74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
Size

76KB
MD5

d3c5448123c6633a6c074eedb1020c43
SHA1

9404cc10cc68bca24e30fc09aa7808d13648e030
SHA256

74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309
SHA512

041d474f2ad00ac4f3da3d283ab74db68350c9fb55e0b9813e9a09c9dbbab3dde9bd4cf15dc5e5692a9a915cf664b5db6cfb9cd42628f8a3242e6fd33623ca03
SSDEEP

1536:KwyfjPyxVLoTe84SoE/y1n6I9X2T+OcuHioQV+/eCeyvCQ:SPynsTuE/yQcuHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhclfphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpgl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgpea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfccmini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jboanfmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kleeqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjjdjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebpchmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkcllmhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhqiegh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkjbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liibigjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mikooghn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdqclpgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdqclpgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jennjblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laidie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkolmk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhqiegh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagkebpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpdoffo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjqlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghigl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmfchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpekln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knkkngol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcgdgnmc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Minldf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagkebpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jboanfmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jennjblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemjieol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjfbikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemjieol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kleeqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgpea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbandfkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmgkoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbandfkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmfchfo.exe

Executes dropped EXE 53 IoCs

pid	Process
2328	Jkcllmhb.exe
2156	Jfhqiegh.exe
2808	Jkeialfp.exe
2828	Jboanfmm.exe
1748	Jennjblp.exe
2608	Jgljfmkd.exe
2248	Jjjfbikh.exe
1032	Jbandfkj.exe
1228	Jepjpajn.exe
3048	Jkjbml32.exe
2296	Knhoig32.exe
2932	Kagkebpb.exe
2100	Kgqcam32.exe
1592	Kfccmini.exe
2988	Knkkngol.exe
2404	Kcgdgnmc.exe
2160	Kgcpgl32.exe
2484	Kidlodkj.exe
560	Kakdpb32.exe
2020	Kcjqlm32.exe
1224	Kfhmhi32.exe
1996	Kjdiigbm.exe
900	Kleeqp32.exe
576	Kemjieol.exe
376	Klgbfo32.exe
2260	Kpcngnob.exe
2868	Kfmfchfo.exe
2612	Lhnckp32.exe
2600	Lpekln32.exe
2024	Lebcdd32.exe
2908	Lkolmk32.exe
2452	Lojhmjag.exe
2308	Laidie32.exe
3040	Ldgpea32.exe
1632	Lhclfphg.exe
2796	Lmpdoffo.exe
3028	Ldjmkq32.exe
2980	Lghigl32.exe
2372	Lanmde32.exe
2208	Lhgeao32.exe
680	Liibigjq.exe
1880	Mapjjdjb.exe
2964	Mdnffpif.exe
2376	Mkhocj32.exe
1540	Mikooghn.exe
916	Mmgkoe32.exe
1456	Mlikkbga.exe
2884	Mdqclpgd.exe
2728	Mcccglnn.exe
2844	Mgoohk32.exe
2676	Mebpchmb.exe
2588	Minldf32.exe
2052	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
2328	Jkcllmhb.exe
2328	Jkcllmhb.exe
2156	Jfhqiegh.exe
2156	Jfhqiegh.exe
2808	Jkeialfp.exe
2808	Jkeialfp.exe
2828	Jboanfmm.exe
2828	Jboanfmm.exe
1748	Jennjblp.exe
1748	Jennjblp.exe
2608	Jgljfmkd.exe
2608	Jgljfmkd.exe
2248	Jjjfbikh.exe
2248	Jjjfbikh.exe
1032	Jbandfkj.exe
1032	Jbandfkj.exe
1228	Jepjpajn.exe
1228	Jepjpajn.exe
3048	Jkjbml32.exe
3048	Jkjbml32.exe
2296	Knhoig32.exe
2296	Knhoig32.exe
2932	Kagkebpb.exe
2932	Kagkebpb.exe
2100	Kgqcam32.exe
2100	Kgqcam32.exe
1592	Kfccmini.exe
1592	Kfccmini.exe
2988	Knkkngol.exe
2988	Knkkngol.exe
2404	Kcgdgnmc.exe
2404	Kcgdgnmc.exe
2160	Kgcpgl32.exe
2160	Kgcpgl32.exe
2484	Kidlodkj.exe
2484	Kidlodkj.exe
560	Kakdpb32.exe
560	Kakdpb32.exe
2020	Kcjqlm32.exe
2020	Kcjqlm32.exe
1224	Kfhmhi32.exe
1224	Kfhmhi32.exe
1996	Kjdiigbm.exe
1996	Kjdiigbm.exe
900	Kleeqp32.exe
900	Kleeqp32.exe
576	Kemjieol.exe
576	Kemjieol.exe
376	Klgbfo32.exe
376	Klgbfo32.exe
2260	Kpcngnob.exe
2260	Kpcngnob.exe
2868	Kfmfchfo.exe
2868	Kfmfchfo.exe
2612	Lhnckp32.exe
2612	Lhnckp32.exe
2600	Lpekln32.exe
2600	Lpekln32.exe
2024	Lebcdd32.exe
2024	Lebcdd32.exe
2908	Lkolmk32.exe
2908	Lkolmk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkhocj32.exe	Mdnffpif.exe
File opened for modification	C:\Windows\SysWOW64\Mdqclpgd.exe	Mlikkbga.exe
File created	C:\Windows\SysWOW64\Jjjfbikh.exe	Jgljfmkd.exe
File opened for modification	C:\Windows\SysWOW64\Knhoig32.exe	Jkjbml32.exe
File created	C:\Windows\SysWOW64\Kgcpgl32.exe	Kcgdgnmc.exe
File opened for modification	C:\Windows\SysWOW64\Ldjmkq32.exe	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Laidie32.exe	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Lhclfphg.exe	Ldgpea32.exe
File opened for modification	C:\Windows\SysWOW64\Lhclfphg.exe	Ldgpea32.exe
File created	C:\Windows\SysWOW64\Ebkbpapg.dll	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Jfdnao32.dll	Jjjfbikh.exe
File opened for modification	C:\Windows\SysWOW64\Kidlodkj.exe	Kgcpgl32.exe
File created	C:\Windows\SysWOW64\Bmghlppm.dll	Kemjieol.exe
File opened for modification	C:\Windows\SysWOW64\Kfmfchfo.exe	Kpcngnob.exe
File opened for modification	C:\Windows\SysWOW64\Ldgpea32.exe	Laidie32.exe
File created	C:\Windows\SysWOW64\Lanmde32.exe	Lghigl32.exe
File created	C:\Windows\SysWOW64\Jkcllmhb.exe	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
File created	C:\Windows\SysWOW64\Lnlaejfg.dll	Jboanfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jjjfbikh.exe	Jgljfmkd.exe
File created	C:\Windows\SysWOW64\Lijgiokj.dll	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Dafoakfc.dll	Jkeialfp.exe
File created	C:\Windows\SysWOW64\Cnchedie.dll	Kfccmini.exe
File created	C:\Windows\SysWOW64\Lkolmk32.exe	Lebcdd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhqiegh.exe	Jkcllmhb.exe
File created	C:\Windows\SysWOW64\Jennjblp.exe	Jboanfmm.exe
File created	C:\Windows\SysWOW64\Idmkjp32.dll	Lkolmk32.exe
File created	C:\Windows\SysWOW64\Mdnffpif.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Godaagfg.dll	Lanmde32.exe
File created	C:\Windows\SysWOW64\Mgoohk32.exe	Mcccglnn.exe
File opened for modification	C:\Windows\SysWOW64\Mgoohk32.exe	Mcccglnn.exe
File created	C:\Windows\SysWOW64\Ldgpea32.exe	Laidie32.exe
File created	C:\Windows\SysWOW64\Komhoebi.dll	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Knkkngol.exe	Kfccmini.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpgl32.exe	Kcgdgnmc.exe
File created	C:\Windows\SysWOW64\Ajnncp32.dll	Kidlodkj.exe
File created	C:\Windows\SysWOW64\Kfhmhi32.exe	Kcjqlm32.exe
File created	C:\Windows\SysWOW64\Minldf32.exe	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Modieece.dll	Kcjqlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lojhmjag.exe	Lkolmk32.exe
File created	C:\Windows\SysWOW64\Ihmjnmbc.dll	Jbandfkj.exe
File created	C:\Windows\SysWOW64\Dhcohg32.dll	Knkkngol.exe
File created	C:\Windows\SysWOW64\Lebbii32.dll	Kfhmhi32.exe
File created	C:\Windows\SysWOW64\Lhdpnb32.dll	Kleeqp32.exe
File created	C:\Windows\SysWOW64\Bmjbmidh.dll	Mmgkoe32.exe
File created	C:\Windows\SysWOW64\Dgenpi32.dll	Kgcpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Kakdpb32.exe	Kidlodkj.exe
File created	C:\Windows\SysWOW64\Lpekln32.exe	Lhnckp32.exe
File created	C:\Windows\SysWOW64\Mikooghn.exe	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Ljaplc32.dll	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Mdqclpgd.exe	Mlikkbga.exe
File opened for modification	C:\Windows\SysWOW64\Jkeialfp.exe	Jfhqiegh.exe
File opened for modification	C:\Windows\SysWOW64\Kgqcam32.exe	Kagkebpb.exe
File created	C:\Windows\SysWOW64\Kjdiigbm.exe	Kfhmhi32.exe
File opened for modification	C:\Windows\SysWOW64\Laidie32.exe	Lojhmjag.exe
File opened for modification	C:\Windows\SysWOW64\Mmgkoe32.exe	Mikooghn.exe
File created	C:\Windows\SysWOW64\Bafeoijd.dll	Mgoohk32.exe
File opened for modification	C:\Windows\SysWOW64\Jepjpajn.exe	Jbandfkj.exe
File created	C:\Windows\SysWOW64\Kakdpb32.exe	Kidlodkj.exe
File created	C:\Windows\SysWOW64\Kfmfchfo.exe	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Dldldj32.dll	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Aceapdem.dll	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Lhnckp32.exe	Kfmfchfo.exe
File created	C:\Windows\SysWOW64\Mmgkoe32.exe	Mikooghn.exe
File created	C:\Windows\SysWOW64\Ajojkjfk.dll	Mdqclpgd.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfhmhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbandfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgqcam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdiigbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgbfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcngnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojhmjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlikkbga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jennjblp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhclfphg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgpea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkeialfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikooghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcccglnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkcllmhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghigl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfccmini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjqlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laidie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjmkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgeao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkjbml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdqclpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemjieol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkolmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjpajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibigjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knkkngol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjfbikh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhocj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebpchmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jboanfmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kleeqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpdoffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcgdgnmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnffpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidlodkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjjdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgljfmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhqiegh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmfchfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmgkoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minldf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kagkebpb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jboanfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfccmini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knkkngol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceapdem.dll"	Klgbfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpekln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcncl32.dll"	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmba32.dll"	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafoakfc.dll"	Jkeialfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidlodkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjmkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghigl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagenl32.dll"	Kgqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcjqlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfljg32.dll"	Mcccglnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhqiegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhqiegh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgenpi32.dll"	Kgcpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmghlppm.dll"	Kemjieol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpekln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbcppkf.dll"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knkkngol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbii32.dll"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnhppoa.dll"	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdljncel.dll"	Kfmfchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laidie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgpea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmgkoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jboanfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcohg32.dll"	Knkkngol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll"	Lpekln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkbpapg.dll"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjbmidh.dll"	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Minldf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbandfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidlodkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofcinac.dll"	Laidie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmnepnb.dll"	Ldjmkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnede32.dll"	Lghigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmjnmbc.dll"	Jbandfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jepjpajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcjqlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgpea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2328	2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe	29
PID 2532 wrote to memory of 2328	2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe	29
PID 2532 wrote to memory of 2328	2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe	29
PID 2532 wrote to memory of 2328	2532	74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe	29
PID 2328 wrote to memory of 2156	2328	Jkcllmhb.exe	30
PID 2328 wrote to memory of 2156	2328	Jkcllmhb.exe	30
PID 2328 wrote to memory of 2156	2328	Jkcllmhb.exe	30
PID 2328 wrote to memory of 2156	2328	Jkcllmhb.exe	30
PID 2156 wrote to memory of 2808	2156	Jfhqiegh.exe	31
PID 2156 wrote to memory of 2808	2156	Jfhqiegh.exe	31
PID 2156 wrote to memory of 2808	2156	Jfhqiegh.exe	31
PID 2156 wrote to memory of 2808	2156	Jfhqiegh.exe	31
PID 2808 wrote to memory of 2828	2808	Jkeialfp.exe	32
PID 2808 wrote to memory of 2828	2808	Jkeialfp.exe	32
PID 2808 wrote to memory of 2828	2808	Jkeialfp.exe	32
PID 2808 wrote to memory of 2828	2808	Jkeialfp.exe	32
PID 2828 wrote to memory of 1748	2828	Jboanfmm.exe	33
PID 2828 wrote to memory of 1748	2828	Jboanfmm.exe	33
PID 2828 wrote to memory of 1748	2828	Jboanfmm.exe	33
PID 2828 wrote to memory of 1748	2828	Jboanfmm.exe	33
PID 1748 wrote to memory of 2608	1748	Jennjblp.exe	34
PID 1748 wrote to memory of 2608	1748	Jennjblp.exe	34
PID 1748 wrote to memory of 2608	1748	Jennjblp.exe	34
PID 1748 wrote to memory of 2608	1748	Jennjblp.exe	34
PID 2608 wrote to memory of 2248	2608	Jgljfmkd.exe	35
PID 2608 wrote to memory of 2248	2608	Jgljfmkd.exe	35
PID 2608 wrote to memory of 2248	2608	Jgljfmkd.exe	35
PID 2608 wrote to memory of 2248	2608	Jgljfmkd.exe	35
PID 2248 wrote to memory of 1032	2248	Jjjfbikh.exe	36
PID 2248 wrote to memory of 1032	2248	Jjjfbikh.exe	36
PID 2248 wrote to memory of 1032	2248	Jjjfbikh.exe	36
PID 2248 wrote to memory of 1032	2248	Jjjfbikh.exe	36
PID 1032 wrote to memory of 1228	1032	Jbandfkj.exe	37
PID 1032 wrote to memory of 1228	1032	Jbandfkj.exe	37
PID 1032 wrote to memory of 1228	1032	Jbandfkj.exe	37
PID 1032 wrote to memory of 1228	1032	Jbandfkj.exe	37
PID 1228 wrote to memory of 3048	1228	Jepjpajn.exe	38
PID 1228 wrote to memory of 3048	1228	Jepjpajn.exe	38
PID 1228 wrote to memory of 3048	1228	Jepjpajn.exe	38
PID 1228 wrote to memory of 3048	1228	Jepjpajn.exe	38
PID 3048 wrote to memory of 2296	3048	Jkjbml32.exe	39
PID 3048 wrote to memory of 2296	3048	Jkjbml32.exe	39
PID 3048 wrote to memory of 2296	3048	Jkjbml32.exe	39
PID 3048 wrote to memory of 2296	3048	Jkjbml32.exe	39
PID 2296 wrote to memory of 2932	2296	Knhoig32.exe	40
PID 2296 wrote to memory of 2932	2296	Knhoig32.exe	40
PID 2296 wrote to memory of 2932	2296	Knhoig32.exe	40
PID 2296 wrote to memory of 2932	2296	Knhoig32.exe	40
PID 2932 wrote to memory of 2100	2932	Kagkebpb.exe	41
PID 2932 wrote to memory of 2100	2932	Kagkebpb.exe	41
PID 2932 wrote to memory of 2100	2932	Kagkebpb.exe	41
PID 2932 wrote to memory of 2100	2932	Kagkebpb.exe	41
PID 2100 wrote to memory of 1592	2100	Kgqcam32.exe	42
PID 2100 wrote to memory of 1592	2100	Kgqcam32.exe	42
PID 2100 wrote to memory of 1592	2100	Kgqcam32.exe	42
PID 2100 wrote to memory of 1592	2100	Kgqcam32.exe	42
PID 1592 wrote to memory of 2988	1592	Kfccmini.exe	43
PID 1592 wrote to memory of 2988	1592	Kfccmini.exe	43
PID 1592 wrote to memory of 2988	1592	Kfccmini.exe	43
PID 1592 wrote to memory of 2988	1592	Kfccmini.exe	43
PID 2988 wrote to memory of 2404	2988	Knkkngol.exe	44
PID 2988 wrote to memory of 2404	2988	Knkkngol.exe	44
PID 2988 wrote to memory of 2404	2988	Knkkngol.exe	44
PID 2988 wrote to memory of 2404	2988	Knkkngol.exe	44

C:\Users\Admin\AppData\Local\Temp\74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe
"C:\Users\Admin\AppData\Local\Temp\74393df5b9c2c27e880c7d4c50c46aa48defea721788b31a5c6c403874f16309.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Jkcllmhb.exe
  C:\Windows\system32\Jkcllmhb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Jfhqiegh.exe
    C:\Windows\system32\Jfhqiegh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Jkeialfp.exe
      C:\Windows\system32\Jkeialfp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Jboanfmm.exe
        
        C:\Windows\system32\Jboanfmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Jennjblp.exe
        
        C:\Windows\system32\Jennjblp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Jgljfmkd.exe
        
        C:\Windows\system32\Jgljfmkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jjjfbikh.exe
        
        C:\Windows\system32\Jjjfbikh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Jbandfkj.exe
        
        C:\Windows\system32\Jbandfkj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Jepjpajn.exe
        
        C:\Windows\system32\Jepjpajn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Jkjbml32.exe
        
        C:\Windows\system32\Jkjbml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Knhoig32.exe
        
        C:\Windows\system32\Knhoig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Kagkebpb.exe
        
        C:\Windows\system32\Kagkebpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Kgqcam32.exe
        
        C:\Windows\system32\Kgqcam32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Kfccmini.exe
        
        C:\Windows\system32\Kfccmini.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Knkkngol.exe
        
        C:\Windows\system32\Knkkngol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kcgdgnmc.exe
        
        C:\Windows\system32\Kcgdgnmc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Kgcpgl32.exe
        
        C:\Windows\system32\Kgcpgl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Kidlodkj.exe
        
        C:\Windows\system32\Kidlodkj.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Kcjqlm32.exe
        
        C:\Windows\system32\Kcjqlm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Kfhmhi32.exe
        
        C:\Windows\system32\Kfhmhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Kjdiigbm.exe
        
        C:\Windows\system32\Kjdiigbm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Kleeqp32.exe
        
        C:\Windows\system32\Kleeqp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Kemjieol.exe
        
        C:\Windows\system32\Kemjieol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Klgbfo32.exe
        
        C:\Windows\system32\Klgbfo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Kpcngnob.exe
        
        C:\Windows\system32\Kpcngnob.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Kfmfchfo.exe
        
        C:\Windows\system32\Kfmfchfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Lhnckp32.exe
        
        C:\Windows\system32\Lhnckp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Lpekln32.exe
        
        C:\Windows\system32\Lpekln32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Lebcdd32.exe
        
        C:\Windows\system32\Lebcdd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Lkolmk32.exe
        
        C:\Windows\system32\Lkolmk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Lojhmjag.exe
        
        C:\Windows\system32\Lojhmjag.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Laidie32.exe
        
        C:\Windows\system32\Laidie32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Ldgpea32.exe
        
        C:\Windows\system32\Ldgpea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Lhclfphg.exe
        
        C:\Windows\system32\Lhclfphg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Lmpdoffo.exe
        
        C:\Windows\system32\Lmpdoffo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ldjmkq32.exe
        
        C:\Windows\system32\Ldjmkq32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Lghigl32.exe
        
        C:\Windows\system32\Lghigl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Lanmde32.exe
        
        C:\Windows\system32\Lanmde32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Lhgeao32.exe
        
        C:\Windows\system32\Lhgeao32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Liibigjq.exe
        
        C:\Windows\system32\Liibigjq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Mapjjdjb.exe
        
        C:\Windows\system32\Mapjjdjb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Mdnffpif.exe
        
        C:\Windows\system32\Mdnffpif.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Mkhocj32.exe
        
        C:\Windows\system32\Mkhocj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Mikooghn.exe
        
        C:\Windows\system32\Mikooghn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Mmgkoe32.exe
        
        C:\Windows\system32\Mmgkoe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Mlikkbga.exe
        
        C:\Windows\system32\Mlikkbga.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Mdqclpgd.exe
        
        C:\Windows\system32\Mdqclpgd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Mcccglnn.exe
        
        C:\Windows\system32\Mcccglnn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mgoohk32.exe
        
        C:\Windows\system32\Mgoohk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Mebpchmb.exe
        
        C:\Windows\system32\Mebpchmb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Minldf32.exe
        
        C:\Windows\system32\Minldf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbandfkj.exe

Filesize
76KB

MD5
827b81de49e6818115e13a9628def116

SHA1
f8f4ca0c014fe73dda24a15c9bfb796a0b29d071

SHA256
7b4f08154cb6954bc2bc79a75d7f37f8247a5fc658902acbcd688b6b62759d00

SHA512
c5caff75510fd7b64119d1835d54738c7720fa9664aa35ae3cd7e38b3caf1bd2fed46e86b83102888b8040fa4431a37848b490b925de546d5f352de3df7f256c

Download Submit
C:\Windows\SysWOW64\Jboanfmm.exe

Filesize
76KB

MD5
d5838dc1819720a4babf49a1310a43be

SHA1
69ae9a05a47e37321fd4795b83d3e6489fb122a9

SHA256
67e53829bcdd16757147f404e89224ebc27a790702269f6a59397fdda617df7c

SHA512
d7a4fe90ce4d420398a08759e385b59c5de3f6adce6f27dddb34f4b0c9de20f3f4b225a91f14a1419c58d45fce7dd470f94329ccdd8f60fd911767a2dec57fdd

Download Submit
C:\Windows\SysWOW64\Jennjblp.exe

Filesize
76KB

MD5
2c091b0cd17d589380c93fa28fcf5043

SHA1
d8440b74a6e865dfec012afe9039922c0f21e03e

SHA256
eb2257d88a2b21eac6d5d7ccc3426cad5099b1afefc795bd7f320e73559ef7d0

SHA512
90a9f8a09d352d762b3ded3f7086bfaf6b7857c41a44b1bf0f0b6aecc5ab7f69e15ec2bbdb9947d6ed02fd59934986009338c65f04070b0ed6679b9af9b62e39

Download Submit
C:\Windows\SysWOW64\Jepjpajn.exe

Filesize
76KB

MD5
562e9c8dd70520374042c6280b6f4b91

SHA1
fb17f43feda05ee082811e35d42b6250a61d6f2a

SHA256
055b0f45303587b985516512b40b7f77fbb63f0b3d21c854225e214fc7ae276b

SHA512
f88da7ed63f15e6f0ff0763bca5e881f2f90ee88a1f9a1e606150fbbc9e83a84120a585373b7ae7d8554c6bb8600606f9122148e85094d0332e797c70071101f

Download Submit
C:\Windows\SysWOW64\Jfhqiegh.exe

Filesize
76KB

MD5
6275c84b4c04dde40751431ae3008dc9

SHA1
1084596679c6cb0c00f35a9e51072824ae9dff35

SHA256
2aa36aaaa4a70bffce8d484163c853e9b4bf19cf56a08a48e5b0e1a238bc7b6f

SHA512
04ca9de57ce8c2a34342e5a7eb509cbc4059f942ad04cf88b770a3a1b51a4c41609125c326130af2f548cdc7680226205f8d81c215067113b5b0fdccde78ed45

Download Submit
C:\Windows\SysWOW64\Jgljfmkd.exe

Filesize
76KB

MD5
2725e7dc465ffde2a3b039e8466ee205

SHA1
7cb5006743080ce5fa70b9d9135ff413b3a16240

SHA256
ddb60ed2f3facff8b4ae8ea29708c19be2d4381fd68b4eea8f9f06b70f5d2668

SHA512
878924f9541abf41a344b47ff6db288d4f79704f48266df7a7a9df458999cfc7275a7d465ffc7c8c910c6c251a1a7a41eb599973f0ec3a996e868df7b4739df3

Download Submit
C:\Windows\SysWOW64\Jjjfbikh.exe

Filesize
76KB

MD5
06b9d74d679200d7a4a3c77a0416d847

SHA1
ca6ca4bef480ad37d2bf58dd8894fe8c0c42305f

SHA256
ba0e2b3d46f1c875cd39070b23efc3c203d5f92e2033e677961157ac4c516e8a

SHA512
98c80c8033a4723a78c00ddd9f8a2a2aeeb5ea20d66e647b6c4455dc7f46a5f120eb308d87a26535b331533cbcf6c09e87a1e08a4c26e3dab1d0842434875a0e

Download Submit
C:\Windows\SysWOW64\Jkcllmhb.exe

Filesize
76KB

MD5
7b3ccd8aedc8b2a7e64139666a533266

SHA1
184a813484f88ebe619fb2ae93d1b1e636e8a34a

SHA256
342b87106e92eeac1a2ed58cc1b6cd4e4c181cbfb43c73450c6265062099c15c

SHA512
24febcd22ecbf5a8bbdad16b78ccfd7c80018aa0b5573c2c0777834e3e55e32a92b635e3426713d24162e275406bd7f079ad98db96dd3cd4ff7a37c62d52cb58

Download Submit
C:\Windows\SysWOW64\Jkeialfp.exe

Filesize
76KB

MD5
84d1a2d1eb7b6041eb9b5ffa6d0eae56

SHA1
9a1446d624f79146fb07b1b99b0646bd020b7a16

SHA256
0f5e78e1f029892bb46d702b8fc2c40068e3213f3a6e5091d1cff2ab98103015

SHA512
b25b6924c2e59ad1a3db6ee33f4bcde9ff0d2d3fb6c6a6eaf6c1aa503c66b8cb24c91874839edadca2cc427a373890d83735945ba575fb9c4fdfe9a80c773af4

Download Submit
C:\Windows\SysWOW64\Jkjbml32.exe

Filesize
76KB

MD5
d04ee4a76647ac18174b773e8eb8a8f8

SHA1
65aae58c88108b1376b6d18f3545883e50983832

SHA256
2149fdc97baed020904f03af3dd86bde8a431de56466dfb0dbccd348f5351e4f

SHA512
410a41697fae6fe03a7429390e976d573471e80ae79bade0dd7f23f491bda1aeb4528d6de2eece4b2160c45f2e1df4168892c4aa272356c5a55faff45f39ac42

Download Submit
C:\Windows\SysWOW64\Kagkebpb.exe

Filesize
76KB

MD5
31e0ad6d04eb855a0463e6b19829d3b9

SHA1
c648c140a8b7e86cbdd74c99c3bd309ee0b844ff

SHA256
57efd1d3cccac2240c69bce62dfb1f9b4012e6e2fd5333cdfa9e93e669e729b6

SHA512
a6b6170b94b968f3051f39f1244e34c947f0bcdab39367a24b1c4ae37c5e67f21618bb55901ba14ae154a095d290a9e4d7f75fa89bf26f11e56088e0e505a5e5

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
76KB

MD5
9b9d46a081ab56ee0f42a554e96960cd

SHA1
9fb921144e70436f884f10b968aa8f33729116f5

SHA256
c5fe02f98d57055b1d9776e63d9ca760ee94cfedfed5c94055760bfcdafc30ff

SHA512
e06a2b7120e47252c0780ff6a40f9f3bac03fbc9868e7e355b5520124e10bb1af565c4128ffda414b412ee89327c340aef3ed0781cff16df56fa393fd365e3ca

Download Submit
C:\Windows\SysWOW64\Kcgdgnmc.exe

Filesize
76KB

MD5
d7ddb7da216734f01268ac032dc1e8ed

SHA1
44e4c43c06f879c7ceee06dda571533792f82e1e

SHA256
3ac6d1a7b2a632bcb6f41ad75711b9770a06f7187d44b39518a494b42bf4537f

SHA512
d82a9649ee29d6349fcdedaea942e3ec063733e6b7181d773e97f9cd6767ee72ac7a0de907fbf338761c8776d914bb94ce517018771e0b8f9165489f7e8e40f5

Download Submit
C:\Windows\SysWOW64\Kcjqlm32.exe

Filesize
76KB

MD5
8d7a2e4623ba9ded82b54e738d700395

SHA1
40720192eed1f01cf55477668f5abc10bdc918ea

SHA256
4a9c2be67426ce4200d5aabff7539c12dfd19d0048249bf3f444a7b0541c6e4c

SHA512
e17c6e6a27f79c1e4a180163988bc0025bf5e6b968cae164ef3085cfe5df11ee9b4a3b77f9c7aec4663c32a9f8decef2d22d7bb10b4ebf7d7b9a0fef7be46f38

Download Submit
C:\Windows\SysWOW64\Kemjieol.exe

Filesize
76KB

MD5
f30c33c8478b940c7a6d110e96c34f02

SHA1
607226116877ef34f89373d6b723bab50b4a64e2

SHA256
e96cda8c4e231766dbc25ffb73373ef3856d7c4289ee50762f3af87a5101a28b

SHA512
fd0d4c9cf734cfafe3dd6defa22e6e7979f6b921702493acf12e178e64e7bf4a538cfc703faab0e91fc87dd2bedd06cfa8a0ad08343875ff92d292dadf83fe7c

Download Submit
C:\Windows\SysWOW64\Kfccmini.exe

Filesize
76KB

MD5
77ebadcde9408d130650f878377ba54e

SHA1
9feb4bdec3e5538222125f48a715d8d6d55b5626

SHA256
38342cc69ed610572cfd5d07842b81532dc320a67cd808af841a1df46e1cc86c

SHA512
1fb10683bb9c9c6ef01da5e705d16f576dfadd43d29c5fb4e6c634073f0bb26ebbcab3ddbeab0a654b09476cd54705b62176d2c840fb35c7ed52f5e8aa92e51a

Download Submit
C:\Windows\SysWOW64\Kfhmhi32.exe

Filesize
76KB

MD5
a4ac6681531006b6124b3bd4287c780b

SHA1
e8e0a3c7dc9b502719f53b69304527035b93265b

SHA256
cfbf8145acfbc7dc4da97407210c660426a171167323dd9df7a64f01f109a33e

SHA512
ffdee40f91ac2162d18f0c8fda95809a866485aba7e894eaee581d1e004280015723d0e70822a999d9bb01c58eb92af21a8336b55c8c25987a08f6c216d27e90

Download Submit
C:\Windows\SysWOW64\Kfmfchfo.exe

Filesize
76KB

MD5
e4c23a1f20cd98a76e9b848dad4f4125

SHA1
86ef7e52036ca79de4545cf6a97765c710cf737d

SHA256
933e4777f5b5f069c86c5c5e9581248dfca06f0707cbf3b990678f4febc2bfcb

SHA512
4f92191a03eaf275cf02607a1aa919495fde06fe48a0cdb4e3ad60ed16fbe9a63679076bdce03f17ab04e06708f8e9afa2fb2d500cb7233abacbdce0182b912c

Download Submit
C:\Windows\SysWOW64\Kgcpgl32.exe

Filesize
76KB

MD5
65ab833ae29f00f2042c512dfb49a246

SHA1
62ec79ed7a6495f860ff744ef27c3bcf54ff5e13

SHA256
263998d9ad32f316f740e0195fa086d352c9b8f75346b4430751aa5879d053d1

SHA512
17599f8932ba09c9629a6964568ce075355c89daa739ae776973e4912157f473ab6ef85ebccbcc5101140de685747fdd127a748883ad50662b83021da648cc6b

Download Submit
C:\Windows\SysWOW64\Kgqcam32.exe

Filesize
76KB

MD5
7828562a3cdda461813ccd12bf498eb5

SHA1
ad9f06ce114d66251bbf02e49d3e2d40f157047e

SHA256
0e348a3bfe46f123d1bc3ae620b34b861e09582a7b77c33ad462f5d4d95126e0

SHA512
e5f32b11132163d48a7eeb7d3707eed1c01810d863019b152a523b145303835563df75154137be4b094c8e9edb1157e9079a76e020a7aee1657484bf54247f22

Download Submit
C:\Windows\SysWOW64\Kidlodkj.exe

Filesize
76KB

MD5
ddfaa4e06c7164ff35a58720becf6dbc

SHA1
16151f25c96ca236ba3f54ed5bd89f6332253c8a

SHA256
3043937b198f26f18697907677b0ff980f7bb01f5640727fd0c32e39583118c5

SHA512
026d093747b92eb03a780bbefdf0b4d3b05c90f2a8f433c7c5eeaeae80d3e75d6aa1d189a0921937031fcb980f72065df26d557b281e27967cd121b9daf444bf

Download Submit
C:\Windows\SysWOW64\Kjdiigbm.exe

Filesize
76KB

MD5
58551861c1aa2707a289bcab8e853428

SHA1
a9320e7a3b7f676e75231adfd4fdb6b8094ca25a

SHA256
ada8578f9e45cc1ff1a3b085fe8aaac49c4a4a3037f835e9acbe2eaf5a6c60df

SHA512
4fefbfb6392ce2c27265e441d5f189a67bc64b0c9c77fe6cf602e58c05a981c77a6ea1091dd593aa94c12351e2de6c147e862721e4ac1b06c54310e2a10a81ac

Download Submit
C:\Windows\SysWOW64\Kleeqp32.exe

Filesize
76KB

MD5
04098c1a2f1a7c5f2fe741bfd6c61f56

SHA1
a42f538b9872adf8985b49549edbd71c919f8ccd

SHA256
8807d5dc07636d0f7b7da698d0f95da091cd4981ad3e30efdc4bcb1168007b2c

SHA512
7ba6bea2c40f7e5ced845e3e174e02e0fd2c639b26bc03a5f4ac09851c57c1f2e8ef5e4da492eb9198c4acb9b050742b4b7c65edd9b7a690e4199d94cb3b5a1a

Download Submit
C:\Windows\SysWOW64\Klgbfo32.exe

Filesize
76KB

MD5
6fe45dcc3566d5220d46aad7d4a1eaf6

SHA1
220b1a99ea3f921a9c3c200db1c709c70b42ce4d

SHA256
fcf4f571436a32d11ae4a5cd8129157fcd6585de1ea8aea7a67675959774fc35

SHA512
d58a5edac93cecbb7b7373214a56ae3f96201f25a04e8c569aadeff0036d7e0e01e221acc6da5acf3a76aabef97dc3317bcf20e2f322ab25da7ebf7540f29373

Download Submit
C:\Windows\SysWOW64\Knhoig32.exe

Filesize
76KB

MD5
4da1e2378eeeec7c1ac5f46ca6a1ca3b

SHA1
a67f263f218c20a76d436ffe09ee71a0c450b581

SHA256
4af37988db75991a29832ff94a7a94868a3675e2a9e22466f9c0669cc2e89113

SHA512
a1661d99c60606c3d4422630267e01b6ff5f72b73cfb86580df17765abbd97bd4adf87a6936f8c59e155e5ba7d9db197570ce2ba590e2a6e9981ba9a8e1a26af

Download Submit
C:\Windows\SysWOW64\Knkkngol.exe

Filesize
76KB

MD5
4eef45c69e6a68cec67de34a728f6930

SHA1
2e434f2e08611d8c9cb5621a6418a7a1824cce13

SHA256
f4096abd7cd6c65955b1335dc6742b20b87b2abc41f77463d0c56d73aa56d43d

SHA512
2ba574ceb2d9271004d223170f6e36bdbe3e799c3a6eabe7cfffa9a28375a131f7cbf5ca1e7f7fd93fc57818dc2abb9c3df12ee3f9c5eb00e4091e2645e48cde

Download Submit
C:\Windows\SysWOW64\Kpcngnob.exe

Filesize
76KB

MD5
92a47c61807f24abd4fb530a7c7cce75

SHA1
b7ab4907c01225322f4bfd985235c999b7b154e4

SHA256
b415b4c130b9367bbd47c3a31021427d53f5147f2b0f50ff77e935eb7e8081d0

SHA512
65e8e92a30eb59330d2f1e67a64709c18a1f450e10731fd7dfc017d6c9c1a5f3d127fd8cb4be537be67a7aa650396b842a5808adc85371ab60943bc79fe16777

Download Submit
C:\Windows\SysWOW64\Laidie32.exe

Filesize
76KB

MD5
54de4c7c7dbc1170f855d375467b3ba2

SHA1
3e832ffefe6090fb3394724a0b6efc42bb43f5bd

SHA256
826fd5d216dfd023216c157d0466f84014c24635ef51ef729d6077464edd0aa8

SHA512
0e6f91bbe56e511501b7a2b12a815e31fa92a1266f8de68a6744652f6d618a56480c218bb424e79587b4c1fd62abf760b2d57667694018455ce31ab8ab6bec10

Download Submit
C:\Windows\SysWOW64\Lanmde32.exe

Filesize
76KB

MD5
95363e81ea16de47d54a5657fa7f323a

SHA1
6be4cc481573c589d055bec05f8d54d9b73dda28

SHA256
252585073f709ffdb5b234e52bfe86d954aa3e6f40d5e504e5f5576f5ef9c4fa

SHA512
c1f2ecfeb089910f4420454bf1ebc2d0b94c24f7459af56159c17fe87cbe2160ad26ba38294886f76bbe161bbb4936b4ca46b2c42ef1a0de5796e545de722e6e

Download Submit
C:\Windows\SysWOW64\Ldgpea32.exe

Filesize
76KB

MD5
cb801ae544ad5efaa645b231ce177177

SHA1
e34bdf27cc29937505576b9cbe30d262e382ef3c

SHA256
7eb9fb74b700ccf61dea576472cb2645a5097aa286e8708722349fd35c4a9a8e

SHA512
c42485bf2043275108d65b763e6ed3f8c53fdfd331e7e4955461064693039b043b0ad67a763e9093f93e7c2e9e936f43a99863c30250ac3918ed6d5f86fe70c8

Download Submit
C:\Windows\SysWOW64\Ldjmkq32.exe

Filesize
76KB

MD5
27c0bc562860d8ab9e67e9843892a1f3

SHA1
de39506f1e28400de6d93f383a498568098c7863

SHA256
d4f046a3e9e4d3041d624d69c23c3d9200ff79739d5a148163c554c9053f02a1

SHA512
3f74eb322d5d182d8677450d7e017a65b33fd2aee81a6fe15c729b76051c0af8004f38c7a0105c874333bfdc3c37f97416f1d609fcdd4b8058d5e98128e68d92

Download Submit
C:\Windows\SysWOW64\Lebcdd32.exe

Filesize
76KB

MD5
f1ec8d92478748a73ebf14d4c8ed21c3

SHA1
8742700a46fb5c53a102f3ffc29210dd95f371eb

SHA256
67a04d4b5698f2880ecf5d05fd2fe558b327fc1a06b89d8d7039675f1bc7ece4

SHA512
8138257cdc5e2d0da6001744dd17616c572e7a706dd32e7e8809f45e2371879bb8efad0dfa788fe5d44f3afcd6633d4d195afc931c44652a7bdddda47cc712d0

Download Submit
C:\Windows\SysWOW64\Lghigl32.exe

Filesize
76KB

MD5
4de905267ca4e1b9865644b24660f3c0

SHA1
e9c29e15dbc32588a11f4c8994b15fa86879a97b

SHA256
1c474469e8b18b00473387bdb8e1b570ab3ceec4b141da14497fa82815af52b9

SHA512
9d1ad4f3e627bd2041913a88e37e65a2410432d4b6eb32a01cd40dc8e77d22314be7383c1b86b024ce203ac3dc04f90fa3720a23d6d3fd523c2b108ae37a70f7

Download Submit
C:\Windows\SysWOW64\Lhclfphg.exe

Filesize
76KB

MD5
d1099b0c936584ff68c4a15c81d1112c

SHA1
96dd312b3ccd57c4c2ab9e4eacb24c2c74da66c5

SHA256
0a2cd24ad45a86745cc021aba5d2a2c0128347f381059a96e6ca877589da1835

SHA512
5249550db66702e8b8cddbdb551dbec65f417321da3a8a886c67e4f0c0141778ff38c8fd32401a8525310493a712b72c5dd59ef840b95a858f691d89c653f162

Download Submit
C:\Windows\SysWOW64\Lhgeao32.exe

Filesize
76KB

MD5
0bc19d355509f919d6d3baa5190bb7a2

SHA1
7e06f465b18a01f40903cb893a4aeda60385477f

SHA256
4cb32ae61c5fde737470d34800d2dfe5f59ce3ee0a0f9450e197752556f08ea4

SHA512
718868dfabe7d07211369707ac22bb8007f44ed37b52656d8cfb682ac2e74856b67b9d912084f2d194b2ab9b351faa4f34f60c7928ab1b4fd6d18ce0a96eb859

Download Submit
C:\Windows\SysWOW64\Lhnckp32.exe

Filesize
76KB

MD5
b7c2edde46265edae5ae5038409cee78

SHA1
a6a3bcfa7fb9a926b9fdad9e31ed7031048973b2

SHA256
3d2cdb539cba8eb26e4cfa903ba29da4f9e52c54702aae98c616b38cdb05a567

SHA512
419eb40c63929d657b3d145b798a5631fd6af1f4aa89187a994c27c5d805612026be90ae8c7f8e1fde85569c14bda2281d4f5dff1e1e9fa3f14a363f8279e552

Download Submit
C:\Windows\SysWOW64\Liibigjq.exe

Filesize
76KB

MD5
ac49007ab156c2d756daa53ca9bd347c

SHA1
e1b1a8ff8b57a5010e92570e3ecb30482c150bae

SHA256
78edd940e9bc426868ee9b0a9725ca314e33ae58afda814e0d044acdc40d811b

SHA512
e7936c3d1644940b385b652b18c74ad1862d06a1111987f2a80d5717f05678ea8ecd93ac4c7b665fffc18d015d98a84594c5971a15bd6b66ac29be7713931761

Download Submit
C:\Windows\SysWOW64\Lkolmk32.exe

Filesize
76KB

MD5
537dffd7995ae9f3c7a99b1b20aa6817

SHA1
2a22546a27672cd51eedef640a5ae93cd370b79c

SHA256
4878146b9f5f0e0eea3252653a3058f1b57fb45d7c75125adba98e36fbc7717f

SHA512
2a632df8ae90ec7402074b5a0874544c833ed7bad57299a95bd98a85890cd0217456547472b2aa8c7564ac55bebae0c17415f1536a0406abd1844a0586236cac

Download Submit
C:\Windows\SysWOW64\Lmpdoffo.exe

Filesize
76KB

MD5
dcc7763c684dba49317fef40a5df141f

SHA1
5fc61c582aee7fba1ed2738cbd8e7001642e06c6

SHA256
5e5ebd834f5091b4c2e23f1f255bd7c514a257dfd07817d3aca8a78a371d52a1

SHA512
5d5f5acab8791d66ac4a271d91697952e504c1be61491ffbbc804b85f886f8c5768a72b16455ad6a1328c4328db2a1be65b2340f677b8105296336325e2e8e2d

Download Submit
C:\Windows\SysWOW64\Lojhmjag.exe

Filesize
76KB

MD5
66628f3a47d8f550195415a24e9cb9f9

SHA1
e2228885aa7df068bc2f1e1bafbd2d1575a49cfa

SHA256
222b26da87a84d597ae0b3573f60362cbc075414326f663c6bcfd8e5571ecb3a

SHA512
a09fe997580e54ea60c407bc9ab38cc55c429d6215365739f7bc8400bc3905437a8607443308df147ca31bf6b556cbbfb538735cccd8417827ed2bc78916ba8a

Download Submit
C:\Windows\SysWOW64\Lpekln32.exe

Filesize
76KB

MD5
703f8919c45fda902bf7e12c8b31ac5e

SHA1
f459d21de257dd22c5e21e8fa5747a3a13638f49

SHA256
8a4b56835f030fdda57e4d5272dc485ba3d3ed955f639b0aee2cf6fabc8e0b19

SHA512
07cce86ae2b55b862b30c29b43fadaeda7c6148c47edc21313f49ae2360a3b085ef0e7dd0ea2cdc1e80759dde13f4e2d382f7328940327925ccbb1606462529a

Download Submit
C:\Windows\SysWOW64\Mapjjdjb.exe

Filesize
76KB

MD5
2f642fbfcea848678412ea6c17603e1a

SHA1
a2657c44b01bd8f95902a3c8791e1bf2e9eda69c

SHA256
01cc39751ac31314c24ca96fc69157ee5b22905922d4d2bce220e6dfc483440d

SHA512
971f62c220b37cf2bd2ceec358102fe427513bb3c1a698b01c99eb231e08b736ffe3bec013f63a4c740fef4b2ee54bde4df63f0d1498242ec8fa7c3a5dfaded7

Download Submit
C:\Windows\SysWOW64\Mcccglnn.exe

Filesize
76KB

MD5
0405470fa9ed28e902333f03daff07cc

SHA1
081adc8d1d4c5c965f00a9e23afa381087d69f36

SHA256
07cf95b6f3bd54416956cb9bcc371b1ec3cf58874e6062062bfb5c544bd01a9d

SHA512
ccbf54e2ae5232e6610e5b2fa04b5dad30f71da476c694c0ddc967ff8f367868c3cd3cc0af6073403ec9c90d77477e2bfdebbe63214b54b4fb3c419633145475

Download Submit
C:\Windows\SysWOW64\Mdnffpif.exe

Filesize
76KB

MD5
f5b2f82d8d6a9dd0cbf8997e46a3da46

SHA1
90293363632c4fcf8f4fbb48a56db09552899c9b

SHA256
ae62d448d18b59a6a95ad6521d2078b4b6ee4326b916dd7cc05d2d22e6d31358

SHA512
9ecc60cb80da3eb3cadfb2da2d202491ddc8d0ba0d7e7e84ce58e4483dad8d5d4ae296a98b93f684f9fe2d19e4e98f8558c87d375605b6c273c86f04544a2fc1

Download Submit
C:\Windows\SysWOW64\Mdqclpgd.exe

Filesize
76KB

MD5
f323bafa924459b452175c4c7fb5419b

SHA1
ca7e4c4546b636cd8c30e41c09264edc615c84e4

SHA256
c04dc57362a4c5eafcfa1d9682d6bf24d0404d6c3929026a45eb27a9af2fdb60

SHA512
57b0deac13845dceec3c7300015ef361676ac69d3f1bdf9edfcaa625ae771053469f3d2387ca2629b607069e6551900191d8710df1d2aece68f23ad49a6dda5b

Download Submit
C:\Windows\SysWOW64\Mebpchmb.exe

Filesize
76KB

MD5
374e292aa4ace0d8c55432abf5dac7fe

SHA1
e29d12285ef5011bbd8eaad069d824ae3536dc2b

SHA256
5a17ff9770081feb4408b57b89c5a7db10c7c263152777160876ebb2865062b8

SHA512
4956fc369f4aec99de0b6f11f0272a5dd8f6cf0e14ef3775d82663b7630d9db6e47f50c36c499cc584124deab8f0ab3bc6534f8e514d7d9d16e8408510d0435c

Download Submit
C:\Windows\SysWOW64\Mgoohk32.exe

Filesize
76KB

MD5
46b402740dc7c9e3f097205b2c0088e1

SHA1
63855100b7de7c67a27ef3b4e41a895be250c8dd

SHA256
2565decdbbb28590074a820f71d04d00b5214af7e29b69ceb23c8cbe4e1b2f10

SHA512
3d10f4db6cce9ae04d6ba8d162d1f8fc040e844a353e0f21b601f4079366eea636268d340f9d993837f320321c72b8a2f523dbbdf3317b25ff8903ac6f43b306

Download Submit
C:\Windows\SysWOW64\Mikooghn.exe

Filesize
76KB

MD5
0b9af7068fbba72a236e138ec321dba6

SHA1
4ffe3915bf13a3da9eb55897c7c47a0d9ae298cf

SHA256
6f9d909e88f4254f5afecabe54d1af8269a16c7951632560f2db32b767601f6a

SHA512
880c542d565af128469a502eaebb91d0cb5e8db29d11913e075c3a3cea832b97cbd49d01ed664e6fea9882f82de61d16ee90e510cd25871309e3e1a514cc166f

Download Submit
C:\Windows\SysWOW64\Minldf32.exe

Filesize
76KB

MD5
ae50970a541e458ce81252994a3a6240

SHA1
e5dcf96bdb39504285416f3ca734be4201404178

SHA256
19a0f9f1bb3aaa93cfdcdd29a398dd732b317849c4a7141a63e043b86b36efba

SHA512
6ae47d1225370a22e5708e8cb12bf30d719712539db77bd4c2720ef7f6d3183105a19dda83f7ea0137a7526aad9509a0b95a4daba7271e01c0e7b61add112e8f

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
76KB

MD5
3731ce773ba5a43241f92d3445463893

SHA1
1e0b2bb31027e4fa128eaee239fb4e5907ab7e4b

SHA256
fdb5fd1d54a7bba72e4b5bf3cf80205a7588c0c5ad3d1ad29302617d2ccd12e6

SHA512
5aa883d1bd828d1c87808a63f4f9435b4f26675e591282622a0c9b89585d9040ce88a5f805d29982c94af2d55e6f4b9ae4ed720d5c6a54978a30c1375fe63c92

Download Submit
C:\Windows\SysWOW64\Mlikkbga.exe

Filesize
76KB

MD5
73af8e8b01ece357ec1231f04bb4de4b

SHA1
13fc4a3f5ad8532fc8d7a84f4d8697b39b85cb9c

SHA256
90b6e68ef5f30d95c7d03d98467782f41fcaf1361a0eb866ffc50e41cc98c594

SHA512
4084451ac18bffa9f487e87c5dc3dc4e054fcf9abfa6770e9f7d98b3388a6fde7f3654ce6504f274980f19f0a14ab4c5a591224df7dfb3071064f17ce9f295cb

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
76KB

MD5
37f6f44e2c6406685aef11db2e5a873e

SHA1
2307a4d7c3491328583e2e3713963f91d82eb77c

SHA256
dc17e98b9322b0586862a9e0211e2587240a281a9d6ed415cf0dac53605e72ae

SHA512
93e979d9b234d69b777ecc291ad5effa28506b29c6e247498b79669c47acb8ca43f6049f092ca91a73be6844306aae16c379a2fa281ca9a240ea037e6240b983

Download Submit
C:\Windows\SysWOW64\Mmgkoe32.exe

Filesize
76KB

MD5
943bd2cc64dc7b75c1cbba063e13ce3f

SHA1
25478390a1940403530b9eb8fd6a09e19913f490

SHA256
bcef5b49c35a3b2612b4ae43f2e05b5684df59030fe8d832bdd77a0eac9d53c0

SHA512
7c030d930a75f6aace727110a9f1b26820dc93f8f70223098117baf715d0dd6ab2b8a7708f1a3bc63affbb497aca152cb57d46be36df4620dfc21bc8ae944596

Download Submit
memory/376-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-319-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/376-320-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/560-256-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/560-252-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/576-308-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/576-310-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/680-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/900-299-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/900-298-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/900-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-115-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1224-277-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1224-276-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1224-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-196-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1592-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-201-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1632-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-428-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1748-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-74-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1880-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-288-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1996-287-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1996-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-266-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2020-265-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2024-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-372-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2024-374-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2100-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-34-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2160-235-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2208-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-106-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2248-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-329-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2260-330-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2296-161-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2296-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-405-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2328-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-21-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2372-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-223-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/2404-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-395-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2484-242-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2484-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-246-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2532-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-13-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2532-389-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2532-11-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2532-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-361-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2600-362-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2608-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-87-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2612-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-351-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2796-439-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2796-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-438-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2808-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-60-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-340-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-341-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-461-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2980-462-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2988-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-452-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/3028-450-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/3028-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-417-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3040-416-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3048-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-142-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads