8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248d

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Size

96KB
MD5

9dbdb2eb884d55c546458d89058872b0
SHA1

285830947fe82d885eb569a714ef632963334f25
SHA256

8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248d
SHA512

c1b866e67a7ae191cca3e280e2826337f686281b7c917f7682f99d684fe29ab7033004aea794702598370cafd30d60ef1d1028623bbc5964341fb7b68346547d
SSDEEP

1536:tzofGpvXZDl+JAmz+vfq2pY20iQD2SuvYnASRK8H8OM6bOLXi8PmCofGy:K0xxtvS2pY20i7YvK8cDrLXfzoey

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijce32.exe

Executes dropped EXE 37 IoCs

pid	Process
4892	Mdpagc32.exe
2332	Madbagif.exe
4984	Mlifnphl.exe
4556	Mccokj32.exe
2836	Mddkbbfg.exe
2184	Mojopk32.exe
1784	Mdghhb32.exe
4808	Nomlek32.exe
4072	Nchhfild.exe
3884	Ndidna32.exe
512	Ncjdki32.exe
4504	Nhgmcp32.exe
3696	Ncmaai32.exe
4600	Nhjjip32.exe
4704	Nocbfjmc.exe
2564	Ndpjnq32.exe
1228	Ncaklhdi.exe
3304	Nfpghccm.exe
4284	Oohkai32.exe
3060	Odedipge.exe
3716	Ollljmhg.exe
3816	Ocfdgg32.exe
832	Ofdqcc32.exe
1268	Ohcmpn32.exe
4580	Omaeem32.exe
660	Ofijnbkb.exe
1592	Okfbgiij.exe
5024	Pcpgmf32.exe
3536	Pmhkflnj.exe
936	Pkmhgh32.exe
2992	Pbimjb32.exe
4444	Pcijce32.exe
1772	Qckfid32.exe
2328	Qihoak32.exe
2500	Aflpkpjm.exe
2612	Akihcfid.exe
4968	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Mlifnphl.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Jdaaqg32.dll	Ohcmpn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Nhjjip32.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Ofijnbkb.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Mdpagc32.exe	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Ndidna32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjdki32.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Mccokj32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mddkbbfg.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Oohkai32.exe
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Oohkai32.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Acicqigg.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Ollljmhg.exe
File created	C:\Windows\SysWOW64\Encnaa32.dll	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
File created	C:\Windows\SysWOW64\Pdgfaf32.dll	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Oohkai32.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Ohcmpn32.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Mccokj32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Mddkbbfg.exe	Mccokj32.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Dlqgpnjq.dll	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Pcijce32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Ollljmhg.exe	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Ollljmhg.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Mccokj32.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Nhgmcp32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Mlifnphl.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mccokj32.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Oohkai32.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Pkmhgh32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Madbagif.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Nngihj32.dll	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Aflpkpjm.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Pmhegoin.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Nomlek32.exe	Mdghhb32.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpqko32.dll"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhegoin.dll"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdenofm.dll"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioldni.dll"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncaklhdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4892	4540	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe	89
PID 4540 wrote to memory of 4892	4540	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe	89
PID 4540 wrote to memory of 4892	4540	8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe	89
PID 4892 wrote to memory of 2332	4892	Mdpagc32.exe	90
PID 4892 wrote to memory of 2332	4892	Mdpagc32.exe	90
PID 4892 wrote to memory of 2332	4892	Mdpagc32.exe	90
PID 2332 wrote to memory of 4984	2332	Madbagif.exe	91
PID 2332 wrote to memory of 4984	2332	Madbagif.exe	91
PID 2332 wrote to memory of 4984	2332	Madbagif.exe	91
PID 4984 wrote to memory of 4556	4984	Mlifnphl.exe	92
PID 4984 wrote to memory of 4556	4984	Mlifnphl.exe	92
PID 4984 wrote to memory of 4556	4984	Mlifnphl.exe	92
PID 4556 wrote to memory of 2836	4556	Mccokj32.exe	93
PID 4556 wrote to memory of 2836	4556	Mccokj32.exe	93
PID 4556 wrote to memory of 2836	4556	Mccokj32.exe	93
PID 2836 wrote to memory of 2184	2836	Mddkbbfg.exe	94
PID 2836 wrote to memory of 2184	2836	Mddkbbfg.exe	94
PID 2836 wrote to memory of 2184	2836	Mddkbbfg.exe	94
PID 2184 wrote to memory of 1784	2184	Mojopk32.exe	95
PID 2184 wrote to memory of 1784	2184	Mojopk32.exe	95
PID 2184 wrote to memory of 1784	2184	Mojopk32.exe	95
PID 1784 wrote to memory of 4808	1784	Mdghhb32.exe	96
PID 1784 wrote to memory of 4808	1784	Mdghhb32.exe	96
PID 1784 wrote to memory of 4808	1784	Mdghhb32.exe	96
PID 4808 wrote to memory of 4072	4808	Nomlek32.exe	97
PID 4808 wrote to memory of 4072	4808	Nomlek32.exe	97
PID 4808 wrote to memory of 4072	4808	Nomlek32.exe	97
PID 4072 wrote to memory of 3884	4072	Nchhfild.exe	98
PID 4072 wrote to memory of 3884	4072	Nchhfild.exe	98
PID 4072 wrote to memory of 3884	4072	Nchhfild.exe	98
PID 3884 wrote to memory of 512	3884	Ndidna32.exe	99
PID 3884 wrote to memory of 512	3884	Ndidna32.exe	99
PID 3884 wrote to memory of 512	3884	Ndidna32.exe	99
PID 512 wrote to memory of 4504	512	Ncjdki32.exe	100
PID 512 wrote to memory of 4504	512	Ncjdki32.exe	100
PID 512 wrote to memory of 4504	512	Ncjdki32.exe	100
PID 4504 wrote to memory of 3696	4504	Nhgmcp32.exe	101
PID 4504 wrote to memory of 3696	4504	Nhgmcp32.exe	101
PID 4504 wrote to memory of 3696	4504	Nhgmcp32.exe	101
PID 3696 wrote to memory of 4600	3696	Ncmaai32.exe	102
PID 3696 wrote to memory of 4600	3696	Ncmaai32.exe	102
PID 3696 wrote to memory of 4600	3696	Ncmaai32.exe	102
PID 4600 wrote to memory of 4704	4600	Nhjjip32.exe	103
PID 4600 wrote to memory of 4704	4600	Nhjjip32.exe	103
PID 4600 wrote to memory of 4704	4600	Nhjjip32.exe	103
PID 4704 wrote to memory of 2564	4704	Nocbfjmc.exe	104
PID 4704 wrote to memory of 2564	4704	Nocbfjmc.exe	104
PID 4704 wrote to memory of 2564	4704	Nocbfjmc.exe	104
PID 2564 wrote to memory of 1228	2564	Ndpjnq32.exe	105
PID 2564 wrote to memory of 1228	2564	Ndpjnq32.exe	105
PID 2564 wrote to memory of 1228	2564	Ndpjnq32.exe	105
PID 1228 wrote to memory of 3304	1228	Ncaklhdi.exe	106
PID 1228 wrote to memory of 3304	1228	Ncaklhdi.exe	106
PID 1228 wrote to memory of 3304	1228	Ncaklhdi.exe	106
PID 3304 wrote to memory of 4284	3304	Nfpghccm.exe	107
PID 3304 wrote to memory of 4284	3304	Nfpghccm.exe	107
PID 3304 wrote to memory of 4284	3304	Nfpghccm.exe	107
PID 4284 wrote to memory of 3060	4284	Oohkai32.exe	108
PID 4284 wrote to memory of 3060	4284	Oohkai32.exe	108
PID 4284 wrote to memory of 3060	4284	Oohkai32.exe	108
PID 3060 wrote to memory of 3716	3060	Odedipge.exe	109
PID 3060 wrote to memory of 3716	3060	Odedipge.exe	109
PID 3060 wrote to memory of 3716	3060	Odedipge.exe	109
PID 3716 wrote to memory of 3816	3716	Ollljmhg.exe	110

C:\Users\Admin\AppData\Local\Temp\8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
"C:\Users\Admin\AppData\Local\Temp\8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\Mdpagc32.exe
  C:\Windows\system32\Mdpagc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\Madbagif.exe
    C:\Windows\system32\Madbagif.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Mlifnphl.exe
      C:\Windows\system32\Mlifnphl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cifiamoa.dll

Filesize
7KB

MD5
a8582803b8bf87c1fa8e0619f75ebe8d

SHA1
8f687101fb31511979fce4a9e676b3212f1d08ec

SHA256
a49865de6105e006053cbebbe78d88bfc240e5e20419349eae5f0681debdf417

SHA512
c562c5e5a6d9d258ec6208404d2643f8260e3c202f6b7871cab76709234590079f584926f48c018daa37bd31e2f9400bdb0c6c808a6e29de1fab529511656130

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
96KB

MD5
6ea6a1820f7e91c6d32f82e6e28ab2e6

SHA1
c58691adfc6755473ed4b8e2205e7cf28e13c185

SHA256
c409ba73d4ce90a66bd03da9ebfc149c0ae2121d73c2ef6ad81049fe91725740

SHA512
dda4d343b509fae45543aaf63b4cfffd9979795c9f71bfcd5beb131ee89b004b22d939ce9e9f2f74defb16fd68a43b1ecb20a6a33ceb20969d6d48610fcd0f87

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
96KB

MD5
2257dd28072fc37bc0791b95badb9b29

SHA1
4c0b5d1eece984d2f689355c9b7c01fec5d380bf

SHA256
05c8583729e6dc24ba6765418d506986a512cc3d3f2e26f1f9fc70b2a7ec2e37

SHA512
2bf56e3404d9df4868f9a312e97350d1724313b4c5c4f6dfed502e37b1374df6f47ecd20ab6b1102900a3be0e21edfe04151d290314b4faa4e920399a193edfb

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
96KB

MD5
d5c25c515e81e594488968e710ffd4d6

SHA1
6605ad1861bbd75b75cea29674ee61ad79c1cc82

SHA256
3c99c995d7edbb3a33fccc42c0fda1e0b78be9bdbe27a7c78eac5e4cb4a022ba

SHA512
09c9fa3b288e5129ec1bf8bea1942876aa4e67b4e912e9727ea5f5830db5bc5f909a01f044e50a5c602273052cab86c51cde4129512c3fd7241798c9da94cac7

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
96KB

MD5
eedd94a76dee2579e180d81e4731f633

SHA1
422ea53d4d190567d8ce351cd06e2bebffaa3394

SHA256
5d2ca353e7bc43330cc861158bc6d88a1e35094dc446e8d4a670206a221e2ef8

SHA512
a91b668416c78d81b990a2b24bf575a8d3bc1682374b3dacc6616d3eca09187611e25dbef417b64f40349aa34921c9cf17927a32a72a0b2898dff5d3ee0feeb3

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
96KB

MD5
e3f4aa07fac7f63f4db7fb4a065033b9

SHA1
93d9fb23517b260c4ac8a052e4a459eb369d9bc6

SHA256
5b3b479489a3bedfa9d8ecb6e9e6f5cd99359105432e487d3843ab0d61051732

SHA512
a2941eb99370e931d768293708b00cbbc3d7f4b218e1706abe801a8bf8664cd0f687a7fa59df68941b0105236004d99712a4979209db8d0a4fec3c9af6b95605

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
96KB

MD5
f820c00673cd7adc2e6a6b403782c580

SHA1
2013a27b43bab0a94942270924e2fd906c1b6de7

SHA256
a55d9cbbacb0e2316ae38492ae3e8e6b4aa3b60e338aa35bf24df7a7022bc946

SHA512
3be1bc2373874c539a9274bc7c592cbf769eb37142d7ed6e7413873f28f2b122e5c72a8529645af4d74f60cc9e13a53b354286c016c02e1e3407e8460acaf93d

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
96KB

MD5
33aaf52835b1c228110ba44a9c2fbf7e

SHA1
7fbb4e07f3d2ec0f4a8ddc1b95d77dd566be4c80

SHA256
2361b71a56d113ba2e174df4de18957227df92b26eafa286dbf155ce9fa64481

SHA512
bc9f8eb5d6d657fc556902b8a0baed5eadc8942ea7d866a5c84bf50f85d44cc7d9b2d550579cd628e6ff4917a9c156e58482ea08198f3b58a7a73ca2924ee906

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
96KB

MD5
9b8c9774f9dcdc3440f44c7958804b37

SHA1
e58249bfdeb4cbc25bece900cb75bd851e6407e8

SHA256
5b86d4f4816504d1352575211ceb2a16f84a90c55dc6f24bc77fd622a2dd98e7

SHA512
2e2fe8aad5bf68b6eb78164ee7bf9c3fadde16e6a7cf52b8e6ff966f2e55c7e9db38e48155e319ac55b8f75ab15ee69023fc1907e8af3e98e2c349ed4a388a5f

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
96KB

MD5
72084178ca42d9f3f5633105ee946bc3

SHA1
ceef1630e8038c56fea27c88ee2672e32989992a

SHA256
2270697733e93b45ec973535be8c97f7997c847b0c7fb0b6b1cc8fc680cd7268

SHA512
e8caa05e46fd1479767262497c5d3a298147f5fabceb3e3dad158f58074a23d52750b046882764816012bfbc6b3b16977013e84707875317b7a0351bfc5113f9

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
96KB

MD5
5b293d014aedd05ebeb1d857a8a7c693

SHA1
de06ff92f3f30d00a1bca450ddcaeeb37f7ee025

SHA256
5f902352dfe5ecbf0a2fb7f3edaac1e19b7e0763816a075d1084fbe1938adcee

SHA512
d02fb69309c7dde49adc4ec4f2e49605d30d14762c95c15220e077e50b94ef973d1b95e6e3697ff145d5532909961b9f354fb2a828e9017e7e613b05d33db16f

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
96KB

MD5
4cc0cbaa8e473e305a6cce5c9eabc73a

SHA1
5e8c9aa36720fc2c7327622b6bcd619e5136e781

SHA256
42632e86384b5b439e90181716dd20c23c4118a03cc17491595a5f802ce2bd24

SHA512
a6737a5fc0d0cc793371f994835609b2e4aff34750a319347298e97f6c84c6cf5a8bd756dafee0fcefaddddc363fc6ad5472b7bf648d3fdd9dde455df2b1893b

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
96KB

MD5
432b422cb85fc23fc62d2ed3e410408b

SHA1
e6bab93b0c5594f7454e2256756106cb24723264

SHA256
0a650e0eb425d98a815f166ab0602dd5f5dbab5853a27783541193043d984ac1

SHA512
9c6896e0cf41ff193ae3b5e1f58cc454b69669d50399ab41172510dbd0b12c22080a04a9286f3b7763fb837d3f60d6126ccdd633fbc3eae8cd16cdce93211f90

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
96KB

MD5
3c9f6449e4b28ffa377244cabfbf0859

SHA1
6b0e1947edc1bcbbc45f6b529230584fec620d28

SHA256
4bd37f21ac12f37bc516f3e736aac7a9d2d440a93ac70213aafeb0a8edec136f

SHA512
65f1f0d9d40dab5e37098f032eb80a771f328de6d31ea735a78516df8110b7d09b475d0ee503dd750861299e5c751b1e6a7658735215d887519ab95390cd8b4e

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
96KB

MD5
19d5b034a0fe310af69254a2bd10bc54

SHA1
77ec40fc74087f771abbff68f66b4cace9e040d0

SHA256
e096ef0d53bfba12dc64b1160820609ba427089b5c136d3352d97bb9bdae2ef3

SHA512
33e8a79d6aab53e82c48790cb3825c3b22cf87b7a1e31d6a75e4927d7e2fdc55f88b69517c8b74b4b5324ab900a6f4ade797468afbc3b02386569ab9613a3be5

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
96KB

MD5
e1ba964905f17bb8960dcd56d3f2b42b

SHA1
6d4f4b69aa9bb7475134238b0f0052503c82c3d1

SHA256
b54f744d95b357e063535ec34bc6c1c96be90de20c3f9d1708d63ba29ee9f948

SHA512
25105a74162a96dde2dce15b8076b9e62e87ee234ca86e75d177047c6a7dbe019dda423ed3f7668ab0920623a72811080fd0cbd3ebe43a51e4d65a8777c04eca

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
96KB

MD5
a424d7c628cf27a6fbdc99e7a677bb73

SHA1
f53397948c50dda2930b69efd62ccf469bb35b47

SHA256
d4540101b876a4360b639cfba303f8a4f6545cd67d6955b543c9282b5f8468ca

SHA512
4e93119dfd5b43862f974005908bf6bcf24571fb853a8874476b74ce6d971b47b38bd784f658e98f57399c1709114218a23b82960d3de63c63fe12165b860277

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
96KB

MD5
a9e43193a25447ff1c3a11b4d926ab40

SHA1
f49d9a7cbb94c2043b202903f930626e20e821ac

SHA256
e71c6c45897a17e05bb1ba23a2d8a18c7df55c5d70d46003546c7f205b1456b1

SHA512
dd836ea357aad804eb6f47522d15554f2b4e334fba541c0fd8dc869a7706ff52f8ad2ce9c2d16121eeb36324c93e4984d71cd66ee467dc2a4c70ab440b0154ef

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
96KB

MD5
b2d558f2227dd6b08dbda4ebf89794ef

SHA1
cab64f5f5df6ea400e367240696b11fbd17f349a

SHA256
8cd5a3715a10f5973e764bfb80a77d899475932171f0fa4fd5285a8083840e7e

SHA512
2fe8473d65e8a5344dcefa5b7ab2f64417c71f3ae6e73a57428c6e058bf41f86984c5883249c9d7486fa3567b5dce2ff5befa60d6f933da6af33ef4c8999191e

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
96KB

MD5
d2d8f9cd72b9de834e0eb75ff8d39905

SHA1
fd5ac0b77ae6f011d796cffca262e2d8a17b963a

SHA256
f8f67c4c2686bb4c012bec33218639e03caca230839489ee7f8b8efa7b371ca2

SHA512
836b00fd16d574314875f0338fc69498b665e3b4dda5f70b6b37e5529a0e941a114fa7795d14a30b78d25b73b149cd7875260f967d00a103a9f82e1b2e4389c1

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
96KB

MD5
3d121163b6932729535c805a3ef0ecf8

SHA1
76b948c62b1f2476ea178258d5ff715a83760d1e

SHA256
8c40a46ea9c87f2621fa02fb27ac466d3c8a19314cbd62f443d858dad837019e

SHA512
ccdb0938427ebf1a37fc00c8ea3819e06e548a2b06409b6b6b32c672f36180da25392953d205d0b9dc6983d220ffed94ae84b8e315efef7d41610e6b2341933e

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
96KB

MD5
be931e0ed90c72413e3e2e14ef7bd611

SHA1
ea8e9a2bdf46d05a4e38d8b23824b44352a96684

SHA256
13e91138b98e94ee6e9ee580f37ec0320e8182b0d638323818f0a6a22ba2ff65

SHA512
c899bfe86da9b3f38b57f01a0d4bd6c96afb77fea49f7f5cd6cba0d0a5bcd11384e5a9e11f1e294276ea06cd9ae8dce0ce53dc0fac4c271238fd7ae8eb135787

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
96KB

MD5
77ddf649d4172bcb269ffe425d849555

SHA1
4d0b33dfc1d39bd7bc9a83fffe548ca2d5ad6e65

SHA256
58a683c771ac19cb19b7e45876690eb4a6b79a20dac5dc294ebdaddf077c4476

SHA512
252d82766477a740892f9feb15246713bfec12d354d9f3782e6726375b2fd450801a47d10839ffbc459f71fb41365258d72d94c4e70b314b692d5e97f3b2305b

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
96KB

MD5
2e738fa37e33ffcaa3ab7834537b4032

SHA1
4496ba9caf82aac9aee477c6a4112a6f29e54af2

SHA256
8a9bff483e2d841ebeee0dcad753798ca4f30a625c60d917296e9024d79cb721

SHA512
078794a59d290a18beef6721255edb6c268bd702a305a8ba74fe681cde8477af51b32fe5dfcae26737220f25f6a91198dfacfc4f49eae2d658b987f4a90ce4cc

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
96KB

MD5
32cbf64bca35c222aad446f17c7f8aaf

SHA1
45580ec24476103bec9e794301a3be4b7a166870

SHA256
21381d20016b1545f5b7e160318bf4aa8c7f033a2ac65725a742f573de743422

SHA512
51b669832de01f253f4eb51a7a027cabe1b0621c9e300d30f347d7ec1f1271427470ea92abc90da9c77bd874d3b8c98ae25a3109dbf9d4cb9afc050b07171327

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
96KB

MD5
e92febe6c97d76cd9f3a98aaeb5276c1

SHA1
d9bbaafaaf203cbe2eac82537e311eab84dd5b68

SHA256
6cedc9aca1038f1fa9e889d6f38416de5d722b592940036d1cadeda1cff78f38

SHA512
37cf618ed8f074994d1fe486a1f55d043a83b91fb9d31bef3f3135d3c95a31c28908782b6ef5966dbe02a3e74bb0d70478eda6987d9eaeb35881b608f8730ca1

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
96KB

MD5
5dfaa896ec6fbf6928289fad76e497cd

SHA1
bac597a89bb9860179507005be669414b3038963

SHA256
7e7ce4518b44918a7254a2dcb56c1ca37477fb1b5b7b8f21585d09be53e74240

SHA512
a55aaa26be866161016511fa871f0ea66cdb0570ca5c16e569c58ad95563888fffbd0e17673454a0a724d52ab75539dcc8d80eba39bcceb038690d6bc7651c0e

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
96KB

MD5
f9da660fad9504d48557369f702cfb65

SHA1
4d977f1bc870a67d9d56f0b573f41d9d365a2c44

SHA256
c3a4290238b79c595973221a0ece02382cc05b63b40ef7bf60ad6000037b99a0

SHA512
7f93daf51a5b70c78dc0fe953ffef6bc6472252bee6d6dbee69e641e8e598c68f2f9fa2393793cd04b16c25bb38b7ba6ae26e8ac523aaf0388a3fc85b1554753

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
96KB

MD5
06b019207649df2ee4c0f66c1ef89dd5

SHA1
e9a37388aae2e52ded20e535b8ba77bca131d7a9

SHA256
61015f2315173fd4ec1883d363a6f0729517f9fc5eaf8ffbaa40c415a2607c32

SHA512
4ba6896ad68b10b9b83e32f67f955c42e22f490708b37474dfd7d9b88b918e9173aa18805286e90d3e55122f56839e2eba3155758a73b4a774a863b8c2a18c5e

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
96KB

MD5
e6a7a0b76702f0d3681b8ffda1fc580e

SHA1
ad0f4b080a17c22c239469a1873d34f188ef3c80

SHA256
dd7e5fb4056f7033fcbfd4cd92515c04b917f32c72fe84db724869be53d97653

SHA512
254a039ee26cf05f95b96a54a2cccf345b385744b54e043c0ca2e418fd8397c5bcab554b77a2288593acc33b40de6b0738004325058557ae666e30132b800069

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
96KB

MD5
cbed3195e1ad47e9e65c75f8f071e838

SHA1
21c8df770b8d4ca2cdb0c4007a228d111ca3b8c4

SHA256
58906f7bfe4cbe3d3df4d541d7a32d18b2322ac6b83fd80463e64bb0312a5a85

SHA512
78e714f98d69b299465010daab0e569feb5f0b7da7f1c4ddde828faeb5d44f0ac4dfd1ce80c9749bd35b2b09886b996448215b3856dd9180ead96fe38c20563f

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
96KB

MD5
c7d430d54dd4fe3659156b030dfaa1f6

SHA1
8a7ce9f45a138cacc75fc7b7b5fdb0eee029e769

SHA256
ef8f1d7f6ab62a400d6f720076625bc88f83881eb3ba264eb7973727d5d4fe7c

SHA512
4cf77a06ec6e70e53d6408af8b8f2b84a9db0429e9574d156d5917970abaedc285ef173780066338a11b12b467e84c84ba00c8bfeb810fc8c64e8f50bfb63b08

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
96KB

MD5
b25477003c34eae4db6bda6e1a6b3407

SHA1
a69e1d46d6b67ef1af2cb03d427a2d61c00d839b

SHA256
96e6432a96c05efe619ca917a5436d7df331f8eb518ed1daa35ea90e60a738bb

SHA512
715e2e0d332ef4418947cba063bd45cc6f76bb1f49f6e86e40c4942b714b12514feaa994711ded4e60902c53e93cdb747bac72a637cba6cb83f043fe3b8b2ba1

Download Submit
memory/512-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/660-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/660-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1592-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3536-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3536-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3816-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads