090b9ee1b84e1130754a67f65340

SHA512
0d573eecd890be1819a37ce3470ebb17402f24b1b5eee2ddb0bd86734c2065898310da8309951eb370c2bb018bcdbae7727ea3a2cb0abfe1d45954c3c5dfd94f

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
73KB

MD5
7ad47eac145dc7b1bb4f580f833f1203

SHA1
bd6663deeba32023cb2c6c4f78b4a8876280a7b2

SHA256
bf4fc25e90a6961bf0e012f69dde3fbc3b66d59e57bb30d6195812c9f0974001

SHA512
b8e851b222eb46ef95a40ae0c8731382ae735f3be16132a4050cefcaf4e0ede89625523ab5973b336f5793cee3c0c3bb8f0f07168b5112544184ff47c22fd77a

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
73KB

MD5
8b5064e471d6b78cfcd4e413f450f3d5

SHA1
ab214d6d315bcd0025a683c53a78a58c3f3c0984

SHA256
f104ed433865af3066feed26aeadc220cbf64c9625f7fd7b2973c3e8b418db8a

SHA512
57787f8366a3eaa6b6104bac55accaad00776c9a21fc5a59396291d5159e6fb4879d21c02e005e644f16a7540759fd39e6c6a83e4484ae450602874544b58e9a

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
73KB

MD5
89477ab75ecfa6f18f77a266f24a9364

SHA1
f41ae46cb8163cf898b0a68500187a6b50ae30f6

SHA256
e711a0cfa46bf0250c410de1fcb4e3f79f3235372afff86bc9cf08fd59935ed1

SHA512
fd159d2fb51d3bb135fd054d2594dc1c845801cd6600444b575941417a1164998f58417dfa75c8fb358f1b41905dd5d7ca57bf2df1f324e2beb60f4e9a9e679f

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
73KB

MD5
b20c905e118d709c1968ad50e444598b

SHA1
fc0464717628556591a0ecf92d51dc0677a12d38

SHA256
9b7a9ed64e04b4a185d2a828060c6584c902f374c9f246c27dff5d97e9618fbb

SHA512
4435c9406556bbecabad4467d5030cedffafb3d67d94a7e3c7a3beb7ea16c793cfc50fccadb75fad4e963b0df80c0fbef21396abc1fa8246ff9f5dc1ad3c34ee

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
73KB

MD5
65dc03d27098ee3fe965839be897ffb9

SHA1
18ea079bcc9013d18fcc46846f9da7bdafbb522c

SHA256
2d19271211acab86221d00f3821c741df4c80bb3e14943f3a334a4bcea470a2e

SHA512
b483c53b6d78a36b58d7b93f499840c715f33620d79604d68e0ec8fd978a6963f777498ca72b532b6aa80f82786082ad64dd9cece284fb507ccea9520149b493

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
73KB

MD5
af07d270fce7ae89d9dc0e1db457eb88

SHA1
6811fa6be21196d2f5642957cc20cdad3c118edd

SHA256
8047865714f81ea6bffbf3c694fb9bf8d5e26a9866ec787e43e7785fa3b8dcaa

SHA512
845e061b3b49cd964363f93325367a6abc97653806044c5224ab366d7b92d9487b241112ea9162caa1bc959b204ee9ac60f3c7d9eac434d6a8ee08640b16679b

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
73KB

MD5
26f0b1255915a48285edcf77e465f9fa

SHA1
b2526562e46c0659ae60a44e64499e2ce3c7d582

SHA256
443a5708cb5cb275c812f0b34f66ea4992611b41fe7ce2c7bf6ca984b3ef1176

SHA512
c0f85eb7e21b8a869b81ba95c0979f693aabd53d8411d8dbc466a0ae226812f0bc6e22236cbfea044b85d7d9a18747151e3ec4da692abdbf57ff668b0475ddf4

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
73KB

MD5
ad1cb29dfc3caf6088b29c2cdacf552f

SHA1
27d9735b9009fc24445cd42483c59c6bf6728dbc

SHA256
613624d48be00dd6d1f5e960622a54a4bb0b4d57215fd78cfb5d9a4137fe88b6

SHA512
23236d7585a06b48681b4ca468f521749978387f8555e9ec5d48e41bf718f3f37c3e892e89b78db754228b6eeb723177fb1857868d826ef374c8ab1c588ff4d6

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
73KB

MD5
10b95f4dd6dfe2678e8f80d38be99f6b

SHA1
c3c350e00e2155876a90eb8af84d902390f9a059

SHA256
d5ffde934c738334fbc74d73d49b7490af0d42ff1f08881aacb8bd307e90de6b

SHA512
683cc4bc069124663c04ae9bf3b94c568f28f7de9c56ba3984c0de11b8cb93a9dc75bebe864fba65fe2cbb816cc60577b2688dffc6f81448d8db51cbb0248ce3

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
73KB

MD5
f04c7c855b5b9fca0dd2bcd873856bcf

SHA1
be81634deb1b75cf82631aca9dd69357dbfa7f4c

SHA256
144df26ee71b36e5639f3eba7e383ed9baa6c7e61c2423352d61639929de2160

SHA512
359630dc3ef18ca7c97e323be7c26a0bb7eee3e4dc1e029f3ea3d98f9b419f60255d3eea6cc935ec9306bec7590e3934747740bb48e46a4bd4fa2bbe85d30b96

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
73KB

MD5
e8a0ae4c7619d64688bc60d5e0ffec31

SHA1
8a9fbbc33952925c07907c5fa1c690b76b844103

SHA256
f39176c2b4c35a58a89f06a389c3f164b36c5d50e5f9a4a4b87899c41275f6ad

SHA512
826eef2e7810069d157622ec7d223b016105d2f6c597a8d5106522ca9bbb4f303af91056013d420f364c35a231ef3e73058c98cfd7b5b5c46321f57b9ee36965

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
73KB

MD5
ebc83cc1f6879e5d5403c2cd5fdd149d

SHA1
665f261fb8998575998db5884fcc1c7d5059a453

SHA256
afa9114882688a39d372f82c23acc33e4f685f2a5016e63f870f1498e899bb96

SHA512
39f59b84b9d7eddc08f4710ed54e2913c1eff384bd97cc59076ee5b2d7d89c1f2b347db6f77801b7c4d78067d245613297984f4a88c3867bf921dc56a39bc738

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
73KB

MD5
14f6dcd0a06df8423288aad63c4abe2d

SHA1
2980be579a8076ab615cbcf8f1778a60cb0aa190

SHA256
a049d7d2a59c31fa68077fe3976d6da102a404e827eb0c2a3eb12ff60f8388c6

SHA512
84a66cd011bae13fe716229e0de6c78faeb7cf9093c380bc8765777cc2a96d8fd2293273811541e922d96f24fa89cea668031366443c3ebc59820c5a1154fa2b

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
73KB

MD5
2a4c2d734e8aab35bb97a01ebf971e2f

SHA1
d494bdb5ffa82693c0cc3bbc1b7fc77cacf52088

SHA256
b635f3ac2fa09786b6ea9f14772d26e5bc1e2345061d9441d741f04764cba58e

SHA512
705d00538ad1b643495e4672df4c2895b268124be5c62dfd1d3a53f4dea16e047be59fca8eaba0c70140f836e751c360c30221f92142d41791859e5043413851

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
73KB

MD5
05d237da7ade9069dedfb3c5b434624e

SHA1
a03ddc19d0f1a79949999348c48bbf692ed68c85

SHA256
209c7013ce25c5df7ecb8602e300ed3733ecf0ec84b206ff59a77d2225243ec9

SHA512
3571945b32707cbba74b6848144adb854ef37e03c68ae60d79f4e2260ba518416bbbf7596b3262829ab62eb41d1c541a60d4854e038b8479a1f8509cc492158f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
73KB

MD5
d0ad853135821618d9234a48fa698603

SHA1
5fe28eae875e547018e5068d6ef04f3e10dd9c21

SHA256
95431ac78dead637def9f7d6dca35124ec77624bf8273d4332bf13cba2dae441

SHA512
4885e585a06422eeae2318825e0738e8ba392dd83437d6ad30134d2fb62ca60e7a2ff614371abb7daf23a9c9832ffd83d9884141ee4c78480d7b8f458761c8f4

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
73KB

MD5
af06f257549816ddad24423db6399a01

SHA1
6ff2f4962eec217a7f332101b6ef4c343a269198

SHA256
25705d5869542d58abc1f5cd45fc36b775c1f83c6e7e875a5af527357f7d39f3

SHA512
45a64a135c14a458355b15d2b8df5a6ce8d2b4c4ec1047b5709ff81d46771c6062a45daa73f2b79a5303e84ec0623f72a1ba9624fbdd00d003ca6e1be52c0bd5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
73KB

MD5
03b6fa7c70a625645b1d6f73c3ca674b

SHA1
0c063f7a1b0db4c509fa2707f7fe180c3c3f9ed8

SHA256
186f78032d1a8b0ff97422c0c0fa58e4e0d4bf7edf2b152e5f8e515b1f8e8f1e

SHA512
131a39ade076ecdf0ac8f58262db71da0166b2a3145642bdb8172f31121d7cfc12770a1c850860d1311c1b40a48145207b604d9784794f331177b20f913f80ec

Download Submit
memory/8-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/100-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/380-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/972-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3172-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3496-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3808-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4744-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads