4101731cde394bd08a0b0eaea436a7021281a44168ac7f4d896f18248de60853

Analysis

max time kernel
98s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54dd0b41a620770b39b3a209b2110db0N.exe
Size

548KB
MD5

54dd0b41a620770b39b3a209b2110db0
SHA1

d2dd5926f4e6d7f54222710434659416ce18b99c
SHA256

4101731cde394bd08a0b0eaea436a7021281a44168ac7f4d896f18248de60853
SHA512

467d2410911b2bc4592996068cb4b3d166164f368a2dc92dd4622f8b41718572dcba8756a7f408934e634959ebedba52f34b5a97357a5e09edda231a217be8f8
SSDEEP

12288:AnDb7Svy6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:SDTq5htaSHFaZRBEYyqmaf2qwiHPKgRP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	54dd0b41a620770b39b3a209b2110db0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe

Executes dropped EXE 64 IoCs

pid	Process
3500	Ojgbfocc.exe
336	Ofnckp32.exe
3992	Olhlhjpd.exe
1152	Ocbddc32.exe
1060	Oqfdnhfk.exe
4776	Ojoign32.exe
1948	Oddmdf32.exe
3004	Pmoahijl.exe
1476	Pjcbbmif.exe
3496	Pggbkagp.exe
4796	Pnakhkol.exe
4032	Pqpgdfnp.exe
2216	Pcncpbmd.exe
396	Pdpmpdbd.exe
4860	Pfaigm32.exe
740	Qceiaa32.exe
4496	Qmmnjfnl.exe
736	Ampkof32.exe
1104	Anogiicl.exe
2144	Aclpap32.exe
1164	Amddjegd.exe
2292	Acnlgp32.exe
1572	Amgapeea.exe
4760	Afoeiklb.exe
4264	Anfmjhmd.exe
812	Aadifclh.exe
4356	Bfabnjjp.exe
3236	Bjmnoi32.exe
3368	Bnhjohkb.exe
4516	Bganhm32.exe
2896	Bfdodjhm.exe
1416	Bnkgeg32.exe
2672	Baicac32.exe
2124	Beeoaapl.exe
2020	Bgcknmop.exe
4568	Bffkij32.exe
3000	Bjagjhnc.exe
3688	Bmpcfdmg.exe
4736	Balpgb32.exe
3624	Bcjlcn32.exe
2580	Bgehcmmm.exe
2684	Bfhhoi32.exe
2824	Bnpppgdj.exe
3960	Banllbdn.exe
880	Beihma32.exe
1244	Bhhdil32.exe
4580	Bfkedibe.exe
2592	Bnbmefbg.exe
1700	Bmemac32.exe
3820	Belebq32.exe
2260	Chjaol32.exe
1524	Cfmajipb.exe
3728	Cndikf32.exe
1928	Cabfga32.exe
3884	Cenahpha.exe
3068	Chmndlge.exe
2528	Cfpnph32.exe
2452	Cnffqf32.exe
4128	Cmiflbel.exe
2532	Ceqnmpfo.exe
4456	Ceckcp32.exe
1940	Cfdhkhjj.exe
4296	Cmnpgb32.exe
4884	Ceehho32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	54dd0b41a620770b39b3a209b2110db0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	4716	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54dd0b41a620770b39b3a209b2110db0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	54dd0b41a620770b39b3a209b2110db0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	54dd0b41a620770b39b3a209b2110db0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	54dd0b41a620770b39b3a209b2110db0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3500	2152	54dd0b41a620770b39b3a209b2110db0N.exe	84
PID 2152 wrote to memory of 3500	2152	54dd0b41a620770b39b3a209b2110db0N.exe	84
PID 2152 wrote to memory of 3500	2152	54dd0b41a620770b39b3a209b2110db0N.exe	84
PID 3500 wrote to memory of 336	3500	Ojgbfocc.exe	85
PID 3500 wrote to memory of 336	3500	Ojgbfocc.exe	85
PID 3500 wrote to memory of 336	3500	Ojgbfocc.exe	85
PID 336 wrote to memory of 3992	336	Ofnckp32.exe	86
PID 336 wrote to memory of 3992	336	Ofnckp32.exe	86
PID 336 wrote to memory of 3992	336	Ofnckp32.exe	86
PID 3992 wrote to memory of 1152	3992	Olhlhjpd.exe	87
PID 3992 wrote to memory of 1152	3992	Olhlhjpd.exe	87
PID 3992 wrote to memory of 1152	3992	Olhlhjpd.exe	87
PID 1152 wrote to memory of 1060	1152	Ocbddc32.exe	88
PID 1152 wrote to memory of 1060	1152	Ocbddc32.exe	88
PID 1152 wrote to memory of 1060	1152	Ocbddc32.exe	88
PID 1060 wrote to memory of 4776	1060	Oqfdnhfk.exe	89
PID 1060 wrote to memory of 4776	1060	Oqfdnhfk.exe	89
PID 1060 wrote to memory of 4776	1060	Oqfdnhfk.exe	89
PID 4776 wrote to memory of 1948	4776	Ojoign32.exe	90
PID 4776 wrote to memory of 1948	4776	Ojoign32.exe	90
PID 4776 wrote to memory of 1948	4776	Ojoign32.exe	90
PID 1948 wrote to memory of 3004	1948	Oddmdf32.exe	92
PID 1948 wrote to memory of 3004	1948	Oddmdf32.exe	92
PID 1948 wrote to memory of 3004	1948	Oddmdf32.exe	92
PID 3004 wrote to memory of 1476	3004	Pmoahijl.exe	94
PID 3004 wrote to memory of 1476	3004	Pmoahijl.exe	94
PID 3004 wrote to memory of 1476	3004	Pmoahijl.exe	94
PID 1476 wrote to memory of 3496	1476	Pjcbbmif.exe	96
PID 1476 wrote to memory of 3496	1476	Pjcbbmif.exe	96
PID 1476 wrote to memory of 3496	1476	Pjcbbmif.exe	96
PID 3496 wrote to memory of 4796	3496	Pggbkagp.exe	97
PID 3496 wrote to memory of 4796	3496	Pggbkagp.exe	97
PID 3496 wrote to memory of 4796	3496	Pggbkagp.exe	97
PID 4796 wrote to memory of 4032	4796	Pnakhkol.exe	98
PID 4796 wrote to memory of 4032	4796	Pnakhkol.exe	98
PID 4796 wrote to memory of 4032	4796	Pnakhkol.exe	98
PID 4032 wrote to memory of 2216	4032	Pqpgdfnp.exe	99
PID 4032 wrote to memory of 2216	4032	Pqpgdfnp.exe	99
PID 4032 wrote to memory of 2216	4032	Pqpgdfnp.exe	99
PID 2216 wrote to memory of 396	2216	Pcncpbmd.exe	100
PID 2216 wrote to memory of 396	2216	Pcncpbmd.exe	100
PID 2216 wrote to memory of 396	2216	Pcncpbmd.exe	100
PID 396 wrote to memory of 4860	396	Pdpmpdbd.exe	101
PID 396 wrote to memory of 4860	396	Pdpmpdbd.exe	101
PID 396 wrote to memory of 4860	396	Pdpmpdbd.exe	101
PID 4860 wrote to memory of 740	4860	Pfaigm32.exe	102
PID 4860 wrote to memory of 740	4860	Pfaigm32.exe	102
PID 4860 wrote to memory of 740	4860	Pfaigm32.exe	102
PID 740 wrote to memory of 4496	740	Qceiaa32.exe	103
PID 740 wrote to memory of 4496	740	Qceiaa32.exe	103
PID 740 wrote to memory of 4496	740	Qceiaa32.exe	103
PID 4496 wrote to memory of 736	4496	Qmmnjfnl.exe	104
PID 4496 wrote to memory of 736	4496	Qmmnjfnl.exe	104
PID 4496 wrote to memory of 736	4496	Qmmnjfnl.exe	104
PID 736 wrote to memory of 1104	736	Ampkof32.exe	105
PID 736 wrote to memory of 1104	736	Ampkof32.exe	105
PID 736 wrote to memory of 1104	736	Ampkof32.exe	105
PID 1104 wrote to memory of 2144	1104	Anogiicl.exe	106
PID 1104 wrote to memory of 2144	1104	Anogiicl.exe	106
PID 1104 wrote to memory of 2144	1104	Anogiicl.exe	106
PID 2144 wrote to memory of 1164	2144	Aclpap32.exe	107
PID 2144 wrote to memory of 1164	2144	Aclpap32.exe	107
PID 2144 wrote to memory of 1164	2144	Aclpap32.exe	107
PID 1164 wrote to memory of 2292	1164	Amddjegd.exe	108

C:\Users\Admin\AppData\Local\Temp\54dd0b41a620770b39b3a209b2110db0N.exe
"C:\Users\Admin\AppData\Local\Temp\54dd0b41a620770b39b3a209b2110db0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\Ojgbfocc.exe
  C:\Windows\system32\Ojgbfocc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\Ofnckp32.exe
    C:\Windows\system32\Ofnckp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\Olhlhjpd.exe
      C:\Windows\system32\Olhlhjpd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        38⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        60⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 396
        80⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4716 -ip 4716
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
548KB

MD5
ebda4b526cecc0435f508cd6813fc06d

SHA1
4effd43c82db85c88c3eea4df991df1eeb190474

SHA256
2db9268a2ade98ad8fecc447565d4362572d89132a9e5f74777d4062f6dbe7af

SHA512
85f00b9b266de04398617cd06dcb1a4339931761ce80e54d85eeecc4872a82317f0683313c88c7a66872723315e55b5a16ec25efe2915493bd08669ce9cc2f29

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
548KB

MD5
815bc28997a0779b5ed526a07302cc7f

SHA1
82fb23692b9d583ca9486f8bad141ebd5a70f80f

SHA256
386180134d28126f5243d21af70034072f0e7b880a4bd7745b6627172f059223

SHA512
5a7d38553700c4d7cdf0aab9f87c6320554006a692641282f8d2fdde3090ab194179ccb9138554ac6aedf1542a98934a5da1ba165d6c6b1ece305a5de44275b0

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
548KB

MD5
153ac9eb71b35bd5261c51c29c1e7b0f

SHA1
ab30b6acbe2267989bc47d209830ec2b79f0d103

SHA256
33cb87b952a16fc6f4d4f55b4f873178f6c45b01f8d318b5541efcbfd5c4b67e

SHA512
b859aebb3498c8333fa26781f286d1ee44c856e4244659eee799580c72a5db81776be7ff2392531d1dc978949f41b7788662b87b11c1a7229f6b167c86390d95

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
548KB

MD5
603cc1d350e7b3d86daf48938466d926

SHA1
1021a382f55deedc21e6e1251fd3d0f4f9d4322d

SHA256
f4ee8b5b1dff072f8e60db16b38b67f6a48392e3216e03cb4f9e4a00c4a6ab04

SHA512
92d2a8c06f2893763430e27cdccab2c9c98aa1984c952dd49eb961f330e47c7db1c411e0b2d363236c647a80bda0da6d740ff19a9f969e85924e55554e6a8fef

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
548KB

MD5
8c93004fa8fe99444454640a9b8fd6d7

SHA1
598d75b7ce0e58f9afce5b307d574660c3ee8cca

SHA256
e81670be6180fced466f50eef542de21b180ba63c7b33a49ef40f9d20e0606f6

SHA512
a58cb1718c19bff1926aaf3b21d7513ee5fb9330755196cec0a8eb4034d5aaa302ea76dfad1e6e8b6b674ffc97cd8aa7d6022442d844c85a45e07e42b52982a4

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
548KB

MD5
99d1d695a9f29ae701c51e445585a940

SHA1
a9bba6e1b399ab9d1b3789918c7bfef3ef38edf3

SHA256
9f8c9cbe24d0b54d7145ae31774cf29889e33865a5287091d1cb64e03cb7ce26

SHA512
0dfbd2958488acca2825e652225633b130f9d7e671776489c708e895ef9174cd0ed08113ec2c4b3b0b96706c5b6943882c4a6b79b48afaf45d1b42bd53ea13d9

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
548KB

MD5
2bf1a0defaf2bfb4b050ea39bb5522e2

SHA1
f96a54f644fed9f387aea46a7fe15a1b0ea2270a

SHA256
4de33a54b5878b3e80290b66824c4038db6ece6680357e4c73fff4ec853737ea

SHA512
c8ae19980b045611c9f0a379801463ac35c237727f509b771f5ac2b1a2a9363348dc1a65aaef8e4a5ef4e46881751e99b240161708bb660bc032b8ec9f9886bb

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
548KB

MD5
b050701df355bd49587424ade43ffd22

SHA1
16c4bc16ad56806d538afdea77bec76da065ca5c

SHA256
c0efa47c95512d2af7d9ec43ca9e0ebcfdaca1fd07fba7ed0ceb71050dc213f9

SHA512
c9b653231a8b5e5a3cce4792a37f522469f78dccba1f4caa7091d91cf1d67f761bc3e84b125310a85783ae4b099f17b7fffb14dd47e3bc038c1810030f182508

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
548KB

MD5
058eef64957090aba8590bf318350268

SHA1
cb464069b42cbce4251e4d3a5adcbf0d9ed0fea8

SHA256
1fb0cf13865a736921d07e13283403a2cb42edd61ccf65d9edfbb75044c21907

SHA512
2af8098d0bd68ef8de614f585ad5a7c42c4fbffc380ade7dedf031d0c51f0d503f695c638abccc458ef4dfa10f594cc8a11ded38a0ea44e510c29f90d106db1e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
548KB

MD5
20558769c9da26aca0e1f7c44bf96524

SHA1
94f46deea91d839630d78b69d592e1ac120e3fd8

SHA256
3517932b1e1d9011c708aa6ef256e20b687e4c6ca499805d0d0683eecb3ca68f

SHA512
7dba1e3464e1dd4e78d92cf1efe795740a39b0cba508fbaf299a6c0229f266146c79aa0171bf00969edbef36c5738e55f0699e2ac52de1dd08d5daa521be4fc3

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
548KB

MD5
58b5c4351a2db9189b40cece475bdab5

SHA1
02933f25bd0b8347805b720d80c0160e26c5104d

SHA256
760d8af5b2aab97c55e89f00f72c8d3f1a4ea8f1ae7a2be51d405b2b1a91b34f

SHA512
a4bb1985fb6f220391d7755125c5a7f534434a5f98bbd11f7ba6bbd93117ef9e4b61f470b0c049648b48470ade4b9a0f8601f592db15bf99f200f350f5c2f4dd

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
548KB

MD5
25253c8fa46724c86996954b905b6bcb

SHA1
d4bb5a3a674ab3e5e5460bb8fe289cf7fc269171

SHA256
03807e50cd22186955e0edfc8f9ac67ec48edb9cac5276887d39e7fb1e764e1c

SHA512
e5f2c5c233ab3ee7d24bbd4d9cc44171955608a133418256278cb39518503a8119c1678ccc2dd4feae1615587636b1ec96383124361497e7586067866ca96505

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
548KB

MD5
242a39a4073fd3be734fb72a8bc7997c

SHA1
8a82204bc7602a6c4c7737789d3568c95e5050bf

SHA256
01028cda5d3d1da2b886019fbc8e6643c749598765262f0dcf6743fe193208e9

SHA512
89e7fccb7a6f6464e55af1c261658786ec481bf00c266681ab602cb50f23a85ca72ec4e0037581a9168dc0841b4c1d19ef22f8f2ba5fc0c7068148b142214e37

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
548KB

MD5
0eeef84a049982ec442092965ee7ddd6

SHA1
9ee2615576f37c64ccdd12761441c11761799ab7

SHA256
bd7cda8c11886aaa1987dca7d89600813630c9b8066b2718259b8ab8a572e0f1

SHA512
5532b2ea7958224b00bd0ea759b7aaaccd2d3bcee1d0911eed06f2698d0185a84c913cd79d8b50da54c29f4f4ab5cb29a073d930726ad19a4ed0cfae8b378343

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
548KB

MD5
a1a5d8f040c46627e9332930b79a2da2

SHA1
87f7fce34d9a6c447fb8f8669cc7ebe95340d1f9

SHA256
159516a53b53f79400ccd8540e096e3145dc7d81cf8f1b81874fa96e67889d11

SHA512
2f78a1dfb10724139b9c9a32a2674a7ca5dda25363c2a9842afea2e506b6776cf835b616e0b0010b10993242d08aaf0284480ea7d46ae748125d1c9bf8735e88

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
548KB

MD5
6bd900baf66b441594134c75b816bccf

SHA1
c01a7ba6bb6bb2ffb3498cd0abeca4e2477874e4

SHA256
7ce0c7ec21deed0e3ad0ddf2e3625fac29383353fb1f84304a1f76276149021c

SHA512
8600ffd79e62ac7a4f56fc6c7eb676b91771bdd1e8e75e06bc4eb5cb4cca1f2d427877d69b34ce1ad7e1dcc7dcee5da1a0e715a60e53f7c63e8c387f47eafb1d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
548KB

MD5
2c2818282fa90a689518b8f1d2c783cd

SHA1
d577c4b2dd7f039ade9cc3d717d49f81ba0607a1

SHA256
a95740695333c6231f147fbbc3e4e0745e4d1a30b407e07f1c3b610966296e6b

SHA512
507427ad8e81d5c56670e1602122f49480f9d484b4e2f360afcf4bf87b8cf94e572148fb3530da889beda9202e8b322426e390e281bf826cf16db8d80d3f23e2

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
548KB

MD5
5c8a31f08074241324dc695665b25f2d

SHA1
646e10d3256e8ae8a1c7ce930d17e6840bd316a7

SHA256
51e0b5379b82d7c8b699645fe5ada3c9a8b7a2853e2bbb0449fa9890c996b0c0

SHA512
33efa1511e7abc169b72dc3a5156e8f1eecb7f0a3c34a7b6cc1a95999be04670d7ff2f0409710d57a969313bf5430eac0073d9def83dcd2cbddae81035c62536

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
548KB

MD5
30dcd785e6e576675d94f12426aca3c9

SHA1
91b9f49a68a569866817b0f4454251dfdaa4283d

SHA256
8170c641cd1a2f4b9d51e864fa8d6142bfa0eeaa823ef6fbe8ab6b8dfefb0c38

SHA512
9f24296937cfb094c9647ce591978fbf870140e087f9355f8f1a743778ca91c8315a622243104dd4ccee1246d9db62ba96f15058eb4ed956d10f64ddac2187e3

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
548KB

MD5
a1e2bf66331cb0f8d63e15e63f733389

SHA1
e3de451635e8f5a31916a32ee695fb20491b4a89

SHA256
b0d9b7031f6d2cb68c1ce08c0bcb3e523495713bf879659702cd376680be8a1e

SHA512
6e9518b9d3b99a14d76b5802aa5bc32838702fc10db749f9d5c46026ea19d66e917ef17c4dc5ff1a9f1671e6ad12a70a46bb2f612c8eca3c7c07a9e05cf4ea30

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
548KB

MD5
dc0fcf06deb7ce9583b35c41716c893d

SHA1
c770e738243ff933f0421f8fb24795ba2cbbf614

SHA256
70ebc601c1ffea912981173bfdf182315b6393d9e7d50f0bdc230b85a33574ef

SHA512
592da1fc24841fc44344755ce323c357616d23688fdb000f93d3ec65e25a45fb5a1e61f07bb01e2eb2b07fd66d79804a84bb29efc659172bf3f4f2c3769fac68

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
548KB

MD5
c61baa2e3e3a45de7c15fd34308d1203

SHA1
7b6d50f68d6c5c2748c09362eea88b53f58b7c97

SHA256
7052daab623bb282c62fb5d80cde58ef29952122121d467158e3cc1e471ab4ea

SHA512
05e7a9ba8ce5088c45af4e71668dba8b721d10bd2cf9495a016187d46794a6d158c3cda2b9ede6fd8bb3d1681e226ceb922807b985fe15c6c3fe00e123d8020b

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
548KB

MD5
58fa05bb37b8a1b185b8c9697a3db981

SHA1
afb30c8de7af41695577ef310d19ddd1e3883267

SHA256
c86832805bee81d79daecbb5dbd390832f6ddb177d716167a1594ecaa618dca3

SHA512
9198b38461a0b7fbcdb2f2ced8d57a88340c7b89913c306deac6c955495ffddf38cc5bf5ac86645fe2a5441fa8d1dae2ec9ba1935fe8712be9346d6ebd692a7a

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
548KB

MD5
f3ddd0f9ff3b93e953b9250f85cb3779

SHA1
5c0cbc65bb48bad4b9de740694a6104adf02db15

SHA256
34eeb5a80d3ae770a870fdbca76f5f668f97e276f89f5cd00ccca8861080f18c

SHA512
3427c1a21eafdf57ef2380db99896a0d63c406dc8b0ab70d3643f18d51257fafacc5c068de24957a410d6d4955409200176aec16e7deccb81b7761afbfbe77f8

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
548KB

MD5
3e8ed72e755206dc7e0b9e1dfd9b257f

SHA1
2e9cac8703b559dbbce30dafd578ef8f21bca989

SHA256
1b3c479f3e367792d21fd8fbb7fe507a5bc087241d00e542df7e362e62f02c48

SHA512
8009c89ff4c61fa8f6f0f5725f29091723907936b3f1ed942dd2333dc914fdc1846d641bc4e9c021ae1806d4a2602038d9bf7dc97775319ffe166628a871bf83

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
548KB

MD5
6fda0dcf42b0f052b711dc5935948f57

SHA1
11aa47da30a77db743ab4f3472ffc3d6b1186c8f

SHA256
6daed990b2bc38bec1569c7fd69e6ecd35e57af37acc06cb2a7815fe055371af

SHA512
15005a2cb168b57544dc2e5bd05e3fad4fc783d12731c83f5a9dffa2922aace1467e89802657bd343f21dcaf897f7ac484bb15c4972ffeee0b73cbe31b7e8761

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
548KB

MD5
3bef4c812a9e9113ffbd52a95ff7717a

SHA1
0e2482f3c202fa600a882bf8cde4e11a81c76763

SHA256
9a4da8b9b6ce9760f4566d5564b9f1d7b419b933a8cb6b69ada498f268cedd7a

SHA512
6d6ab2f21aea25cb893625c45f379646b41d0cd1fd09804ada02ae031aa3885fd89f6d1f8255fef83ab90d050706c393ba1a96a74e75012eb4182361e8ed7825

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
548KB

MD5
bba403d0123b7b7f5a8d72e03989cfaf

SHA1
93901a46f5d8cb30ffa6251570a24f0a4442d46c

SHA256
bd29bf108c99a24e77abbd2fe93988cf6e3e0523eedb5dc1bb16d75fcf72ed6d

SHA512
0013384a5aedf17115db800f82776bb7abe6fadce325fbba11d79cfc069457e8f2501b4809921fb95a6761dcd115787abb913ce5d8d06fd7384910c3d1113b89

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
548KB

MD5
b47da07892841f07802dba3c1a5a73ef

SHA1
d1c7fda3befbc217722760585cad6bcbfe80030a

SHA256
fbb3235ac85746b76b22ef07d42479ed45822d212ab4252ff9f07492f0af93ed

SHA512
72a30eb62c4ac6aed90006965f421ac8c15dd6eaf5e6d39663a5b7cbe3020ed16921b5bea811e53f2b0b5484de329f8057253a16e9f720792052769bfdb17e86

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
548KB

MD5
940270d855044a663126333a31fa4b4c

SHA1
818e063a726d120c794bccc34bb211f01c2b198b

SHA256
a22ecf620621b0503109033e1144d7cc4f3034b8b3f1b26276c58ecdc04e54b9

SHA512
f525a76535c4ba96eb6acf68b2ea39bbebfa292b6a213e945b193ff44f2202c34f66958c8dad8f8969ee575779ddbb6d88baa68692bbb59b5c3d8d3f144ab264

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
548KB

MD5
b037440bea993335263d72cf8b4700b0

SHA1
a3daeea3aeb5a7530677199d8327046efef15ab8

SHA256
9f745272df526bd9150ffb02526325c7ea570dbe17cf89a557bf8c888db21603

SHA512
7e8a99218bd3bd77a04ec6bba37b3bd4c39e4ebf0abbb79f2c1fdfc890d5e45122ab2fcaab2f44636dacd53d53629462b7b761c482d9495b974dec2006becadd

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
548KB

MD5
822a1ebc94e93b76f267dae254411e76

SHA1
620abdd29d8ed27074a75a1f13eae598ce3cadbb

SHA256
00ba2df4f9b3936d39c32b489e0461f1c314f715923a06c371caf2bd830a7960

SHA512
de7a613fadf2e5a197268415b0ebb787543b048ee3003768a19fed5ad58c5f90b46288e9b586e4631e7f622d8d83fee4dcf4a6ac8b8e76060c2cc351aaf0fee8

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
548KB

MD5
74b16c17c1a2e0ab5ef534bdbbf27927

SHA1
b8ca0227865147469c202e4fdb4a2cd602f460b1

SHA256
9ccc89899b66012e434379b9e7ac394174ae497c3bb6e1f7651991a5d751ba14

SHA512
94a3a59835f47fd0b3f78ac354821fb6d98dfd39eb4a3321d5654930388b9f446a6d129f9ebf7d084263b76d55332c602de64dedfa190d778020a1f0993459c9

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
548KB

MD5
a30a59a54bfffbccfb707500347c472a

SHA1
04bfd9b21312961892e99ff4307e83c340a89cbc

SHA256
0bc1976d612e695f3b0fe119fb11012bd1a0e5ff03eca0dcb667859420f996c6

SHA512
5755346bc87deef25e50b25b984533a659c06fa91af4efea696e0d2053d84bea94d2c31f2d2dbdf3d4e2ae24e031375c4016e315a087b7f9942cfe09a934a9d7

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
548KB

MD5
d9ac35e2f09ed82bcbe41619fe69de9a

SHA1
4c0a67e4d2415b750dfcfe7b45848fe6747e1af5

SHA256
888803d21ae5ef8e278e640972ef969ab38c7a78f36bfdc73ab801f3aded9216

SHA512
e338232d6fa276d478286f57869ac96b05570276ec288f33911a03bbd4e6e74d6ea5665447af6654b47c8550e113c6cb073ff1972e37104df6aba9d0a9896f50

Download Submit
memory/336-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2152-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads