8fcb414928fcdd896cced5fd98963ed7958aee4f4b5fd1db8d2e6278e991c30c

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb0b5f8d72a29a57089b31e37890de0N.exe
Size

92KB
MD5

4fb0b5f8d72a29a57089b31e37890de0
SHA1

0070ea6f864377137ac28109cd1b28f09c97abd0
SHA256

8fcb414928fcdd896cced5fd98963ed7958aee4f4b5fd1db8d2e6278e991c30c
SHA512

61a27ea46ab8bf2bf8c1fe17089f7653609af7660bcc5bdb221fc8167999a222c4213c2a2a508e72ce838b97ee699357a2462592a5664e2dd4dd1bd1b0b5e523
SSDEEP

1536:oTo2fKSVJGAeobh2WQmMy4c7vWB2p4jXq+66DFUABABOVLefE3:B2SKyoZvMyfWYWj6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4fb0b5f8d72a29a57089b31e37890de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe

Executes dropped EXE 64 IoCs

pid	Process
2148	Nggnadib.exe
640	Nnafno32.exe
1124	Nqpcjj32.exe
3448	Ngjkfd32.exe
1464	Njhgbp32.exe
4676	Nmfcok32.exe
3544	Nfohgqlg.exe
3616	Njjdho32.exe
4880	Nmipdk32.exe
2092	Npgmpf32.exe
3596	Njmqnobn.exe
5116	Nmkmjjaa.exe
216	Nfcabp32.exe
1544	Oaifpi32.exe
4004	Offnhpfo.exe
508	Ompfej32.exe
5020	Opnbae32.exe
4924	Ofhknodl.exe
116	Onocomdo.exe
2484	Opqofe32.exe
2952	Oghghb32.exe
112	Ojfcdnjc.exe
4396	Opclldhj.exe
3636	Ogjdmbil.exe
2816	Opeiadfg.exe
1796	Ohlqcagj.exe
4804	Pjkmomfn.exe
4536	Paeelgnj.exe
1504	Phonha32.exe
4872	Pmlfqh32.exe
3664	Ppjbmc32.exe
4704	Pnkbkk32.exe
3968	Paiogf32.exe
4460	Phcgcqab.exe
3944	Pjbcplpe.exe
1344	Pmpolgoi.exe
3676	Pdjgha32.exe
4644	Pjdpelnc.exe
4508	Panhbfep.exe
4444	Pdmdnadc.exe
2364	Qjfmkk32.exe
5012	Qaqegecm.exe
4088	Qdoacabq.exe
1356	Qfmmplad.exe
2320	Qodeajbg.exe
4440	Qdaniq32.exe
4960	Afpjel32.exe
4036	Amjbbfgo.exe
4092	Aphnnafb.exe
2452	Ahofoogd.exe
2488	Amlogfel.exe
1092	Adfgdpmi.exe
1688	Amnlme32.exe
3988	Akblfj32.exe
2024	Aaldccip.exe
3692	Ahfmpnql.exe
1296	Aopemh32.exe
3252	Aaoaic32.exe
2536	Bhhiemoj.exe
1056	Bkgeainn.exe
1856	Baannc32.exe
768	Bhkfkmmg.exe
1228	Boenhgdd.exe
2216	Bmhocd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Bkgeainn.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Nnafno32.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Nmfcok32.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Nqpcjj32.exe
File opened for modification	C:\Windows\SysWOW64\Ompfej32.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Nmkmjjaa.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Qbdadm32.dll	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Nfohgqlg.exe	Nmfcok32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Kmkdjo32.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Opnbae32.exe
File created	C:\Windows\SysWOW64\Opqofe32.exe	Onocomdo.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Lbpflbpa.dll	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qjfmkk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6008	5888	WerFault.exe	183

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnhpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npgmpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4fb0b5f8d72a29a57089b31e37890de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4fb0b5f8d72a29a57089b31e37890de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	4fb0b5f8d72a29a57089b31e37890de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2148	1708	4fb0b5f8d72a29a57089b31e37890de0N.exe	92
PID 1708 wrote to memory of 2148	1708	4fb0b5f8d72a29a57089b31e37890de0N.exe	92
PID 1708 wrote to memory of 2148	1708	4fb0b5f8d72a29a57089b31e37890de0N.exe	92
PID 2148 wrote to memory of 640	2148	Nggnadib.exe	93
PID 2148 wrote to memory of 640	2148	Nggnadib.exe	93
PID 2148 wrote to memory of 640	2148	Nggnadib.exe	93
PID 640 wrote to memory of 1124	640	Nnafno32.exe	94
PID 640 wrote to memory of 1124	640	Nnafno32.exe	94
PID 640 wrote to memory of 1124	640	Nnafno32.exe	94
PID 1124 wrote to memory of 3448	1124	Nqpcjj32.exe	95
PID 1124 wrote to memory of 3448	1124	Nqpcjj32.exe	95
PID 1124 wrote to memory of 3448	1124	Nqpcjj32.exe	95
PID 3448 wrote to memory of 1464	3448	Ngjkfd32.exe	96
PID 3448 wrote to memory of 1464	3448	Ngjkfd32.exe	96
PID 3448 wrote to memory of 1464	3448	Ngjkfd32.exe	96
PID 1464 wrote to memory of 4676	1464	Njhgbp32.exe	97
PID 1464 wrote to memory of 4676	1464	Njhgbp32.exe	97
PID 1464 wrote to memory of 4676	1464	Njhgbp32.exe	97
PID 4676 wrote to memory of 3544	4676	Nmfcok32.exe	99
PID 4676 wrote to memory of 3544	4676	Nmfcok32.exe	99
PID 4676 wrote to memory of 3544	4676	Nmfcok32.exe	99
PID 3544 wrote to memory of 3616	3544	Nfohgqlg.exe	100
PID 3544 wrote to memory of 3616	3544	Nfohgqlg.exe	100
PID 3544 wrote to memory of 3616	3544	Nfohgqlg.exe	100
PID 3616 wrote to memory of 4880	3616	Njjdho32.exe	101
PID 3616 wrote to memory of 4880	3616	Njjdho32.exe	101
PID 3616 wrote to memory of 4880	3616	Njjdho32.exe	101
PID 4880 wrote to memory of 2092	4880	Nmipdk32.exe	102
PID 4880 wrote to memory of 2092	4880	Nmipdk32.exe	102
PID 4880 wrote to memory of 2092	4880	Nmipdk32.exe	102
PID 2092 wrote to memory of 3596	2092	Npgmpf32.exe	104
PID 2092 wrote to memory of 3596	2092	Npgmpf32.exe	104
PID 2092 wrote to memory of 3596	2092	Npgmpf32.exe	104
PID 3596 wrote to memory of 5116	3596	Njmqnobn.exe	105
PID 3596 wrote to memory of 5116	3596	Njmqnobn.exe	105
PID 3596 wrote to memory of 5116	3596	Njmqnobn.exe	105
PID 5116 wrote to memory of 216	5116	Nmkmjjaa.exe	106
PID 5116 wrote to memory of 216	5116	Nmkmjjaa.exe	106
PID 5116 wrote to memory of 216	5116	Nmkmjjaa.exe	106
PID 216 wrote to memory of 1544	216	Nfcabp32.exe	107
PID 216 wrote to memory of 1544	216	Nfcabp32.exe	107
PID 216 wrote to memory of 1544	216	Nfcabp32.exe	107
PID 1544 wrote to memory of 4004	1544	Oaifpi32.exe	108
PID 1544 wrote to memory of 4004	1544	Oaifpi32.exe	108
PID 1544 wrote to memory of 4004	1544	Oaifpi32.exe	108
PID 4004 wrote to memory of 508	4004	Offnhpfo.exe	110
PID 4004 wrote to memory of 508	4004	Offnhpfo.exe	110
PID 4004 wrote to memory of 508	4004	Offnhpfo.exe	110
PID 508 wrote to memory of 5020	508	Ompfej32.exe	111
PID 508 wrote to memory of 5020	508	Ompfej32.exe	111
PID 508 wrote to memory of 5020	508	Ompfej32.exe	111
PID 5020 wrote to memory of 4924	5020	Opnbae32.exe	112
PID 5020 wrote to memory of 4924	5020	Opnbae32.exe	112
PID 5020 wrote to memory of 4924	5020	Opnbae32.exe	112
PID 4924 wrote to memory of 116	4924	Ofhknodl.exe	113
PID 4924 wrote to memory of 116	4924	Ofhknodl.exe	113
PID 4924 wrote to memory of 116	4924	Ofhknodl.exe	113
PID 116 wrote to memory of 2484	116	Onocomdo.exe	114
PID 116 wrote to memory of 2484	116	Onocomdo.exe	114
PID 116 wrote to memory of 2484	116	Onocomdo.exe	114
PID 2484 wrote to memory of 2952	2484	Opqofe32.exe	115
PID 2484 wrote to memory of 2952	2484	Opqofe32.exe	115
PID 2484 wrote to memory of 2952	2484	Opqofe32.exe	115
PID 2952 wrote to memory of 112	2952	Oghghb32.exe	116

C:\Users\Admin\AppData\Local\Temp\4fb0b5f8d72a29a57089b31e37890de0N.exe
"C:\Users\Admin\AppData\Local\Temp\4fb0b5f8d72a29a57089b31e37890de0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Nggnadib.exe
  C:\Windows\system32\Nggnadib.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Nnafno32.exe
    C:\Windows\system32\Nnafno32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Nqpcjj32.exe
      C:\Windows\system32\Nqpcjj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        88⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 400
        89⤵
        Program crash
        
        PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5888 -ip 5888
1⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amnlme32.exe

Filesize
92KB

MD5
a3621726f4e8b92e8436bc1c6eff394c

SHA1
651bf8dc1e620c090c636d2510b294a5af8af83f

SHA256
aa4832158636d85bc1ff63c9f0b2c10dcdd0f068e595f459a0985173c3db7df1

SHA512
34bcfce69542a8407363da9e1a64f2a16df9d13cdcb511a4981ba85cc1670c22ee9f61f5a1fd792ec43040ba500f249f217983bc98f7a0396233a267cd051d4e

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
92KB

MD5
cec7928b41a85e4847e0daef17d77230

SHA1
71d53ed9e1f66a0d1f38e5f394f784ca2f8bdd18

SHA256
9b19f2a50962a65cdcfc3deafcab8a802e6250a1dc42e4e11330d81c8d327760

SHA512
c8abb9f893a57b2bec567e7d814f99976134228d50a375af0663950236b17a4eaee5e560925534cf0b3c7504c021e5828ba6913f8edaf7635cb0335e63103157

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
92KB

MD5
d3ec418b5123a018a44cc45dfb9f368a

SHA1
5b87e8613ef8f0d32deb9ce09592327fb7eb13d0

SHA256
64dab8e40e2035bff50f76ad1c0455675df93d3f58e579db9ad2b0321ed09d85

SHA512
72b747bab738824456ee768b1c57a390e457e48d0046c3a905a475814825859dbc1328cc9abafc56a6e9e2a5617adbae4f9406bd64f2bbaadd0c4361e0f20dec

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
92KB

MD5
5c4ec635dbf0abfead886ff0e2bc81cb

SHA1
7bef3029856ca0ebec1745c8a87ebc1fa546d1c1

SHA256
e85faa2addfbf78abfb4b82de59ba926a110851656e99083ae931f5aeac20f77

SHA512
ab24066af9ff760a6dcf88b538d8d7cd8f208b424079a010f6961be5134f0db09f1aa5ed0db2e265ea3b7b0e78dbbbe7c08d3c57e15bda86bffad342c7968a89

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
92KB

MD5
f08800551f5ae898a42a4d5bb70af8ef

SHA1
9f3aa351ef426daadd58c2545b8c8c6cb7372a3c

SHA256
7c225988c37cc9bb682b41576057bcd16d1e4ac776b36106f2afaed2b88b6176

SHA512
32bebedcdb1879a88f561ee0fff52b1e57f5e1bd38dfa960b8480ce0c588debcd5f178b73b29e6089389a68723dd392837b660e9a06a80b6b8957e43171b5680

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
92KB

MD5
7a87cf3aee8e0c6d8a50edc9feb3a229

SHA1
e6dcc463bffba379b337f3f9a06ba7df1df3dbb3

SHA256
6e3d5491ab7af03a86de65e6d156a9a7eef2ee1e1d87060802b9035816c28735

SHA512
3727a9cf70215ea3f74684a8df7b948e895c81f997bd6093cb94e244fa2a10f2f5a14583ef86cdb853030aec70021137fb2346c6620c06f9cb17ea54ca219ada

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
92KB

MD5
0e5c6e067537b1ff831b9f6fbfed7045

SHA1
70f80d938724e1c33582e61f6b90f4619c2a8617

SHA256
bbc4b29c9fa2a2a698f54f63b8e495d765654d43fe67a9648a7f026022a88087

SHA512
9f86b5121aefe1d67884d83a3fd2dc2e5f1d4425982850b56bcf4355358342ba9aac97cc9b2dbd1dabad073f242fd4b2e27c7f760ce65fb285e1e8eef809056f

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
92KB

MD5
1785016ddf5d88e8c51b3937be8fa29e

SHA1
a0380a199c9c1cf94f4653803e30cf5fac75b465

SHA256
dc4197d66773c6d64b3a730360bc3fbd2fb0d1dbd89881800b83c723a814c6ed

SHA512
100827782e1ac22b21f79b5d8fb3a2735d9b6535c250d5effc93e3e01180e095d5f0dd6adaffe299814b13d942fd6ad2241bb900b7349a36aec5594b9939a3bf

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
92KB

MD5
f391bbe670c537c351ac03d1d399fe97

SHA1
e7151b44d2f02277c714f7a396733f5957d833e1

SHA256
2e94153da30deb2245c90a0a41ebe46b64517cddc3281cc87c3b438d1ac9d5c3

SHA512
49c4c31adfeeebdfbe0c121ec5cc0cbd503c6070adcd471f24a1e5311fbdaa402ced7ec936ed2afa41e439b678058691086cc3e6918126c7980ba746222a7356

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
92KB

MD5
d35c9be21f332f47a314726efb432957

SHA1
4cbc42b76b545bcc2723d6065a79a54a5d268990

SHA256
235cf6ac4203125d863448727a8fbad965262d8cb367cfd70abbfeee33307e59

SHA512
52af32bd6553a63415e75ca84d100dbc7f3a4ef8b872f54756c3d034f3288fabf587d41e0f88de451be8e2153f981d1ab8f7c79055110d932fdc438507e71d10

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
92KB

MD5
05d85302cce0da85e5d88f41440929bc

SHA1
46febdb5658ac7379c6efc2ff0686598208105cb

SHA256
cb5bb406aaddd253c2087515f254e9b6f87da5a402404084e16e19540906719d

SHA512
bc75c8b6172f14e9ced8678055aea5b2967d10f37e92e43cedbaeedca70058fd9deb210f603ae049e7cba8e74df5f5a23f45be58cddad0631708f4cecb9fe8dc

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
92KB

MD5
2adee6be7881c9c383f1aadbbdb40d5c

SHA1
634b25a2fc8cca3e3d47a44f23012a0046cdd1f4

SHA256
c381da630754016df3adcfef8cd78519a7912dda79e43fbc8326c7a4b967f388

SHA512
04e616d4d1ac5fcdafeea6e0b3e5470e2a548be7b004d365c15732b6357921777c62475e6a668ef6255becc194146b8559df5628d25b8404105d12bddd7a31dc

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
92KB

MD5
5c5295c095e08244a43eee9c4ea08eb2

SHA1
dfec0f5ea47ec56a0bfcfb2e84a541ed444fd07e

SHA256
1bba57cdc1a2174c9a641a293a96c55748c125f52e3cf692eb70f925409add15

SHA512
0557b350e9b6ce592e144cbb5bcb83ec797a5f7d8fe78f20f2163dc968617986a5cc16357325a7190913b133a1622deaa08d55cd9b6306c7d82f98b70e8d614b

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
92KB

MD5
6d563af64299f8c03d6e114b2d8943ac

SHA1
db477a0717c23c4abed74cf1bf5209487c0f41eb

SHA256
16e81cd4b7ca9562744f6670ad8361871e2ded09775d4c9b8d50cb4ddffa2958

SHA512
658f969848fbe405bbefd7422e5727d7910e7c881d5e4a60379f1750169e84f254096a02f6e9aa520715ca9e0b462c9d930484f313f943bfc79ca2934081c4b6

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
92KB

MD5
f9c0b972eda8d77dc3003e6e46a3b608

SHA1
61584e847d68c4ae8643c36975a5326714dcaf55

SHA256
cff1040865843536e09bf6cfe241052e629e8e12c9838db570a3bc44051b392d

SHA512
826181d12dea9360ebe3b0230fbad2cc03a912c25d17091ce7d85d3bb188c0b06ca173ac91b8b1e895ce04eda29333902fb225d20d50eeb29501b01b8a5a04ea

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
92KB

MD5
352cef9fca4ceaf357c27d76b565105f

SHA1
c420cc2c269ee0cb63045a0f0724f8ece6199555

SHA256
4654a9a1b8fe1227cc982bc3278c9a17cb4b71c84cd0c1b1391528a9ef9e41cd

SHA512
696f785a1e9cecab2047c4f30b6158ace4a36388dad3ab9bfa75ebcb2051383d82fe96531a523815d1fa9cef0caa43e2ddba54fb554143da1d8a89012f156aa0

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
92KB

MD5
8eff92bca0cffad723b1d71ac7372092

SHA1
cb38de8d110bc57ff4e8b23b8999e9c6435232b9

SHA256
c57886abf551738de6651e5906ee3e7b3fd41fe4ea62a92c0f4dfeec8cc76b10

SHA512
855f0d416490fafb3c6343f114ea9bc28db4d7fe493ce653505d3bf27cc028ca6734ee0bd6b34e97c560b1cd60a4a24604ded9400fd60ef29af846ac0119a701

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
92KB

MD5
c5ccc07765ce60d158cd77908475c215

SHA1
f5ce99b08d1dd42477e2287ae190bb9833400612

SHA256
7f1a053be648d07890ae22d8b2de0604ff0564da16d55a3703144d09024d949b

SHA512
d91e5d0dfd97c16732386a52b8b179b61ac41425a6e078318b4a16e412b8501515d0d8dce78cc68b02db68bcec1e513de39fc644b2201f341c8806bd9d6a2596

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
92KB

MD5
bd7793e4c360cceb404f6dda2a28dd4a

SHA1
37233dac1937aaff98fded1ffdfaf1d1a7663032

SHA256
5dc04911b95cd5bd437c5d43969e83ab5f82ea3f634da107302e50ffa2da3ffe

SHA512
9be2cf81aa7d6d486302cb17d054827c010be8170000036988597735daf022391f128ddcbe6e6d53aa8642ba33ab449524081063af63879c8f1292872a5a6f0a

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
92KB

MD5
609c1a9dc3532eb00735a88bb46228e4

SHA1
34e3b8478ead6154bcddcf7dc8279452a3d70ea5

SHA256
e29d38ab8da5bb0fde75b4056a1ebdd01f020bdf95d2d249ee4b5e1eb8b13b4f

SHA512
ee71a2fe6e7724943cdc3baced214330ec92e074fb52ccf47eb2b3d113e4b668c026171a6f1bd4cac59891ff038c38086cc48b912bf632e62a30f940b6fa52bc

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
92KB

MD5
3c63174c1208e574153ce888186758ae

SHA1
df732e6f936798038eab22a1607c0185e5c88c46

SHA256
553d778eef0fb0535208c8736354049bb7eba5113b19ef7e13eb7c198ba27c94

SHA512
52fef433bc558851c4539ab319ca4ee57b0de77c4170293cd4e16ec37d276c36be732388cdd367e48b8c33d4e5db5dad1beae6425ec1ab94fcfd8beedfb8fd7f

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
92KB

MD5
010283c8376062291dc656a1faab10ab

SHA1
6ec4bc7c0580881a48e76feecf1a9a670955c78a

SHA256
6c50e0c9648f95c56eb9d77cb0f5d171b75348fe385232ec9156587615c2ef73

SHA512
b7e80ee62ed281a9227c305cf0c3e661afeef29994936694b0630110f104e6a1299bdcb68b33294690b800b7954ba62662a5a4b2e98c4d1f3d54000c2e3f17aa

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
92KB

MD5
f3f84a7b3a9cc16cd3c9cdbd3c0cefbb

SHA1
25531c3c4b63a5caf305e5fdb4c098ed808a86a4

SHA256
41803b167e7d6ccef2fa0a2fff7687c49a95444d3262f5b792431922cde3a943

SHA512
4db8f41ee21947c7102a3248202f6b0dc6e741924d4cca559c50bb505f3f683108b127ca415b053ddd88ea2109c86a98b4446254d1b6200c9ee384511495fe58

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
92KB

MD5
f2baa4738bffa656afd44a4421e7087b

SHA1
f06c9ce0f623551d4a4950ff9a447cc9fc0aad7d

SHA256
9b860a6cb4ad54b4848f9f611a1b6bf7582790dd3145de71e4146362e3e8faf0

SHA512
119ceca85301a1b0b4d4b53fad7bbef02eb4cadc65a425a80fb447d52d7602e57a063145f3baf5a731f3047f9d67ec0b3bd937adaf54c2cf0ad418e379efaf04

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
92KB

MD5
c73dce3ef69d7d9c3177e279b1fca2c9

SHA1
ba05187b9848a1041cdb48cbfb8048e1d363c5a0

SHA256
5a519d570b880a9537d9a022990f62d52fc636c543e2d870941b19ce6e60a0a6

SHA512
a20903939e4c734853e16902eed6bfece2baac1eeb8b8e9885310c2afe72e6857f99f9e259b5d346d3add82314d4feee923c45cb3fe522924a08673bbd563360

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
92KB

MD5
64128ea83315b4b5f681413fa4ab88c4

SHA1
a2fd21fb34ff15499789b1138245f62ed2ad3c78

SHA256
78b28bcd7539b3b764d8d77e0d0fb8c56fb15cfae3ba2bb94f34b37e714da78e

SHA512
2e58463ba004bdcf1bb7642764b9c53e26436f41f3ffcaca0b8043b6a0006c3ff2c13c078728ef74d0a61a5832ea8abdfc7a7d817dc489b573cfc8919d171a78

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
92KB

MD5
ae2897b538f78a0de038e9c636bb9c12

SHA1
6a268989c4fea9c89272a6e4540e1d0d08fd0295

SHA256
9ad3d35be647abe4d935c8eec54b20264f53513c83e431dfd81cb2a7a1ebf3ec

SHA512
a9a07a315dbe0de12af2c6bd9b727fb543ddf349423754ff9e4e110041f0b8d68861913ccafd318ad29151154c5375e85ae40dca94fe0f03a97a1da780ced342

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
92KB

MD5
7bfb6940e432caedf3e3c03926b9cfdd

SHA1
fd447c565b2c758f28ee4aa812b164d57b70d424

SHA256
f4dca60435f17a56616e24a7b979a5fe9dcd66ece0863dacc76f239e3698e864

SHA512
0c01d84450a884d729419f34d6ee624fb9d348a3a2b1d536073efe3547e961508bbd4ad88067692e3af16825489fe0c5a3c3ba4e0fec120987f8454ca6344762

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
92KB

MD5
04569d2cf7e1167f65db5ee92a115d53

SHA1
35058e93c0f09ebf15041bbd9c2e30f5de15a222

SHA256
c06a5bb0b842775c8884db578d71653268398b9fe4d4fa5741a1d0afbb37c2ed

SHA512
04936263a8a9c9fa6185538865fbfb444c49bae5a45e51a9dd2db7555e2890feba7a056965af1f4ae71ca2a0102c8d445cbe8a92ad5a305729ec664b27cef7c0

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
92KB

MD5
755810a358d992427c93356ab34d1b9f

SHA1
7c3483fbd123acc3f6cee541e76d681aaf1bc7a1

SHA256
8b7616ca9c8f2ce99cb4075a320682ad66d1098763920b979721cca86e3341fc

SHA512
be07315d893c08fe33362058648e5887a0651f089c4e6bedb1b759727070eba63134536570754e3411d9b7bb02475dffb1f3129897a5967f6a1f38ebe0955823

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
92KB

MD5
3083422047d1b208be18ac3e399f3d72

SHA1
e09ebe310f6a2db85efc353a6c2119999b37d9ea

SHA256
fa4d4f2a6f59e81f1d6899e0bb31c13ec21bb083780ba17a7461d7975ebf35dd

SHA512
6a0ad3902f31544f0b3bf85e3f812e156afb3197d9a7ee5af8261adf7480ff7875c55851642491201e20e2c29daf86ea6b79ad94f3f95c17b3d7a31e32e11d13

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
92KB

MD5
164ac5ef35eaf22a888dee1cebfbff4b

SHA1
65819f22e2b547da64bfbbae2971fd5ea9b06c5c

SHA256
0b9d44a7b5f0d7b6cd4184de7dd75d09d42aa8ef1c291c27adbb96b73fad826d

SHA512
c13d8f3252ef90743372a15911dbfed2afd1d9103cccbfd73d34159f2849e4b8752acb029bc378739955b0e27491822c3046996f566fb83e9dbd065a6a5a398f

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
92KB

MD5
80287404c233e4bf79914ccffb77e0ee

SHA1
29444e4b2abc962dd4cbf1a3b9eed133094856fb

SHA256
ab8c7a78edef10a1c0a566bc8a494d8bbaf110c827a44f3c12b1b3c0fcbd6720

SHA512
c92d3bfae2fbfb551a0b48379a4f6436c7bcf81b2ebd35b4ec27d60f528ad7449aec1e0baf26c6763a6152de5b9c498604fa9de418d7846d610746f2990d1bbd

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
92KB

MD5
d08d547f68dd3e6266f7d90a2c365f33

SHA1
03c1572f6f84b0b97cd2f5888ba44acaf11780ba

SHA256
711a0f0946cac3892753691787df18fc05df1f7d272536d2fbd74d7d25dfdb37

SHA512
e7bf2aa5983361a268940d1a0d1324b13c75974cbbe2974134ca033ddbf8a61ed61f73f05558147c515e8fd7cd3c9b8417a3b3475cb64f98e7e0b8fe77089c85

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
92KB

MD5
ab9204bfa84c66a03fb1829ecb644609

SHA1
e9320c5438dba5a7fd92c055c289c332b4a429b9

SHA256
721b975b485c03da0720f51b05a2728ff0096df91870158e0395d9bf1ac699a7

SHA512
2319fe0460e3458d3354add36aa845ecdc4f4c0ce22a5546a3fa646d2a0584e9601702fdab238c067df7acf86d9a9744b0918e72d83075161b40a22554bcd9ce

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
92KB

MD5
39fd67132dea31e93ea199d1ee39603f

SHA1
877944dca2289578f8c391838d3eb4146336ea50

SHA256
11c80f1671fda93994ad87078ecf989ce38ba33af67e8388d8f04a1c74be8397

SHA512
e3b95f2d69f5a2079fd2de6c5bd61fd3a89e0094a54a5d55ae4809c0a29a7f5e87cacf37779f7008e795efa1650982ae3be28ebe7c317c14f496786a15bf7047

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
92KB

MD5
350adf8a2c889ac85322033aa84c9688

SHA1
fb220808b86724568165b51c569368116dbc6635

SHA256
dd4f13739070f5f05aa421f3c7d1e6999e0205d67ee8c6dc57fb84b9677e9164

SHA512
fc93890c0a4a662535af80f7e21b82c7c1add9464bbb4970772fede82efb4ed7feda0005a121fe81d4ebbe44f807f739cdf7eca16a94187e1f73e532b8203750

Download Submit
memory/112-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/216-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/508-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1544-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1708-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3544-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3544-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5164-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5248-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5352-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5408-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5456-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5500-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5540-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5584-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5620-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5668-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5712-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5756-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5800-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5844-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads