3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1

Analysis

max time kernel
37s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Size

90KB
MD5

ce8c97ef820203e82cc9a1562d57968f
SHA1

a6446b5bed53f88f69ca98127db85d38b4194218
SHA256

3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1
SHA512

21cfc43d764a955dd4f6a1ba3170f0306fd50d2637b5afc980c100b6df5967d6a82f2ec82b06e1f45efc2c0639006e8438a6bdee835b856e2e9e52d06a6ed912
SSDEEP

1536:b2i6HeCmE4qRcfGfNOhavnbuHlIojDmkHJfIS2EWJXifOOQ/4BrGTI5Yxj:6eCmWcSnbcIKJn23JOU/4kT0Yxj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiodliep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgpmgod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbmcjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fldbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iekbmfdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lppkgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmlmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifkmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgllj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mliibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lppkgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehiiop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgnfpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmlmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdpfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jadlgjjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njobpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqcel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjcekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnfeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljfckodo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mliibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhndcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqgngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjolpkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hikobfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgpmgod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqpjndio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jafilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnobfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnfpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fondonbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fldbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbibli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjolpkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhgnbehe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikobfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icbldbgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglpjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glpdbfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddagi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iekbmfdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imidgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiodliep.exe

Executes dropped EXE 52 IoCs

pid	Process
3020	Ehiiop32.exe
2824	Fgnfpm32.exe
2900	Fgqcel32.exe
2856	Flmlmc32.exe
2744	Fondonbc.exe
2100	Fldbnb32.exe
1056	Gdpfbd32.exe
2404	Gjolpkhj.exe
2620	Glpdbfek.exe
2308	Gjcekj32.exe
3064	Hqpjndio.exe
2336	Hikobfgj.exe
2328	Hfalaj32.exe
2424	Ikbndqnc.exe
1644	Iekbmfdc.exe
2168	Imidgh32.exe
1536	Icbldbgi.exe
1100	Iiodliep.exe
1784	Jhgnbehe.exe
320	Jifkmh32.exe
2128	Jocceo32.exe
1708	Jadlgjjq.exe
1636	Jhndcd32.exe
2268	Jafilj32.exe
2860	Kbjbibli.exe
1592	Kifgllbc.exe
2896	Kbokda32.exe
2796	Klgpmgod.exe
2644	Kikpgk32.exe
2704	Lddagi32.exe
2496	Lkoidcaj.exe
1668	Lnobfn32.exe
2992	Ljfckodo.exe
3000	Lppkgi32.exe
2980	Llgllj32.exe
1036	Mglpjc32.exe
2200	Mliibj32.exe
2292	Mjmiknng.exe
2192	Moloidjl.exe
752	Mbmgkp32.exe
2360	Mkelcenm.exe
1948	Ndnplk32.exe
1348	Nnfeep32.exe
940	Nccmng32.exe
1676	Nqgngk32.exe
1952	Njobpa32.exe
1148	Nplkhh32.exe
2396	Nmpkal32.exe
2304	Nbmcjc32.exe
2136	Opqdcgib.exe
2876	Oiiilm32.exe
2108	Ohnemidj.exe

Loads dropped DLL 64 IoCs

pid	Process
2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
3020	Ehiiop32.exe
3020	Ehiiop32.exe
2824	Fgnfpm32.exe
2824	Fgnfpm32.exe
2900	Fgqcel32.exe
2900	Fgqcel32.exe
2856	Flmlmc32.exe
2856	Flmlmc32.exe
2744	Fondonbc.exe
2744	Fondonbc.exe
2100	Fldbnb32.exe
2100	Fldbnb32.exe
1056	Gdpfbd32.exe
1056	Gdpfbd32.exe
2404	Gjolpkhj.exe
2404	Gjolpkhj.exe
2620	Glpdbfek.exe
2620	Glpdbfek.exe
2308	Gjcekj32.exe
2308	Gjcekj32.exe
3064	Hqpjndio.exe
3064	Hqpjndio.exe
2336	Hikobfgj.exe
2336	Hikobfgj.exe
2328	Hfalaj32.exe
2328	Hfalaj32.exe
2424	Ikbndqnc.exe
2424	Ikbndqnc.exe
1644	Iekbmfdc.exe
1644	Iekbmfdc.exe
2168	Imidgh32.exe
2168	Imidgh32.exe
1536	Icbldbgi.exe
1536	Icbldbgi.exe
1100	Iiodliep.exe
1100	Iiodliep.exe
1784	Jhgnbehe.exe
1784	Jhgnbehe.exe
320	Jifkmh32.exe
320	Jifkmh32.exe
2128	Jocceo32.exe
2128	Jocceo32.exe
1708	Jadlgjjq.exe
1708	Jadlgjjq.exe
1636	Jhndcd32.exe
1636	Jhndcd32.exe
2268	Jafilj32.exe
2268	Jafilj32.exe
2860	Kbjbibli.exe
2860	Kbjbibli.exe
1592	Kifgllbc.exe
1592	Kifgllbc.exe
2896	Kbokda32.exe
2896	Kbokda32.exe
2796	Klgpmgod.exe
2796	Klgpmgod.exe
2644	Kikpgk32.exe
2644	Kikpgk32.exe
2704	Lddagi32.exe
2704	Lddagi32.exe
2496	Lkoidcaj.exe
2496	Lkoidcaj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpggcbki.dll	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
File created	C:\Windows\SysWOW64\Kifgllbc.exe	Kbjbibli.exe
File opened for modification	C:\Windows\SysWOW64\Klgpmgod.exe	Kbokda32.exe
File created	C:\Windows\SysWOW64\Bbfojg32.dll	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpkal32.exe	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Lkoidcaj.exe	Lddagi32.exe
File created	C:\Windows\SysWOW64\Opqdcgib.exe	Nbmcjc32.exe
File created	C:\Windows\SysWOW64\Gjcekj32.exe	Glpdbfek.exe
File created	C:\Windows\SysWOW64\Jljkakol.dll	Iiodliep.exe
File created	C:\Windows\SysWOW64\Jhndcd32.exe	Jadlgjjq.exe
File created	C:\Windows\SysWOW64\Klgpmgod.exe	Kbokda32.exe
File created	C:\Windows\SysWOW64\Lddagi32.exe	Kikpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqcel32.exe	Fgnfpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jhgnbehe.exe	Iiodliep.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Ikbndqnc.exe	Hfalaj32.exe
File created	C:\Windows\SysWOW64\Cbekip32.dll	Lppkgi32.exe
File created	C:\Windows\SysWOW64\Dbkgliff.dll	Mglpjc32.exe
File created	C:\Windows\SysWOW64\Qegpeh32.dll	Njobpa32.exe
File created	C:\Windows\SysWOW64\Pfhofj32.dll	Jifkmh32.exe
File created	C:\Windows\SysWOW64\Lnobfn32.exe	Lkoidcaj.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Mkelcenm.exe
File opened for modification	C:\Windows\SysWOW64\Flmlmc32.exe	Fgqcel32.exe
File opened for modification	C:\Windows\SysWOW64\Hfalaj32.exe	Hikobfgj.exe
File opened for modification	C:\Windows\SysWOW64\Ikbndqnc.exe	Hfalaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mglpjc32.exe	Llgllj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Mkelcenm.exe
File created	C:\Windows\SysWOW64\Ogljib32.dll	Fgqcel32.exe
File created	C:\Windows\SysWOW64\Ldcnnnje.dll	Fondonbc.exe
File created	C:\Windows\SysWOW64\Immbmp32.dll	Glpdbfek.exe
File created	C:\Windows\SysWOW64\Llgllj32.exe	Lppkgi32.exe
File created	C:\Windows\SysWOW64\Mliibj32.exe	Mglpjc32.exe
File opened for modification	C:\Windows\SysWOW64\Gjcekj32.exe	Glpdbfek.exe
File created	C:\Windows\SysWOW64\Imidgh32.exe	Iekbmfdc.exe
File opened for modification	C:\Windows\SysWOW64\Jafilj32.exe	Jhndcd32.exe
File created	C:\Windows\SysWOW64\Cdkklgcn.dll	Kbjbibli.exe
File opened for modification	C:\Windows\SysWOW64\Kbokda32.exe	Kifgllbc.exe
File created	C:\Windows\SysWOW64\Hqpjndio.exe	Gjcekj32.exe
File created	C:\Windows\SysWOW64\Ckifmh32.dll	Iekbmfdc.exe
File created	C:\Windows\SysWOW64\Fdlhbc32.dll	Jhndcd32.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	Mjmiknng.exe
File created	C:\Windows\SysWOW64\Jkokef32.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Glpdbfek.exe	Gjolpkhj.exe
File opened for modification	C:\Windows\SysWOW64\Jadlgjjq.exe	Jocceo32.exe
File opened for modification	C:\Windows\SysWOW64\Kikpgk32.exe	Klgpmgod.exe
File created	C:\Windows\SysWOW64\Oajojd32.dll	Lkoidcaj.exe
File opened for modification	C:\Windows\SysWOW64\Nbmcjc32.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Iekbmfdc.exe	Ikbndqnc.exe
File created	C:\Windows\SysWOW64\Lmaadi32.dll	Imidgh32.exe
File created	C:\Windows\SysWOW64\Oifbhdjc.dll	Llgllj32.exe
File created	C:\Windows\SysWOW64\Nqgngk32.exe	Nccmng32.exe
File created	C:\Windows\SysWOW64\Jceahq32.dll	Nqgngk32.exe
File created	C:\Windows\SysWOW64\Fefhnhpc.dll	Fgnfpm32.exe
File opened for modification	C:\Windows\SysWOW64\Glpdbfek.exe	Gjolpkhj.exe
File created	C:\Windows\SysWOW64\Iiodliep.exe	Icbldbgi.exe
File created	C:\Windows\SysWOW64\Cmolej32.dll	Jadlgjjq.exe
File opened for modification	C:\Windows\SysWOW64\Nccmng32.exe	Nnfeep32.exe
File opened for modification	C:\Windows\SysWOW64\Kifgllbc.exe	Kbjbibli.exe
File created	C:\Windows\SysWOW64\Nknplm32.dll	Lnobfn32.exe
File created	C:\Windows\SysWOW64\Kahmln32.dll	Moloidjl.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Mkelcenm.exe
File created	C:\Windows\SysWOW64\Kbjbibli.exe	Jafilj32.exe
File created	C:\Windows\SysWOW64\Mglpjc32.exe	Llgllj32.exe
File created	C:\Windows\SysWOW64\Dpmmdfgc.dll	Mliibj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	2108	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flmlmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glpdbfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfeep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lppkgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkelcenm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdpfbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiodliep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgllj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqpjndio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfalaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icbldbgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljfckodo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fondonbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hikobfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nccmng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnfpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgpmgod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcekj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadlgjjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbibli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjmiknng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imidgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbokda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iekbmfdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikpgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqgngk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmcjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqdcgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafilj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifgllbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddagi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mliibj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhndcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmgkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqcel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikbndqnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgnbehe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnobfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehiiop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fldbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifkmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkoidcaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjolpkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jafilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgllj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkelcenm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqgngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgqcel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqpjndio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll"	Jafilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll"	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchahi32.dll"	Gjolpkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjfpmp.dll"	Jocceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkklgcn.dll"	Kbjbibli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifkmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgpmgod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnobfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iekbmfdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiodliep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhgnbehe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnobfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcnnnje.dll"	Fondonbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhemglp.dll"	Ikbndqnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikbndqnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcggjbl.dll"	Hqpjndio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jocceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifbhdjc.dll"	Llgllj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjolpkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glpdbfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnfeep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbokda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immbmp32.dll"	Glpdbfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icbldbgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmmdfgc.dll"	Mliibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glpdbfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbibli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lppkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgggld32.dll"	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefhnhpc.dll"	Fgnfpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fondonbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgpmgod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmlmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhofj32.dll"	Jifkmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljfckodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	Mjmiknng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgnfpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkicala.dll"	Hikobfgj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3020	2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe	29
PID 2592 wrote to memory of 3020	2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe	29
PID 2592 wrote to memory of 3020	2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe	29
PID 2592 wrote to memory of 3020	2592	3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe	29
PID 3020 wrote to memory of 2824	3020	Ehiiop32.exe	30
PID 3020 wrote to memory of 2824	3020	Ehiiop32.exe	30
PID 3020 wrote to memory of 2824	3020	Ehiiop32.exe	30
PID 3020 wrote to memory of 2824	3020	Ehiiop32.exe	30
PID 2824 wrote to memory of 2900	2824	Fgnfpm32.exe	31
PID 2824 wrote to memory of 2900	2824	Fgnfpm32.exe	31
PID 2824 wrote to memory of 2900	2824	Fgnfpm32.exe	31
PID 2824 wrote to memory of 2900	2824	Fgnfpm32.exe	31
PID 2900 wrote to memory of 2856	2900	Fgqcel32.exe	32
PID 2900 wrote to memory of 2856	2900	Fgqcel32.exe	32
PID 2900 wrote to memory of 2856	2900	Fgqcel32.exe	32
PID 2900 wrote to memory of 2856	2900	Fgqcel32.exe	32
PID 2856 wrote to memory of 2744	2856	Flmlmc32.exe	33
PID 2856 wrote to memory of 2744	2856	Flmlmc32.exe	33
PID 2856 wrote to memory of 2744	2856	Flmlmc32.exe	33
PID 2856 wrote to memory of 2744	2856	Flmlmc32.exe	33
PID 2744 wrote to memory of 2100	2744	Fondonbc.exe	34
PID 2744 wrote to memory of 2100	2744	Fondonbc.exe	34
PID 2744 wrote to memory of 2100	2744	Fondonbc.exe	34
PID 2744 wrote to memory of 2100	2744	Fondonbc.exe	34
PID 2100 wrote to memory of 1056	2100	Fldbnb32.exe	35
PID 2100 wrote to memory of 1056	2100	Fldbnb32.exe	35
PID 2100 wrote to memory of 1056	2100	Fldbnb32.exe	35
PID 2100 wrote to memory of 1056	2100	Fldbnb32.exe	35
PID 1056 wrote to memory of 2404	1056	Gdpfbd32.exe	36
PID 1056 wrote to memory of 2404	1056	Gdpfbd32.exe	36
PID 1056 wrote to memory of 2404	1056	Gdpfbd32.exe	36
PID 1056 wrote to memory of 2404	1056	Gdpfbd32.exe	36
PID 2404 wrote to memory of 2620	2404	Gjolpkhj.exe	37
PID 2404 wrote to memory of 2620	2404	Gjolpkhj.exe	37
PID 2404 wrote to memory of 2620	2404	Gjolpkhj.exe	37
PID 2404 wrote to memory of 2620	2404	Gjolpkhj.exe	37
PID 2620 wrote to memory of 2308	2620	Glpdbfek.exe	38
PID 2620 wrote to memory of 2308	2620	Glpdbfek.exe	38
PID 2620 wrote to memory of 2308	2620	Glpdbfek.exe	38
PID 2620 wrote to memory of 2308	2620	Glpdbfek.exe	38
PID 2308 wrote to memory of 3064	2308	Gjcekj32.exe	39
PID 2308 wrote to memory of 3064	2308	Gjcekj32.exe	39
PID 2308 wrote to memory of 3064	2308	Gjcekj32.exe	39
PID 2308 wrote to memory of 3064	2308	Gjcekj32.exe	39
PID 3064 wrote to memory of 2336	3064	Hqpjndio.exe	40
PID 3064 wrote to memory of 2336	3064	Hqpjndio.exe	40
PID 3064 wrote to memory of 2336	3064	Hqpjndio.exe	40
PID 3064 wrote to memory of 2336	3064	Hqpjndio.exe	40
PID 2336 wrote to memory of 2328	2336	Hikobfgj.exe	41
PID 2336 wrote to memory of 2328	2336	Hikobfgj.exe	41
PID 2336 wrote to memory of 2328	2336	Hikobfgj.exe	41
PID 2336 wrote to memory of 2328	2336	Hikobfgj.exe	41
PID 2328 wrote to memory of 2424	2328	Hfalaj32.exe	42
PID 2328 wrote to memory of 2424	2328	Hfalaj32.exe	42
PID 2328 wrote to memory of 2424	2328	Hfalaj32.exe	42
PID 2328 wrote to memory of 2424	2328	Hfalaj32.exe	42
PID 2424 wrote to memory of 1644	2424	Ikbndqnc.exe	43
PID 2424 wrote to memory of 1644	2424	Ikbndqnc.exe	43
PID 2424 wrote to memory of 1644	2424	Ikbndqnc.exe	43
PID 2424 wrote to memory of 1644	2424	Ikbndqnc.exe	43
PID 1644 wrote to memory of 2168	1644	Iekbmfdc.exe	44
PID 1644 wrote to memory of 2168	1644	Iekbmfdc.exe	44
PID 1644 wrote to memory of 2168	1644	Iekbmfdc.exe	44
PID 1644 wrote to memory of 2168	1644	Iekbmfdc.exe	44

C:\Users\Admin\AppData\Local\Temp\3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe
"C:\Users\Admin\AppData\Local\Temp\3cd68e046c32696e9640baab3bba64253c56f37bb2a9326ffbec35c7eec297d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\Ehiiop32.exe
  C:\Windows\system32\Ehiiop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Fgnfpm32.exe
    C:\Windows\system32\Fgnfpm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\Fgqcel32.exe
      C:\Windows\system32\Fgqcel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\Flmlmc32.exe
        
        C:\Windows\system32\Flmlmc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Fondonbc.exe
        
        C:\Windows\system32\Fondonbc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Fldbnb32.exe
        
        C:\Windows\system32\Fldbnb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Gdpfbd32.exe
        
        C:\Windows\system32\Gdpfbd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gjolpkhj.exe
        
        C:\Windows\system32\Gjolpkhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Glpdbfek.exe
        
        C:\Windows\system32\Glpdbfek.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Gjcekj32.exe
        
        C:\Windows\system32\Gjcekj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Hqpjndio.exe
        
        C:\Windows\system32\Hqpjndio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hikobfgj.exe
        
        C:\Windows\system32\Hikobfgj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Hfalaj32.exe
        
        C:\Windows\system32\Hfalaj32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ikbndqnc.exe
        
        C:\Windows\system32\Ikbndqnc.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Iekbmfdc.exe
        
        C:\Windows\system32\Iekbmfdc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Imidgh32.exe
        
        C:\Windows\system32\Imidgh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Icbldbgi.exe
        
        C:\Windows\system32\Icbldbgi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Iiodliep.exe
        
        C:\Windows\system32\Iiodliep.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Jhgnbehe.exe
        
        C:\Windows\system32\Jhgnbehe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Jifkmh32.exe
        
        C:\Windows\system32\Jifkmh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Jocceo32.exe
        
        C:\Windows\system32\Jocceo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Jadlgjjq.exe
        
        C:\Windows\system32\Jadlgjjq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Jhndcd32.exe
        
        C:\Windows\system32\Jhndcd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Jafilj32.exe
        
        C:\Windows\system32\Jafilj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Kbjbibli.exe
        
        C:\Windows\system32\Kbjbibli.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Kifgllbc.exe
        
        C:\Windows\system32\Kifgllbc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Kbokda32.exe
        
        C:\Windows\system32\Kbokda32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Klgpmgod.exe
        
        C:\Windows\system32\Klgpmgod.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Kikpgk32.exe
        
        C:\Windows\system32\Kikpgk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Lddagi32.exe
        
        C:\Windows\system32\Lddagi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Lkoidcaj.exe
        
        C:\Windows\system32\Lkoidcaj.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Lnobfn32.exe
        
        C:\Windows\system32\Lnobfn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ljfckodo.exe
        
        C:\Windows\system32\Ljfckodo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Lppkgi32.exe
        
        C:\Windows\system32\Lppkgi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Llgllj32.exe
        
        C:\Windows\system32\Llgllj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Mglpjc32.exe
        
        C:\Windows\system32\Mglpjc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Mliibj32.exe
        
        C:\Windows\system32\Mliibj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Mjmiknng.exe
        
        C:\Windows\system32\Mjmiknng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Moloidjl.exe
        
        C:\Windows\system32\Moloidjl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Mbmgkp32.exe
        
        C:\Windows\system32\Mbmgkp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Mkelcenm.exe
        
        C:\Windows\system32\Mkelcenm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Nnfeep32.exe
        
        C:\Windows\system32\Nnfeep32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Nccmng32.exe
        
        C:\Windows\system32\Nccmng32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Nqgngk32.exe
        
        C:\Windows\system32\Nqgngk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Nplkhh32.exe
        
        C:\Windows\system32\Nplkhh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Nbmcjc32.exe
        
        C:\Windows\system32\Nbmcjc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Opqdcgib.exe
        
        C:\Windows\system32\Opqdcgib.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Oiiilm32.exe
        
        C:\Windows\system32\Oiiilm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 140
        54⤵
        Program crash
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fgnfpm32.exe

Filesize
90KB

MD5
08b051a3e01a9cf9655f4a18720ec75a

SHA1
0dcabc64388fd75ce34fe0b4775ba3ddc207ecd4

SHA256
1ef10224e3d8ece51cd4e8a6dadd5ef7222d63ff93ebe1a88bbee9a1d04fcc58

SHA512
a3250c6de77a9c4db1dc4bbcd0d4cba9af9f3273c1e0ceb6a14af020433d2ab5ec9df24f955eab7aedd24da5afcd19e891e74e8fab3777f155e32e99dc61ce24

Download Submit
C:\Windows\SysWOW64\Fgqcel32.exe

Filesize
90KB

MD5
9912ee64a3e82871c8f191c9d596cbad

SHA1
0625431e453725964e1f9f8db412bf375726e86e

SHA256
5cf490c7b40cd7e2d7df1c43d977f03592e4ff73bdd56fcddb07d2d8c1760954

SHA512
eeaf63af5e972faecff568ba66825716fa537d4b37908907423ce2f7dfe1cadd27ff375f46e270e022b9b7694bf751978b51adafc0dd176792e1c2a7f4d4fc34

Download Submit
C:\Windows\SysWOW64\Gmabknal.dll

Filesize
7KB

MD5
1937edcf6959ef394dc6bb2df21d4479

SHA1
f4af19b821545b8d1effc70dc67a52aa9f9f3059

SHA256
ea0cb707001c8e032a329e521378d5fa18a89edd3046cbc5bbcc0fec81d7dba9

SHA512
cb641cae69f1d3dd12e0c5ab38179c64d04af2343f517341657b0b4d38fc89dbdeda4a4fcff9600738aefc664a1daf0f9a3c0c5ef1a0cabdb95e1fef1561c43d

Download Submit
C:\Windows\SysWOW64\Hfalaj32.exe

Filesize
90KB

MD5
71ecce75dffd38689772c9a20d6689b9

SHA1
1a5960b36744e9f2e036aec5d62c1bdaacc21888

SHA256
53bbcc18127b38f598e414fcc70564b9d67fce01ba6c9faab2cc17a031e698f1

SHA512
9ab31417535044c68966910f51be620491a7f9dc3b0755488730b8d9b63a7605189a1f2222d509c886dd4a9c903b67dddf7bb30e86fb8618d3dd70c9b257840d

Download Submit
C:\Windows\SysWOW64\Hqpjndio.exe

Filesize
90KB

MD5
ccadb5b04ad4bbe1549d402d104bb154

SHA1
f976b13b961c26a4d2972ef2af17e03e8940bcdd

SHA256
dc185e593a3edf56e409f449fef4c7ca7d9e95d87868ef617e6fb7649fe9ddcd

SHA512
ac34bad5e5082a9f854285befc5d47a38f2344f350bed047aedec15740b407cfef45a469ce1b5db89f91453455cdd221f60bafaf9b1633ad7d86969fd8ef686f

Download Submit
C:\Windows\SysWOW64\Icbldbgi.exe

Filesize
90KB

MD5
b3e70a5513f777fd5a9aebb959dfca4c

SHA1
e79112b794c23663ba42d5c8eaf3d173f5c627fe

SHA256
5dba13f389d491407cf3d32aaf835d2253a780a2284ebc4972beb555a1e369c6

SHA512
f2dbd5ce923272ff13d6562ea9e70768afa2c38645df10413b387cda090af13ad9f36d02e9a425fcef3a75e99c25dab2f26e434d0b6a5927dc1b96b6bf9471df

Download Submit
C:\Windows\SysWOW64\Iekbmfdc.exe

Filesize
90KB

MD5
6cbf7d953cb07647c040fafbb8fa270d

SHA1
a6afd6d838595c47b6016d77ec3ce6f0a45e8d0c

SHA256
f06ebc786e94ed622014aabfa76dfa15f85e80506851d24333214f8003995cf5

SHA512
f1eebc5981e682b6886b152a8f6f0b619762cdb3ea70fa9c92680af07879a86f6f8e7c743589dc7a9231193a18a0eb84394dc69bee61c861340ae36c911495a8

Download Submit
C:\Windows\SysWOW64\Iiodliep.exe

Filesize
90KB

MD5
f710fe9fc67fee6035cbafa9934a36ff

SHA1
e66bf01cb815663c0498b761919eccd6eb2a08ac

SHA256
4b24f10a93f4f6f7805983c4bea595326c1454e8a406b47ef164c1e35eecf41e

SHA512
af7fc61d0bfbdc9580692e3b69dd64ceced4e5508ed87710a6e12868364d88128c711facc0cae8387968e6c0828b0bbf0ba3f6a35ab29d172b2fffa12193d5fa

Download Submit
C:\Windows\SysWOW64\Jadlgjjq.exe

Filesize
90KB

MD5
9a8a400f5aa981281c09bbbc9f6c4903

SHA1
677d155e4b155916c768db00e4700ca526fc2a8c

SHA256
1a65fd445ce1c1f6b5b08789c0846f851ac0c08259fcf600cbb2bd9463fdcbe8

SHA512
27d41cbc4bd9a0dba82568419b08d36a02cb13c96d68ab3e4f4f68d51677ea308efd3ca95bb1808b3ba18201eac880c90903313dea95493aad45dad4d899a8ed

Download Submit
C:\Windows\SysWOW64\Jafilj32.exe

Filesize
90KB

MD5
fa122b62721d90d3ee67716c0b73dec0

SHA1
ca4d8c8c9a02af368d6e8187bc36bb95cb02e51f

SHA256
dd2c85d10b9a60ffe12fafe393f7437bc8df6d429ced9af7b382fced5204a85f

SHA512
8290987748b2a1040c6346acb432ef74c7e39f3256daea20eb78ef9a3c18909f1ef0aa0f0e9a0a06d64d5b0162f0d876035eb0836b607cc0e19f4eebe9cb31cf

Download Submit
C:\Windows\SysWOW64\Jhgnbehe.exe

Filesize
90KB

MD5
cdb37da796e8cfbf34eb73cb5e8d68f4

SHA1
510b04f6e1c1358454179d23be08566479007c32

SHA256
c82d985d8d3580dcf8248cc5689cc1d72f7f970e0cc4d9d46cf9a215072fed53

SHA512
8bb89789817a812b913e191b888296d0c65376b142bee2c51857d631332e6c3a1619d5d13abb32fe55988df82ddbaef289ec75e4369592a378d24bf9119da605

Download Submit
C:\Windows\SysWOW64\Jhndcd32.exe

Filesize
90KB

MD5
3c14d20cca987731ec1a16e13ea251c9

SHA1
ad575784d48cc2c59da7da23c8afc3fe641705a0

SHA256
019b328824737a87d5c16f82f8510d504512abf1f7585dd826e1c37430819f20

SHA512
36839200a8a5fa09e6f10f820debdaed28752b853ba88f6ce445fb22df565615091e647ed07fe00afb12fc7b2b63c2e0eea923c4f07d71b6f523945fcb6bdad2

Download Submit
C:\Windows\SysWOW64\Jifkmh32.exe

Filesize
90KB

MD5
2f733ece2e25c27efc240e432bdc49e0

SHA1
f43c96a5f2a0773381423f204ca7b57d1bf40c37

SHA256
1afca7369eac5778f7e67dbeab8fec672725ae82f5f5369da705c4cab9252db3

SHA512
947c30573849b4142c5021421e7177f650e412f083b978e20799986cb62c9ae71d6165a105d888131f5e88b1edc977512b9ee6bea2e4a98eae22b467d2059905

Download Submit
C:\Windows\SysWOW64\Jocceo32.exe

Filesize
90KB

MD5
b284cea5840e67b8dfdef1b18174aece

SHA1
8a715f9bba51dc8b1b77e150c9bf18a7eefc887d

SHA256
49835922014c217d416241723045831292686a9b0363a9af6235ed98b032258f

SHA512
082e7cc56dcebc5c072646ea2f6b6f727343f54c40873005e362e0e7bbc38fa1ee0008360fd3792b31ae361d7674409c5b50004c1e7346e2ccfd28ff98cc6192

Download Submit
C:\Windows\SysWOW64\Kbjbibli.exe

Filesize
90KB

MD5
ca28522e817a504e37560b5237227b13

SHA1
1f31bd633afb4d83984a6e9a92617ab20db87fde

SHA256
7438689e0f67f4a2fdbe966cfb7a363c843f6a3d04936df2881bb94a4f53ee3c

SHA512
f5e82c41f8376c3b1e6616c3720d028941a85da8f5f1dc4d389a39f6a8b1e0b439a087c4d6c10ae1ffbd907646dc202581ef05b876787db36852ad5ef6f02769

Download Submit
C:\Windows\SysWOW64\Kbokda32.exe

Filesize
90KB

MD5
2e9d822824309f39f4afcb3e35537889

SHA1
9ad5981fc1b4768140145a901e637e2a9c50bb35

SHA256
e49213d76dd4b81e7a6fcc9c78d7639f5d3543eb79e2dd7ad49699499865da85

SHA512
62b72b9ac5559793a2dec677291a4237eba05e9b6e67dbb7db25d658f7fa5d60eb2d10655ed1983242570f11d94eeea4e3f3e051749c77ff82596e74b7b7d45b

Download Submit
C:\Windows\SysWOW64\Kifgllbc.exe

Filesize
90KB

MD5
d441704e142e9a038831f8c86aa5c377

SHA1
60e70ba008e802a96304599e2e0fd7b52472d78a

SHA256
79522a6d45b6ae19479145ba2cf132cfd9d29f448e4d79e3d9d2a025e052748b

SHA512
d6217429af616ab6be2ceb6fa1ffc84bbc47ea0046197ee41f1afb01be76e237e89ea3fdc518618445d2ab53dc1c09c0c81fe17c95ebc29c1607e5b465428f84

Download Submit
C:\Windows\SysWOW64\Kikpgk32.exe

Filesize
90KB

MD5
165132e146343e355d02bca7aa084ba0

SHA1
edfa6e76f6e19ca9273162716a505115c2a9bfc8

SHA256
e930d8f7586e55ad8d3a295c9cab2e76dac8c8ec7e03ad5f4b3ae1f41ce0eb50

SHA512
b521ebb44e2df0ab3d45ac834118b918d3ff4a78413904231425e94fef69a3faa65f4e3921b1fe1ba6593c3f404e17d7a12f6ece30a866dc7a6e57f5701a5ca7

Download Submit
C:\Windows\SysWOW64\Klgpmgod.exe

Filesize
90KB

MD5
0703205b9d65b859602ed0705cd8dd26

SHA1
532fb7a050e4564c011cbcc04e5e0e18f04b6ffa

SHA256
fda6a34ad421c6ecbd11f75474ca7dfab62c6ce6208c097b5422a8a881b7f46d

SHA512
eac38b31cbb4849287a025cee513cf228fd9e23ff1472c4fd660218b7d6b14273dfcb1bd0a9d840b34401933cb09ec54ff07f03a4d6db609428d55f2a0d3d843

Download Submit
C:\Windows\SysWOW64\Lddagi32.exe

Filesize
90KB

MD5
b5b1ca818e860e9ec75d553c1cdb63c4

SHA1
6064b50e641ea88055fd94308187b00a9a75a38f

SHA256
a680e182b1c5c0027a5d04276f535638dce4803a30fe2be38deefa711a623ffd

SHA512
8f61e5559bcb2cdb6d49d33a66a9e4862b5b94d0af501753cd5b8d43fee5978cc8770e6386e29814565f001138a7a7afc27d83a3c58cb18359b16a5be4238af2

Download Submit
C:\Windows\SysWOW64\Ljfckodo.exe

Filesize
90KB

MD5
51fb947b2214f681b83d4e739a857f99

SHA1
c65926e97f8d9f294c9818e178ad4d52d02c3b3f

SHA256
aa55062fd71b9fb15fd3ad48ebd9db0d041324bab9761b325faa34fd90905cbc

SHA512
068032b2833bdffd5b90edece0ba1d10ba53457ce7ce9eae76383701946d2d3f79a774ba8bcffc10441df8091382bc1ad4c31618f65135feea67eb9fff96c8bf

Download Submit
C:\Windows\SysWOW64\Lkoidcaj.exe

Filesize
90KB

MD5
1b6fecc21c5b592097c66197a15b8774

SHA1
2e3f8e4658f9bab6a936dcacbdd87111a76fa757

SHA256
f67cb30827bf3c1934cd88a704fb8fee48a738e18e0ac976297b3e8c24aa69d6

SHA512
411b16c3703b684c837a2d846ce977fb4a1ffe0e2df2dfe958b05fde483d01da7a0d6d4f4bd87fc1d62c1481eb0819a2978ce976cd6f09778855592d2bc96175

Download Submit
C:\Windows\SysWOW64\Llgllj32.exe

Filesize
90KB

MD5
886b9c7edca5a41c2e22e562f825c894

SHA1
848b20c3234de7ca66c0139231101cbb9e05ca38

SHA256
2d9dbc5a9143a6cf83242196ee6b935b466b8d3ab67764f501136392235a78f6

SHA512
42bfe6bd874b1f6ca225a920a375086faac931a590cac180746f45055dc8acdcc2709db95790a2360a5edffc6b922cfe5c01d606bb5ee3303daa6b0d97ade06d

Download Submit
C:\Windows\SysWOW64\Lnobfn32.exe

Filesize
90KB

MD5
69d6ac1e1021e933abb7a3e7d59a10e2

SHA1
c553e2f59463de2a5361210f12e707758e5cc840

SHA256
ad4f198f711d24c16a7ba8604bbef4011f9b1e30e2d379d1b5e78eed5283307f

SHA512
31e3595b6ffa82953c25cf094f9e5ed333a00aba30d4f4e0643de8e303612d06c245329cd92fabd5f6c7e8478166b2ecd498b70980d4153fe299ccb143aa5ae0

Download Submit
C:\Windows\SysWOW64\Lppkgi32.exe

Filesize
90KB

MD5
2fbeb10fd0502ffef2ce2ecccbaf6c75

SHA1
c7dcbe8ca5604fac6edff2ff5bd012b569958799

SHA256
ad6d13f2eb462046c2349b8a60e45da2bcb6459b3ed20b7fb20bf0e2b80b15ae

SHA512
31b13fd6d8fb272874e0bfc1f104221a7bb3d0033fecde26c0569cc2f5aa77b22a9ceff07fb8d29b1eabd718edd88e4e0b10b2d6c29cc4be7209632b95e72ec2

Download Submit
C:\Windows\SysWOW64\Mbmgkp32.exe

Filesize
90KB

MD5
a44ef49a256a802793d09504c5f5b3e8

SHA1
f6b71aed0a0493a0913917332bb914976584f513

SHA256
35bafb14edea87b5d5fca7221727311ec27891ce7a856c7a6d7dbdd69ae80a5f

SHA512
3880ef14fc971a146a78306c7ca9db36461ce577f0c6530736274864b3d24b37af3c5ee38e9755d5e704f906bec93d4aba86a963f1f5c794261c37277e45b778

Download Submit
C:\Windows\SysWOW64\Mglpjc32.exe

Filesize
90KB

MD5
6435911e31876e76c048ad66fe888cee

SHA1
fcbe6688ca31d857593dd60b1456521061407bf4

SHA256
4df0c7cdf59a022dd6b1b342772a9ee358dafd823b120e664dd1d58e7a83fbf9

SHA512
785b9e3a0a8b05d0c61b91552de90ce6fa4273d152487d3e5d67698ee64cb4cc611bd6dda5adb851fc30c0e9fc400391e0cda5c556ed8daecefd2d9e8c42d6f6

Download Submit
C:\Windows\SysWOW64\Mjmiknng.exe

Filesize
90KB

MD5
a302a9c3167e4a4a0879a9b24f9effe3

SHA1
91bfc72a4185c67ebdd9b18b788a3ee29b598ad9

SHA256
e381c50b7a2eb5d9595106f059adc64b859494a45e7e7025947b4cf9b079240b

SHA512
624e5dfef91373325cf2124f4eb5a5c7756da4c409842636ef641793c86f5aea6df8f4a1e6ad47ff4728edae2ff600a022dfe9a31eb33d4549767227b87f2fd0

Download Submit
C:\Windows\SysWOW64\Mkelcenm.exe

Filesize
90KB

MD5
d2913ca7071793bc32dccbe8d8142c8d

SHA1
4e180f510a29863e147469fe68ab028219ebe2ba

SHA256
c6a85171fad9bf36780da9b53a72dbd42ca809613f568844492f02a8982ce338

SHA512
f1d07e9daad45e005bc8d21d6211d2ea02c5a86190e4a73400c9a489ce9479e16e065d36547954fb6cf414fe96f934e3ab0167b90d7b8d14efe72be794a766fc

Download Submit
C:\Windows\SysWOW64\Mliibj32.exe

Filesize
90KB

MD5
db54d3248aa2dbbb65ca6ad8577dedb0

SHA1
6a5f7d0a3c77c82ebe6b60c5c4b4891db3917171

SHA256
5f506ea483b3c9ee828e7ef97d5aa2d176595192a4c8175ea18228b44e9c426b

SHA512
acf63f970216ccbc44408cfed0bd194220885c37b5831b02e9a1891927cd5981957261264811e14776e7b172efd7a2f58e6655bf98ed65cc34d3926db7c09cbd

Download Submit
C:\Windows\SysWOW64\Moloidjl.exe

Filesize
90KB

MD5
abce491f15b9fa26cc5f342584b027de

SHA1
ac460e298b0c3840f2b4e48e601487d92d4e999a

SHA256
fe66542933a7ba58fc7b10094401ab54415c003f47b3635ac092b3742b96df75

SHA512
5d51637304b29a7634a151849dca78bfb38dc7c996fdb4be86da36e930f97379c654002a56c27fdd8d37d7be718d3e6c4c382db33f522bdc7bdbbc3f81797e43

Download Submit
C:\Windows\SysWOW64\Nbmcjc32.exe

Filesize
90KB

MD5
d544018a3a3b00b9e733cf370172b022

SHA1
5970ddec6e6b917b940441979c4df79d1d0a0cff

SHA256
c2247077a6c1b677d139220a34254d98515aea0fb407942c9e149e9cd7163db7

SHA512
0d127ab0197ad8bf3d074ea74edf68183fb7dec811c81d23e61d124fb6bf1aa759eaf2d9f596e98a2eeedfd44c297d97e57d6197fbf7f4e58de8480ae394ed56

Download Submit
C:\Windows\SysWOW64\Nccmng32.exe

Filesize
90KB

MD5
544b4bd94aed4b381a6ee22f2cedf04c

SHA1
b5cd271a92a920fea22cb954caa4c7de03a75cbb

SHA256
d9f9beac32ff3a38c7eea8fc22834d2a472aad56ece5c374be4d0f62d9f5000c

SHA512
ad5e71c2b92c94452c03caff219cae206b8354378fde9117a37b78b622ae8089424c21538e636ec9879f075e64f5f328681bf2d3c704af6c92e54aeff8a9c15b

Download Submit
C:\Windows\SysWOW64\Ndnplk32.exe

Filesize
90KB

MD5
357ae75cb929228d2782d0d1ddfa11b7

SHA1
4d26fcef5395d1ebdc1e016bc51e85b3775b884d

SHA256
e0c803e85d50f695286575a9ba50be3da128508e01826dd6b410a7bce35044d5

SHA512
9cdae1a377b7a56e640cf46587cec87d8b612d1b983e7ae77418a46b850c0f1da37218ec5e5064ecfe7f56079a1733ac6f618922af7c841a73eb3547789334bf

Download Submit
C:\Windows\SysWOW64\Njobpa32.exe

Filesize
90KB

MD5
06098a640f094b762dbc532eb24ff150

SHA1
7cd2afb1b70b7d43f0ea43b5c94eebac09c521dc

SHA256
5d1f807c748eea7b814cf7bceaf45e49cfe4a5143955c7e48feb9005140467a2

SHA512
4f932c88d4bc1aa4a5bd8cab54068edec1ccebd3278284cd2a1106d816aa354bcd3c886c99d0a294edd8f01ce6006d5c29d0bc1378648ba95a98b9547faa47a0

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
90KB

MD5
ff3f9f980b1a76b5ea20d9b2c8b1a250

SHA1
c8b41146acc218a7cf00316142952211a90c60d3

SHA256
ac8b775b3d9fa025eb91de64c342801c9bd221cebbe3d678dd5400aedf1fd621

SHA512
39041bd0cab6d1f666e3e8fd923dc09328d1f654bb2dfef7ae4755f3d67805b5cad32ce7300e8e51f6b419d72a6414f2330b4676c42052ce8451704c13f2a290

Download Submit
C:\Windows\SysWOW64\Nnfeep32.exe

Filesize
90KB

MD5
1702f9b29cc32b0753627baf27e91460

SHA1
096ab8e573e3dc2681a164d26499309565c25bae

SHA256
8c754f263aaf22f42d61dfc976e8a18d5ccc54a3777f6a63493fd5d0847cfe2b

SHA512
f847aa7fcfc29582b2069a7220d05f67fc36069e0a95ef0ed992dd2bfc6f00490246a4b3b76b2080c74f8f4f5dffeb0e6a4a42e770df428134a650a66cc42301

Download Submit
C:\Windows\SysWOW64\Nplkhh32.exe

Filesize
90KB

MD5
aac03d18b05e3da5b73f4242d091665c

SHA1
7cdaecf8accb80c4a69315cd6fa3bb1cd20b3715

SHA256
435f6f3b402569c942b2803e8112038db6ab7886fedbd5c421c7c237f75ee382

SHA512
98a0c709eb76723c124653eb1d760d75a9c6d65c3778f8ff6864e576ec1c3616e192909b76854623588ceb6e6fb99ff78c4bb525c2f110d0b2247073982284cf

Download Submit
C:\Windows\SysWOW64\Nqgngk32.exe

Filesize
90KB

MD5
8a9f1c214f82d91a223567fd27a71f02

SHA1
e0dc8f055faf84aff6dc74d580df27612279f954

SHA256
a31e48c672fb1d7d270d382d0ce1bc96e287ca971830337f735b72062ad19e5c

SHA512
866726802ea206903a7ffbab5ce6f95c903c7d3b3ce7581159232041172294e3645ebcf4b4ca7501b4acf9c479a9b5d54245c8fc7fc525b77f02dd90618efb31

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
90KB

MD5
fbb9bffd700d898b38abeded15853acd

SHA1
57eec176de92cf749329e410a73cd6262d910f46

SHA256
3f160910eaa513472384fc2c18b1d92b97e2605121e3fe6a9d7b1efde2efecc8

SHA512
72316b0d76268408ac552476e60cd2913cc131c9c77c554a4eec1c86f5d6158c3ec5798ec8868aa2d97388206439b8c34bee6dd510ee2f4c7ca41062135fdf8f

Download Submit
C:\Windows\SysWOW64\Oiiilm32.exe

Filesize
90KB

MD5
6848af70857b688ca805d677d6c10c83

SHA1
69bd25d0ff0f6cfc5cca9aa77bbfddd0b3cd4ce1

SHA256
c5da0aa125733b1812fe4e6b593241ba2e722d60252d0f9a47b9d5abf0b7e73c

SHA512
3723798a495c1101867b5b31bae844e7ef068439ed583e3663720c35d2c0bb1dae8e3c6b3e1493f750bb151dac382c2475b0a8eb1049088881c0b89c1dc8fcd6

Download Submit
C:\Windows\SysWOW64\Opqdcgib.exe

Filesize
90KB

MD5
d7855e880a71063ab9fcb2d2a4919a28

SHA1
0b3eb6f5f6127a1c78a289e4ab0a936571f8d6d8

SHA256
78f7e2529255f9c00102fab0b1838f3c5e1bd73ce0509e49805f508778a755b4

SHA512
b72bec40aa380d940cf0deddf4d72dab183a606fb338b9d313812ed61cba939b069c52cdf96b9587d930414e6669474d31d2de27e4a1b83858791c80a85ded30

Download Submit
\Windows\SysWOW64\Ehiiop32.exe

Filesize
90KB

MD5
94d424ec2dd167d7d380211b75bf0302

SHA1
9bcff8a46ee80f4aaff1d4a3289e688a31b0b48f

SHA256
455267ed9f6ed241b65f158b42c73be1fe1d3eaa5a557f081862de379ff127a1

SHA512
1d9f64c68bf792546a748d33f085f3c29fe74d4b5b2c5614adf1bc973b683f32fbf6b1bbe589bbf94da2d78939efb809991805e8188386ce652dcfbf1d2b23d5

Download Submit
\Windows\SysWOW64\Fldbnb32.exe

Filesize
90KB

MD5
2c28724f9292de5a0931a11babbd85ca

SHA1
a691fd9d7873fdf5a43486bbc881d7bb90a2cf1e

SHA256
6037cc7566ade98dbe4ad33b298d82c84f4380d6422760fba1d326e64a2690b8

SHA512
312f3b96e0e69968e242036045bfe85c03212519063a980c9b08c85fc05e42aeb508c6baec8fd806664fa36ce84c13071014771b669e664f1d6a1282dad1735e

Download Submit
\Windows\SysWOW64\Flmlmc32.exe

Filesize
90KB

MD5
2fae9b0f9daffbcfab09c7f48d288000

SHA1
85ca1f4f67bc4288eb5b0e5adcc7c79a217663f4

SHA256
212747acb42933652ec6b8aff535f1e67c9215b98ee81f5be6984df2255beb05

SHA512
66e64b3c007827cac3636c9fac9383756ad62dd215d4ebdae740012d8ce62a004053d50fef222eadf1b0540c411abf9cde921985e3726a49b39b690604696670

Download Submit
\Windows\SysWOW64\Fondonbc.exe

Filesize
90KB

MD5
ffc9e5649bdb79782d12c34acf30d8fc

SHA1
9c9f4bb40174a1fdbd012ae3a3fe8ad0e19bfa77

SHA256
a02b124a9322010acd4283f6dcb4858eac4235f53ee6a514a3b80b44319ad0ea

SHA512
c105b831247ece5258b252946733a84fe8f4fd0b11eb7b146c215198459153792ab5d635fce15d381f142b16ebccca2390968a334d00a9c96c3725c4e49117b9

Download Submit
\Windows\SysWOW64\Gdpfbd32.exe

Filesize
90KB

MD5
2c895144a4f4c66dc13c8b30dc98305b

SHA1
71bb3c73c4040d582064a6174b8188bbe671cbd6

SHA256
29f6941887453986ad0b4bc534f556ab0ae19affe0aeb068e9948e10b14dad33

SHA512
708af182436261008bf1677f80846faa256e02d676b45c2a2b075b45aa5f14afef42a7d5c2cd15068c1e04338348a2a9339fb9c0fe773c35e4c7967c7775c580

Download Submit
\Windows\SysWOW64\Gjcekj32.exe

Filesize
90KB

MD5
c80f7b07a579972e158fc3b482eff218

SHA1
17af379161870f6a453776e1df6105a1f4e3c1e1

SHA256
207f6718f8f866574dfbe215e44e8162f232eaf274607c468a9c3cb83dccdeba

SHA512
b527b6ae4ea8e41945a2c931e6ecfefd692a8ee49b311e5d47c7525c67d7904efb9b270ed4c3defb0919bb621b4aa6b935e560b0115daa2e4748f066e9f2e956

Download Submit
\Windows\SysWOW64\Gjolpkhj.exe

Filesize
90KB

MD5
7a1d1c0dc9b88518bdd88b5ca813b054

SHA1
6dfe194d1b49ae7dc4e27ca6fce03a324731fd56

SHA256
70b1559f579b75cee9bd921471ccc66679f3947fe75833eac568c98a5ecae58f

SHA512
8e7ac7bf9e7886138c70619ee7dbe08c0dcfe91594d793f4b738ee41907ecd0071868d21beb0c7f74e575ad398f69de55a2ad6a9658b797fcdfe911a94a8721a

Download Submit
\Windows\SysWOW64\Glpdbfek.exe

Filesize
90KB

MD5
7484933230d64deef1d8999d84ae67cd

SHA1
64d57ff40f299104250ad8360e8b72b9a29d41f5

SHA256
69d629203cad8a728a332e1d6066301231346f4802c0f11faf27c51d0bda3929

SHA512
5569b807c8b34c06f58599b5aebf6f2b4c952587dae2fa27463931ca739c65631a41ab31d6b03e4f607dc90941ad2ccdc9348cc94a192dc30ae3ad23da5eeb46

Download Submit
\Windows\SysWOW64\Hikobfgj.exe

Filesize
90KB

MD5
b7e51f2dd35a20c2e9799a30d3267077

SHA1
54f4c7f79479bc5677281688066df21f4980f7f7

SHA256
18409491ef7c497e649477a6c61cebbfadc4201578a10bb582e33cdd5dbad799

SHA512
94ee55c1819b96b964762049158253f2eb09a307df17d96c3eeed5e413e80f117986850eeb3a9fadf8f822d43e02b810c1c2b244bd85f857acb0bda9b0745e46

Download Submit
\Windows\SysWOW64\Ikbndqnc.exe

Filesize
90KB

MD5
b6f0134334c17aaca707a954c4810bd6

SHA1
b243de0e683e1a6f0e6d5fc1250fff610021d088

SHA256
b471b54921e4535e9a77e6594d882c20593715c581e1207feb5084bde8eaf9fe

SHA512
28f9b8417262429dc81a2d19d4667d0e65756483a64ffad51f92b8b35d7a85540e91fa770b5f2541c11a60d38be6b6117e543b604426f60da587c3a691dfae35

Download Submit
\Windows\SysWOW64\Imidgh32.exe

Filesize
90KB

MD5
ab9e03e6f0cac735088a40681e83785e

SHA1
eb09fef0c0d78f99b946b7e622994dc87c87a75c

SHA256
d00254f069bdf5d0ec75c7ad508cff2975e0d323846e98aecc519a70cc44ab02

SHA512
d1a8eaffed37748831291532e3ad629bee51208e66dcf813709f8d998460c95bb1e36b68664b6521e8559eb85a754afb49ffea89adc969438b06f9636b4efbda

Download Submit
memory/320-340-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/320-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-176-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1056-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-112-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1100-327-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1100-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-423-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1708-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-285-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1784-288-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2100-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-351-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2128-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-254-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2168-305-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2268-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-156-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2308-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-265-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2328-210-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2328-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-212-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2336-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-131-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2404-133-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2404-181-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2404-195-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2424-227-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/2424-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-286-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/2424-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-410-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2496-404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-65-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2592-13-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2592-12-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2620-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-205-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2644-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-392-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2704-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-81-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2744-87-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2744-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-148-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2796-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-41-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2824-86-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-125-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2856-71-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2860-347-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2860-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-368-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2896-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-49-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2900-56-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2900-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-110-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2900-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-26-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3020-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-178-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3064-177-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3064-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-253-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads