f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
Size

64KB
MD5

fa10f2a8c6fd483dd4eb5cd12a514a1c
SHA1

e3464bd4c5306e1c55713bf625b3d7fc6c189966
SHA256

f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907
SHA512

af1541742a69d18b4afbd8362a6621ee166d6e918081e78a6e1a806741133db13645622b5ff0083d4747c2ace881ece0f9593004e7feca749ccad148415f88c2
SSDEEP

1536:WrX3VMxVTbpG7WVOGUbVIx4SUXruCHcpzt/Idn:UX3wdsWVzUb6xZpFwn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe

Executes dropped EXE 64 IoCs

pid	Process
4956	Ngbpidjh.exe
3768	Nnlhfn32.exe
1488	Nloiakho.exe
2656	Ngdmod32.exe
3268	Njciko32.exe
3100	Npmagine.exe
3964	Nckndeni.exe
3992	Njefqo32.exe
1464	Oponmilc.exe
2916	Ogifjcdp.exe
2336	Oncofm32.exe
4836	Odmgcgbi.exe
1552	Oneklm32.exe
452	Odocigqg.exe
3976	Ognpebpj.exe
2344	Onhhamgg.exe
1492	Odapnf32.exe
4068	Ogpmjb32.exe
3576	Ofeilobp.exe
1968	Pnlaml32.exe
1428	Pgefeajb.exe
4648	Pqmjog32.exe
1468	Pcncpbmd.exe
744	Pqbdjfln.exe
3132	Pgllfp32.exe
1868	Pmidog32.exe
2056	Pjmehkqk.exe
2460	Qmkadgpo.exe
4684	Qjoankoi.exe
3704	Qgcbgo32.exe
4396	Ampkof32.exe
4564	Ageolo32.exe
1828	Anogiicl.exe
3888	Aclpap32.exe
4240	Anadoi32.exe
1532	Aeklkchg.exe
1140	Ajhddjfn.exe
2632	Aabmqd32.exe
1460	Ajkaii32.exe
684	Agoabn32.exe
5080	Bmkjkd32.exe
3460	Bcebhoii.exe
1832	Bjokdipf.exe
3176	Beeoaapl.exe
1244	Bjagjhnc.exe
1224	Balpgb32.exe
4052	Bfhhoi32.exe
2096	Banllbdn.exe
444	Bclhhnca.exe
384	Bjfaeh32.exe
2508	Bapiabak.exe
1564	Cfmajipb.exe
4360	Cmgjgcgo.exe
376	Cdabcm32.exe
1136	Chmndlge.exe
1780	Cnffqf32.exe
1148	Caebma32.exe
4440	Cdcoim32.exe
3236	Chokikeb.exe
3396	Cfbkeh32.exe
3484	Cjmgfgdf.exe
616	Cmlcbbcj.exe
772	Cagobalc.exe
1248	Cdfkolkf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	1268	WerFault.exe	168

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4956	1008	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe	82
PID 1008 wrote to memory of 4956	1008	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe	82
PID 1008 wrote to memory of 4956	1008	f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe	82
PID 4956 wrote to memory of 3768	4956	Ngbpidjh.exe	83
PID 4956 wrote to memory of 3768	4956	Ngbpidjh.exe	83
PID 4956 wrote to memory of 3768	4956	Ngbpidjh.exe	83
PID 3768 wrote to memory of 1488	3768	Nnlhfn32.exe	84
PID 3768 wrote to memory of 1488	3768	Nnlhfn32.exe	84
PID 3768 wrote to memory of 1488	3768	Nnlhfn32.exe	84
PID 1488 wrote to memory of 2656	1488	Nloiakho.exe	85
PID 1488 wrote to memory of 2656	1488	Nloiakho.exe	85
PID 1488 wrote to memory of 2656	1488	Nloiakho.exe	85
PID 2656 wrote to memory of 3268	2656	Ngdmod32.exe	86
PID 2656 wrote to memory of 3268	2656	Ngdmod32.exe	86
PID 2656 wrote to memory of 3268	2656	Ngdmod32.exe	86
PID 3268 wrote to memory of 3100	3268	Njciko32.exe	87
PID 3268 wrote to memory of 3100	3268	Njciko32.exe	87
PID 3268 wrote to memory of 3100	3268	Njciko32.exe	87
PID 3100 wrote to memory of 3964	3100	Npmagine.exe	88
PID 3100 wrote to memory of 3964	3100	Npmagine.exe	88
PID 3100 wrote to memory of 3964	3100	Npmagine.exe	88
PID 3964 wrote to memory of 3992	3964	Nckndeni.exe	89
PID 3964 wrote to memory of 3992	3964	Nckndeni.exe	89
PID 3964 wrote to memory of 3992	3964	Nckndeni.exe	89
PID 3992 wrote to memory of 1464	3992	Njefqo32.exe	90
PID 3992 wrote to memory of 1464	3992	Njefqo32.exe	90
PID 3992 wrote to memory of 1464	3992	Njefqo32.exe	90
PID 1464 wrote to memory of 2916	1464	Oponmilc.exe	91
PID 1464 wrote to memory of 2916	1464	Oponmilc.exe	91
PID 1464 wrote to memory of 2916	1464	Oponmilc.exe	91
PID 2916 wrote to memory of 2336	2916	Ogifjcdp.exe	92
PID 2916 wrote to memory of 2336	2916	Ogifjcdp.exe	92
PID 2916 wrote to memory of 2336	2916	Ogifjcdp.exe	92
PID 2336 wrote to memory of 4836	2336	Oncofm32.exe	93
PID 2336 wrote to memory of 4836	2336	Oncofm32.exe	93
PID 2336 wrote to memory of 4836	2336	Oncofm32.exe	93
PID 4836 wrote to memory of 1552	4836	Odmgcgbi.exe	94
PID 4836 wrote to memory of 1552	4836	Odmgcgbi.exe	94
PID 4836 wrote to memory of 1552	4836	Odmgcgbi.exe	94
PID 1552 wrote to memory of 452	1552	Oneklm32.exe	95
PID 1552 wrote to memory of 452	1552	Oneklm32.exe	95
PID 1552 wrote to memory of 452	1552	Oneklm32.exe	95
PID 452 wrote to memory of 3976	452	Odocigqg.exe	96
PID 452 wrote to memory of 3976	452	Odocigqg.exe	96
PID 452 wrote to memory of 3976	452	Odocigqg.exe	96
PID 3976 wrote to memory of 2344	3976	Ognpebpj.exe	97
PID 3976 wrote to memory of 2344	3976	Ognpebpj.exe	97
PID 3976 wrote to memory of 2344	3976	Ognpebpj.exe	97
PID 2344 wrote to memory of 1492	2344	Onhhamgg.exe	98
PID 2344 wrote to memory of 1492	2344	Onhhamgg.exe	98
PID 2344 wrote to memory of 1492	2344	Onhhamgg.exe	98
PID 1492 wrote to memory of 4068	1492	Odapnf32.exe	99
PID 1492 wrote to memory of 4068	1492	Odapnf32.exe	99
PID 1492 wrote to memory of 4068	1492	Odapnf32.exe	99
PID 4068 wrote to memory of 3576	4068	Ogpmjb32.exe	100
PID 4068 wrote to memory of 3576	4068	Ogpmjb32.exe	100
PID 4068 wrote to memory of 3576	4068	Ogpmjb32.exe	100
PID 3576 wrote to memory of 1968	3576	Ofeilobp.exe	101
PID 3576 wrote to memory of 1968	3576	Ofeilobp.exe	101
PID 3576 wrote to memory of 1968	3576	Ofeilobp.exe	101
PID 1968 wrote to memory of 1428	1968	Pnlaml32.exe	102
PID 1968 wrote to memory of 1428	1968	Pnlaml32.exe	102
PID 1968 wrote to memory of 1428	1968	Pnlaml32.exe	102
PID 1428 wrote to memory of 4648	1428	Pgefeajb.exe	103

C:\Users\Admin\AppData\Local\Temp\f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe
"C:\Users\Admin\AppData\Local\Temp\f60a1d58f2ce1fa3b33ef74ae3af5e573b2cf717a14acbc0db8edcf5fb8fd907.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\Nloiakho.exe
      C:\Windows\system32\Nloiakho.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        74⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        78⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 404
        85⤵
        Program crash
        
        PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1268 -ip 1268
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
64KB

MD5
46716d813f9916f51e3183f8247ab427

SHA1
d12687632e2a7014d7061f3cc48d28d97c42839f

SHA256
f67910f166210adfbe69347573f28d467a514439e45f3bde8f485e0e0bfef33f

SHA512
c97e7413e2778fd06ade5c49d4a5f768f8e14c828bdf5bf978cd4ad5ab6dc486a895fc293e8de11df832ca11b5be16d133c07cc1dd50876f9aaaa089f94a9987

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
64KB

MD5
b0c51c3e085e071bf05a87ea12c69ee1

SHA1
ba1fd5d443d578260dba9de9ace5fb4ab742f1bf

SHA256
175ee5012fae0a01224e9cdb9f23a9b67417e39d63edea3813598e047ecdadfd

SHA512
7b3debe8ead50105e63f51541be39a05497c2613e74c120b03e6dbc70bda3e8c63f211452ba1174015f48a2f324f22bea79ed41717577ced1bef44ce655e7f2d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
64KB

MD5
a985fa17a9e47ddbf7d6355839c1f203

SHA1
d52856c8f9f6a1eb2209aa23fe23bfd1f5a95670

SHA256
06b9388b7a7636c92a0380e8f68ea5ec98c15232f07de945d2b40c2a2f1c7e07

SHA512
6df55d616a471236fec871b81a671a42387ea42c7627e89dc380b4b94513ce7a56b5621ef67b4808f9fdc484a9d04bac1962847f028b9337075fee0315a6f184

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
64KB

MD5
ecd49d8ba16ef60fbe65192207f4cfd7

SHA1
852141a58e6a06bbbb42700ffd34add659b693d4

SHA256
f03d5ccd433107de35a5fd271431a167dc13e72c42ba3f900e05c0de04e29baf

SHA512
a1ef83b00ff545d8fa37a9eeb14352b4dee4a570e74265b53307568fdb7cc885f67a587c81dacd55d215686ee2e6d0241e1d98517b2464001d5828a50f857256

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
b650cd031f9b27863feaca629c7a14a7

SHA1
6e3146e12bb48841671e63bea33c5113d8b9ba84

SHA256
4cfc2e2a276c9cc9e1d07a5e25eefaad81c3a53d52276498d05c23b00af03f07

SHA512
b4c85ffbca628beba050cf18291d33fc2de5f67f9b6917c009fcc622d41ee5e783e5509c13b6b5737e63882baa817ff16b2c32b7e407467892fe8195b6520fbe

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
78a636a601d669be035454745901dba1

SHA1
4f5d918ad53b7df876d934f299dca3e9e72df5c5

SHA256
b0713ce6eb233b3b1f3a8dca9eb010c7c28fc5300e6f0db9377f9968bd681885

SHA512
1ca7fe44d09e852a3f70352d7425581dc13c6c292959e43da380ece454964c86310a88abd6bf2f1a0cdcff968bb62f2d0d17d0016489fc57ff041050c6255069

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
a26ec3a658e21073bea61d0671a0ba49

SHA1
2376b13a789af866344d12d36cebdc6cee4a937c

SHA256
94db288dd5aa476ef9a5ecfcace91b0597283d64cf33eb965c74663f4c20576c

SHA512
3a7903ee180263f13ec97dae43d40ffa7c048b04e6059b227dcf490cf3b7990bdff0bc758f533aec003bc14055ffbdd23b4f66645fa3de1d0264db111eb3c407

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
05f5de741cb31ce06a49539e713003d6

SHA1
1dc5e1ee8f1e88ec48051d4913145ccd26aa02ed

SHA256
fed93e11c1be4d0bf62ed877b468120f0d74d7779f68e9aa8cfabefbfc76a5a6

SHA512
e96efcf6afbaf6a81246efcc3413591dbe5e659c1f076b06d44c98449166713bf0b618ab21a1d938e65ff3e7186d59f7aa82dd003ccc37dbe691cf68458a97c3

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
ae8caac08b77d134e463a17585ca286c

SHA1
9496c90a2bafadd2b01a99a0ea43badaf2e750a5

SHA256
5c579dbebebdaf3f6e3a3938dfba484df6c09f89755523d2851889df44a9d22c

SHA512
75bf056afa3c4ba6e29fba5178cc33d13b9253ff630bacaf0da2c53e1d3c66516e8b8b07a211fcf3c76ce148f4e0f4c61b7f8890d31a84f60f7e67fd820488d7

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
64KB

MD5
ae3aaee33aa59468b52d03931cc775ee

SHA1
cb688a61543a1009abfa9ad5db437ecbd9bd2d7e

SHA256
d1c07a77c2dfda865e9c8fcf1d841933de44de2ea47489ef6309649eca5e8c1a

SHA512
64d8feb353f936f54fbfcd59a5b25746a500766a553abe1cbb5965747f74619016d3e28611defaa8b91c3137eff36cc1121b8d4ea4bae3d0d8de980d56223d00

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
64KB

MD5
a185b203544b11054c62372cbe332c32

SHA1
a9482bce600672e521292c5d21ffeb1bab884f0e

SHA256
a6f096ff72cdc00648d8140f79ccf5d1274ca11fd4ee7cca3d34630c709b8a77

SHA512
1c39204a01b1c2f2069cfeaf9dea4624ef94f3c482e94e2399cf3c7f012bb4346bf6ddb92dd6a2cea192ec30090d88bad2fdeecc5a404d13e63c3d93e6224291

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
64KB

MD5
e28763ee3dde74a52c56b714c2243303

SHA1
dcf2fed28c27711211dfbdcb5fd58d3030328228

SHA256
28cf749f86dde356710bddabb8730838e333d624491c10d0060a5df0b2600c78

SHA512
3f5778b11f15f9f67688f325fbe2e7fdab5c47de96bc6563041006a6d2b26d1cebd7a0a3b923c5a671ab1117649b52306ca68836a642ca99f2cf5e0b1c579eaa

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
4f07a9cf1cc3c2f1d2567d9fd0416cb4

SHA1
678d0dee0d7bf17fcca847b0977c4943d991e557

SHA256
4f33b36c084fe08f9cf8eb105abf91a3a8bad8be87d9d6fdf5286b371a8cec09

SHA512
273be933f7f94df86735e7305567d9da050040e87dfad11c3eb046303ab269b265ec2aca2211741feb796212e09a03114b144b9fb80e393dc48ea2f78927a418

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
64KB

MD5
10fb8a9f5d4723451ece4fd3c7d08a9b

SHA1
1877495b6e98f50f19952d4c6556d17ec366c4ce

SHA256
3635975018add1d841895469786f983317f3fd1ac9ce74b65658c40479e2e955

SHA512
ca7601ea5af95b3795b131817c1163eb4d4d325eedefed20bf0f039f7b8b258881c09f57f23a006b951dafacf3e7b40c2d668144738a7f66c8838e128e67e364

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
6674870da9925cba1e1edacbf145865e

SHA1
b81f88d3da3288e481b43779122a9fb42fb94b4f

SHA256
cf4ab2de5d0e7b259b68b8f64f3feaab79f8861f6362891b39052af3c8a86f28

SHA512
e850ff5586490dcfc22992c9e916fbcf310da70c1b68963057be5ef735ecba4c08751d0b37f6979ba486fececc306c18a780e7fc608b8609c39477e8d301e95e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
9e5e0add2c302f75a88e2dcdec840193

SHA1
ed180908fa67157fff50c19f592bb6031734d75f

SHA256
577ae985bdb28b8131bff38863dc245b283f46ccc71382d17e4cbad527a546b5

SHA512
c8e52eec57467106e050665bdfefdaf20511973ba207219dca16e88c6c52f0abac2e1c17f316d38468956237f5bf9e20c83f3d94206254bc8c5696f7e2aa89df

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
64KB

MD5
3a2c521b6d85cacbbd6c3c52d328d457

SHA1
bd143f13cb19e1c74978bf6b215e8a1c2260447b

SHA256
8d1dcd0d657f1001fea9977c4aa715047d2036b390e38c520a30ad11d049d2a2

SHA512
988c950c9b928982152731f4736f6a09f8a4eeefbbf214c7d3e9ec4af3722a89e3d1a54e6e7dd76e91bd0d142766c454a539249a9582b9d95efbabbf85c146db

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
64KB

MD5
e882a2f524710b20a1f30734cfb3a82d

SHA1
298f0e75a662f8dd241414689b49b04007ef9ef8

SHA256
da865285c6bca030acbe2f7c7ff752e7d3a99e3d2e86dc6c5e3c66a3bc3cbfb6

SHA512
55c4360c12166ad0baf380ecf3cf9bd6a28fef45eb788ce75cc3c9e3cba4560b7c73422d55a5c28d7e33b4dd2b648bb647b65b59ac7ee4404327953fbd476e67

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
64KB

MD5
35a4c82c111dccda8f0b1f67faa5c0bf

SHA1
8b4c4031a892521c0271f805cdef9bd1e88310ba

SHA256
a570858c8b8fa63e94afab972977ca56b37716db1f05f450f0cfe32f588b35d8

SHA512
f32b106aa4306f74a7537d4bbf03aab46d82dc986daff952df4eee8c1cc45e0971a8877bdd2dffdf7d9727bc46ba78daa257930e624ae86f209aee5ffe6dda33

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
64KB

MD5
36e024db8e09447811ae59ec65e47ce3

SHA1
0bc6c56f3a17e283f1199e072983457a35fda7ed

SHA256
e49d5252e127460df73ae1f2310d5012bef11674ce39509a1e97e817efb0622b

SHA512
d88eef105a74ec5b0000a92601520f6c7f9b414816eef89c36d01e00b2c5e71d7693aeb440e22879b7a0818319a13eab3adaa265c513f0beb2d528ef21b9f795

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
64KB

MD5
ad300076d7a6f0a0bfad3bc824016e8c

SHA1
56a03726eeeb4d864c2fd67eb420d726550ea7c1

SHA256
d4e97e4227821ca9a18361babdc33142a26ad6abe3eabd0a44fdd365f03eb04e

SHA512
6bb36c3e747031ac5fce35a55e68ee0496c4c2d1fe396efc4c69f91d048466ca1fcea034a38adf28e4b1a72278684a9d91363f0a5cd2507058e2e17e76db78de

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
904547c9c979596f682839eabf4e51b5

SHA1
b914e1948f63a7dab9aefbb88bdc42454ad4a035

SHA256
4933e8247eeae2bd88a0e9d7d2f104e658c417edc9e2c38f5525dc7f0a50eaab

SHA512
5890ce858d9ea7464ca17bfba33bd33a4a9c7af238852b243575464be560957cc4be3cb18a513f4d4fa103335f8a596fb37b12b8abc41ce01f8d1597726e24af

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
64KB

MD5
72ee9cb02aaf999fa7b83cf4b393ad58

SHA1
20c55c60442a4903a17772fbb8457f62ff84ff0d

SHA256
cf1b0138a7e697455cc9e3e2b6cf262b59ad444ec734a8cffa886a68a65a1772

SHA512
e80d6bfad1e2a74db85fc4dbd9d7a499ce423763e43ab14b5434170190272c5ccd8ca90e736d15fe81d3d2c310a238449a6ea7e63b9077760f9896182c69a35f

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
64KB

MD5
3bf5e8beddc841380971ccec8e61bcc6

SHA1
c210ecbca61caa3a671715ad228a67ffa66968d7

SHA256
1244418ace452c1202cc2614cf6127a2b9fe93d6965bf3bf554a44f853e19a41

SHA512
a56af522d9e536cf7885f52d45c6ff378d2278002bb28e7aca1cb3fc77e05d244b1bc6307fc86ca0ac758184faa1c50fee3b674ff8e04c837768118272a58589

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
64KB

MD5
b65c8624d8b95305053a5e9e2ede9a86

SHA1
11f0e9c7075eda4313eb13cb2d12aa4d0a5a9607

SHA256
6742ab961e3aee6f99a4cd701675f13a13d3c49b75a9138bfabedfe484328292

SHA512
766705b3f0403108aba0be80743a93e21fc38e8c7e6a47f977d35b7b616ea33dc8ce70fc6ac4efc2fb039ec4a1ff200abe5c68b581eac4427938a3501aaaf808

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
d5d89a6b14d70e88bd2c39c84d5bbca5

SHA1
568658a0cf62e4338e0d189be3e6af1314bb3f86

SHA256
1686dff203aea7683591f351ea42ee9305c2c3f1ba25ecc365448264e5d8aa7c

SHA512
19a39a50ff3cc4fd2f3aff8ce98cb80ddf3387c232a6769e72e35ed7bb020cae783680260b5151a6f4ccf16a3ee5024187b1c08496449fdef0e30d7d7b361d91

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
0d264da58579aefcf801b0791767c8de

SHA1
91c7c3a6545ba9a59d30d52d37ebdfdc3530092b

SHA256
8a74cc044a89994f125816908a704a1eddddddc46413ae0908213e4629892049

SHA512
5d70cd58a4e30340dabc71207dad119fd663b7a5f859a1a627dd938ea2b873fc93b6ce54d9a648fda484e44d553b5019194f3e2dd34666c0d60b151c8c958dab

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
64KB

MD5
33653ec5c0cd3b17615a456da201e865

SHA1
e9a2cadb4905bb6b7712eec4d17fd1ed85587bbc

SHA256
dcdc5cd481591d2843691848d90f421b4b35889edde667a3dccf82048aa3bb74

SHA512
e627f9ea1d5da631eabe80154ff951b9cf74e95cf46301a0e252eb01c60da91baac40ff8f56b94c8e137234b596c98069a4e178f106e72782296c35b75664c77

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
64KB

MD5
297ec40451a80c8181547368653daeb7

SHA1
71250b75d36c27629a770a787ee5f34a5c8b93b6

SHA256
2d67e29fa84ee2ab227c77723ddc81883e0789f00c10a12139442bf712fce751

SHA512
3eafbe9c09d0f28fdf1651878bde4f613f122f9d64834bf1031603e0c7a72adcd10a8f8de4b30800ae4cf56f911f98417b324df6d38ca4198cfa4890b88c4d3b

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
64KB

MD5
bfc05f0229b07debbe9cb2d100873153

SHA1
7d8023a7012e63bcd0efbd8ef42c075fe6f19d88

SHA256
5d25507f2a03b0c18292b54299d447cd4173b20e929386038274e72e0aef4092

SHA512
8a3e575fd4069eb5eb2f11eb1b056d739fbcb1a0a8b8818c253f771b1a74df930097957db53c4f962ef6a1ae2c868e20f58ed10aeea0a8093264ebe2c1bcb751

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
64KB

MD5
536084d1d1d5f3362839beaa6be5b69c

SHA1
4a1b1b6fc11e628cf053075aebbf82c3b264c6ca

SHA256
60377d8e13f216d9d5b2dc653b898498ac0e027987acd81587b896f2f2096c41

SHA512
01a69312575ccb042c2c3820dd24e86d2d6668cb9aee5df7d60411c685a159d847c52e86a87cb5874a243a1873850b89c6365e9aaa35a5dbf64dadbde476dd03

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
64KB

MD5
b8fd66cf1ceb90f041417accbdd0f7b7

SHA1
d644d5cb88db9f307c773971e9cdc64851781d67

SHA256
e12780530bbc07889b4327134a4551e1ed2e98b3ac9df41f039477150ce0e893

SHA512
c16180b1d3582010025399875d88421117f1e5511e2fea730932973a0982b57740a821e266d4ef24fcde70eb069890d240da27a7a5d2df92c56b7e1e6c691d63

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
64KB

MD5
86498178e33a812b2d81a12df161aae7

SHA1
e6398b575936f4971390c60b4525554b6abe4b77

SHA256
c977dbb2a474e07db79b5d866b61f8b327e02560cbc5e2c58cce270e4717a520

SHA512
09e6f3510d7f4316749585825f944ff021b24682de5f151f26f04caa4985a73d5ccb2491eef2c20ecc3ae5a0e4842fec11917b28c8c81d246f110dfb178af1b8

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
cc792c87cd392c9d12c817ecebb7e4a8

SHA1
42be9decfb22d4146db93872d74068600166caf3

SHA256
d54fc39597da97623862c44f959cfe5592f4da1522e5516cbc45a542f829bf99

SHA512
6ac8af629468a805edd9feaa4d7c32afa34cb37eee2b715c56936a76b63d40c87e90cc51e8a1d5567ca3b79ae438fea0a8091ccf91312bbe68b917c3cf672c5d

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
64KB

MD5
aa93fcf4f04be42d984ee87a220e7f6c

SHA1
f76e40e9c3c703a9a3023eeff963b3c00c95da20

SHA256
de608849a6690592638b1a1dacba73143e7205e4c206bce7a6b60defd78c4e0a

SHA512
fa94ee2dc978f60cea1671bebdd9649d599c9c618b8bf3137766cd6c2760a92a661efdfcb3c0d3f85933eebdca293140ad4399e5bbe0a05effa944781c5d28fb

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
bc89819f006138f37ac8fcd57df22b51

SHA1
63b91c082d7c445e5cfc50f3d5409cacaf3bc9f6

SHA256
a4e935f0ddd8ea865111e9d0fcb42d4038e181835bac31934b276c4378f9b793

SHA512
07dd73134159b8d4833144e4b9843a12fa3f6325b567b2fb05b4a3835c4276dc2052029d498ed7a0cf1e7d0905f03b4e55d3cca087bba1b5084e3a32d5cf467c

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
64KB

MD5
753e4a785af5e71ac5d702f5e795b519

SHA1
4f3717d2a08bd13aaf2bf5d29f9dbfc453a3f33f

SHA256
bd7f9febf4a1c7fc87e69f275e9431d9322a83231fe264ab1e05b569e11f177c

SHA512
4a6ed9dee48de50c8d39e7d02e3cb86b8aed52f425e542becaa98cca4f3426b12d5d8ed98b16438ba670d531c633910e9ecad2b51e7d8fb6283d842f22605f4d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
767dc932d649547e7f815df4e6ceeccf

SHA1
151a6ff790ca7564979591941d86ebd7bfabf2e6

SHA256
4c7917440a0a355a4a9cbd3cd62bb520635c0f4c985003c064d02d76a4429441

SHA512
0818318018229b6f7c64d2e4d31e0206160b37f9034a901b75f918d5737c6d4caca21dc7ad9bd6bad8a19f55a60fe8fdf24febec7137891812aaaa87f6659b6a

Download Submit
memory/384-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads