7ee1f6136bdcf062002b699e250a4faaaaf1a15282dfb34b8da643cda3f54aba

Analysis

max time kernel
89s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89daf0b90eb50eadccb933367445be0N.exe
Size

112KB
MD5

b89daf0b90eb50eadccb933367445be0
SHA1

93e19efb706e2dcf3e747479be659215e771e61a
SHA256

7ee1f6136bdcf062002b699e250a4faaaaf1a15282dfb34b8da643cda3f54aba
SHA512

ca2edee2885a445412355dac9bf5e922c63166697473b47dba4bf7958851006354b0403893b5812577a2e85f5a8cf91834557533e4deff1b653c77495f42a10b
SSDEEP

3072:pa256E3VFZb0j8ahtwvFaTSdC/+lc802eSQ:psEbvIyC2lc856

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnbkodci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfihml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhdjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcblgbfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgoaap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfihml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnnhcknd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biolckgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqdjceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenioenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qoaaqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfdbcing.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niqgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bghfacem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denknngk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlghpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmilmkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgfdhbq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcdpacgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqcqpc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacgohjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b89daf0b90eb50eadccb933367445be0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kqcqpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niqgof32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jghcbjll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgoaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpofpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdgfpbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lelljepm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkfmmqj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnncii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnncii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lelljepm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngkaaolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okkfmmqj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdonjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnnhcknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdonjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbkodci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnpeijla.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenioenj.exe

Executes dropped EXE 53 IoCs

pid	Process
2888	Jghcbjll.exe
2944	Jnbkodci.exe
1904	Jgkphj32.exe
3040	Jlghpa32.exe
2808	Kdgfpbaf.exe
2276	Kqqdjceh.exe
3048	Kqcqpc32.exe
1488	Kgmilmkb.exe
2060	Lfdbcing.exe
2300	Lelljepm.exe
1836	Lenioenj.exe
1212	Mgoaap32.exe
1772	Mecbjd32.exe
2056	Mnncii32.exe
2184	Mfihml32.exe
1776	Nfmahkhh.exe
2548	Nmgjee32.exe
2572	Nhakecld.exe
2380	Niqgof32.exe
2152	Nanhihno.exe
2252	Ngkaaolf.exe
2452	Omgfdhbq.exe
672	Okkfmmqj.exe
1240	Opmhqc32.exe
1752	Pkfiaqgk.exe
1948	Pdonjf32.exe
2820	Penjdien.exe
1984	Pniohk32.exe
2976	Qnnhcknd.exe
2724	Qnpeijla.exe
2264	Qoaaqb32.exe
2436	Akmlacdn.exe
2100	Abiqcm32.exe
2164	Akbelbpi.exe
1632	Bghfacem.exe
1656	Bfncbp32.exe
1152	Bacgohjk.exe
2756	Biolckgf.exe
2148	Bcdpacgl.exe
1996	Cnpnga32.exe
2180	Chhbpfhi.exe
1928	Cligkdlm.exe
1504	Chohqebq.exe
1640	Dajiok32.exe
1448	Dkbnhq32.exe
1056	Dpofpg32.exe
2016	Dkekmp32.exe
2656	Dlfgehqk.exe
1408	Denknngk.exe
1676	Dlhdjh32.exe
1944	Dcblgbfe.exe
1600	Dlkqpg32.exe
2168	Eceimadb.exe

Loads dropped DLL 64 IoCs

pid	Process
2776	b89daf0b90eb50eadccb933367445be0N.exe
2776	b89daf0b90eb50eadccb933367445be0N.exe
2888	Jghcbjll.exe
2888	Jghcbjll.exe
2944	Jnbkodci.exe
2944	Jnbkodci.exe
1904	Jgkphj32.exe
1904	Jgkphj32.exe
3040	Jlghpa32.exe
3040	Jlghpa32.exe
2808	Kdgfpbaf.exe
2808	Kdgfpbaf.exe
2276	Kqqdjceh.exe
2276	Kqqdjceh.exe
3048	Kqcqpc32.exe
3048	Kqcqpc32.exe
1488	Kgmilmkb.exe
1488	Kgmilmkb.exe
2060	Lfdbcing.exe
2060	Lfdbcing.exe
2300	Lelljepm.exe
2300	Lelljepm.exe
1836	Lenioenj.exe
1836	Lenioenj.exe
1212	Mgoaap32.exe
1212	Mgoaap32.exe
1772	Mecbjd32.exe
1772	Mecbjd32.exe
2056	Mnncii32.exe
2056	Mnncii32.exe
2184	Mfihml32.exe
2184	Mfihml32.exe
1776	Nfmahkhh.exe
1776	Nfmahkhh.exe
2548	Nmgjee32.exe
2548	Nmgjee32.exe
2572	Nhakecld.exe
2572	Nhakecld.exe
2380	Niqgof32.exe
2380	Niqgof32.exe
2152	Nanhihno.exe
2152	Nanhihno.exe
2252	Ngkaaolf.exe
2252	Ngkaaolf.exe
2452	Omgfdhbq.exe
2452	Omgfdhbq.exe
672	Okkfmmqj.exe
672	Okkfmmqj.exe
1240	Opmhqc32.exe
1240	Opmhqc32.exe
1752	Pkfiaqgk.exe
1752	Pkfiaqgk.exe
1948	Pdonjf32.exe
1948	Pdonjf32.exe
2820	Penjdien.exe
2820	Penjdien.exe
1984	Pniohk32.exe
1984	Pniohk32.exe
2976	Qnnhcknd.exe
2976	Qnnhcknd.exe
2724	Qnpeijla.exe
2724	Qnpeijla.exe
2264	Qoaaqb32.exe
2264	Qoaaqb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bcdpacgl.exe	Biolckgf.exe
File opened for modification	C:\Windows\SysWOW64\Chhbpfhi.exe	Cnpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Chohqebq.exe	Cligkdlm.exe
File opened for modification	C:\Windows\SysWOW64\Mfihml32.exe	Mnncii32.exe
File created	C:\Windows\SysWOW64\Nanhihno.exe	Niqgof32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkaaolf.exe	Nanhihno.exe
File opened for modification	C:\Windows\SysWOW64\Qoaaqb32.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Akbelbpi.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Niqgof32.exe	Nhakecld.exe
File opened for modification	C:\Windows\SysWOW64\Pkfiaqgk.exe	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Gaggmmfa.dll	Bghfacem.exe
File opened for modification	C:\Windows\SysWOW64\Dlfgehqk.exe	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Jlghpa32.exe	Jgkphj32.exe
File opened for modification	C:\Windows\SysWOW64\Lelljepm.exe	Lfdbcing.exe
File created	C:\Windows\SysWOW64\Pbkkql32.dll	Mnncii32.exe
File opened for modification	C:\Windows\SysWOW64\Dlhdjh32.exe	Denknngk.exe
File created	C:\Windows\SysWOW64\Nhakecld.exe	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Abiqcm32.exe	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Bfncbp32.exe	Bghfacem.exe
File created	C:\Windows\SysWOW64\Hnnacgdn.dll	Cnpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkqpg32.exe	Dcblgbfe.exe
File opened for modification	C:\Windows\SysWOW64\Omgfdhbq.exe	Ngkaaolf.exe
File created	C:\Windows\SysWOW64\Bghfacem.exe	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Dcblgbfe.exe	Dlhdjh32.exe
File created	C:\Windows\SysWOW64\Aafdca32.dll	Mgoaap32.exe
File created	C:\Windows\SysWOW64\Fbofhpaj.dll	Mfihml32.exe
File created	C:\Windows\SysWOW64\Nggbjggc.dll	Omgfdhbq.exe
File created	C:\Windows\SysWOW64\Chhbpfhi.exe	Cnpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Denknngk.exe	Dlfgehqk.exe
File created	C:\Windows\SysWOW64\Jnbkodci.exe	Jghcbjll.exe
File created	C:\Windows\SysWOW64\Okkfmmqj.exe	Omgfdhbq.exe
File opened for modification	C:\Windows\SysWOW64\Abiqcm32.exe	Akmlacdn.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Dajiok32.exe
File created	C:\Windows\SysWOW64\Bacgohjk.exe	Bfncbp32.exe
File created	C:\Windows\SysWOW64\Dlfgehqk.exe	Dkekmp32.exe
File opened for modification	C:\Windows\SysWOW64\Kqcqpc32.exe	Kqqdjceh.exe
File created	C:\Windows\SysWOW64\Lfdbcing.exe	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Lelljepm.exe	Lfdbcing.exe
File opened for modification	C:\Windows\SysWOW64\Lenioenj.exe	Lelljepm.exe
File created	C:\Windows\SysWOW64\Pihjghlh.dll	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Dcblgbfe.exe	Dlhdjh32.exe
File created	C:\Windows\SysWOW64\Bfimld32.dll	Kqcqpc32.exe
File created	C:\Windows\SysWOW64\Pdonjf32.exe	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Eecpggap.dll	Pdonjf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnpeijla.exe	Qnnhcknd.exe
File opened for modification	C:\Windows\SysWOW64\Biolckgf.exe	Bacgohjk.exe
File created	C:\Windows\SysWOW64\Ngcjbg32.dll	Chhbpfhi.exe
File created	C:\Windows\SysWOW64\Jgbpkc32.dll	Denknngk.exe
File opened for modification	C:\Windows\SysWOW64\Jgkphj32.exe	Jnbkodci.exe
File opened for modification	C:\Windows\SysWOW64\Kqqdjceh.exe	Kdgfpbaf.exe
File created	C:\Windows\SysWOW64\Nmgjee32.exe	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Qoaaqb32.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Ipojic32.dll	Biolckgf.exe
File created	C:\Windows\SysWOW64\Kgmilmkb.exe	Kqcqpc32.exe
File opened for modification	C:\Windows\SysWOW64\Lfdbcing.exe	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Lenioenj.exe	Lelljepm.exe
File created	C:\Windows\SysWOW64\Cligkdlm.exe	Chhbpfhi.exe
File created	C:\Windows\SysWOW64\Cifoem32.dll	Dcblgbfe.exe
File created	C:\Windows\SysWOW64\Dhmbnh32.dll	Kdgfpbaf.exe
File created	C:\Windows\SysWOW64\Mnncii32.exe	Mecbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Niqgof32.exe	Nhakecld.exe
File opened for modification	C:\Windows\SysWOW64\Akmlacdn.exe	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Fcdcfmgg.dll	Qoaaqb32.exe
File created	C:\Windows\SysWOW64\Dlkqpg32.exe	Dcblgbfe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2168	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfihml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkfmmqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkqpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghcbjll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnncii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmlacdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nanhihno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfncbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfmahkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgfdhbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Denknngk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgkphj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqcqpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mecbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfiaqgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnnhcknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b89daf0b90eb50eadccb933367445be0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkaaolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qoaaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhbpfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chohqebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlfgehqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lelljepm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pniohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpeijla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlhdjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqdjceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmhqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abiqcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacgohjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbkodci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoaap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenioenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdonjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Penjdien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlghpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdbcing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cligkdlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhakecld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcdpacgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgfpbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niqgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bghfacem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgmilmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biolckgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcblgbfe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgoaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Penjdien.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcblgbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlkqpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnbkodci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emadmmop.dll"	Jgkphj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgoaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jghcbjll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgkphj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnncii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnnhcknd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcblgbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cligkdlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlkqpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lelljepm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feglnpia.dll"	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkicc32.dll"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mecbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bacgohjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b89daf0b90eb50eadccb933367445be0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biolckgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chohqebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejqea32.dll"	Chohqebq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmbnh32.dll"	Kdgfpbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaggmmfa.dll"	Bghfacem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfihml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmep32.dll"	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll"	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdcfmgg.dll"	Qoaaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnacgdn.dll"	Cnpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll"	Chhbpfhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kqqdjceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lenioenj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbodi32.dll"	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niqgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqefea32.dll"	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafdca32.dll"	Mgoaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhbpfhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfimld32.dll"	Kqcqpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngkaaolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlghpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnkhh32.dll"	Kqqdjceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgmilmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcfcjo32.dll"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biolckgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chohqebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmbfk32.dll"	Dajiok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2888	2776	b89daf0b90eb50eadccb933367445be0N.exe	30
PID 2776 wrote to memory of 2888	2776	b89daf0b90eb50eadccb933367445be0N.exe	30
PID 2776 wrote to memory of 2888	2776	b89daf0b90eb50eadccb933367445be0N.exe	30
PID 2776 wrote to memory of 2888	2776	b89daf0b90eb50eadccb933367445be0N.exe	30
PID 2888 wrote to memory of 2944	2888	Jghcbjll.exe	31
PID 2888 wrote to memory of 2944	2888	Jghcbjll.exe	31
PID 2888 wrote to memory of 2944	2888	Jghcbjll.exe	31
PID 2888 wrote to memory of 2944	2888	Jghcbjll.exe	31
PID 2944 wrote to memory of 1904	2944	Jnbkodci.exe	32
PID 2944 wrote to memory of 1904	2944	Jnbkodci.exe	32
PID 2944 wrote to memory of 1904	2944	Jnbkodci.exe	32
PID 2944 wrote to memory of 1904	2944	Jnbkodci.exe	32
PID 1904 wrote to memory of 3040	1904	Jgkphj32.exe	33
PID 1904 wrote to memory of 3040	1904	Jgkphj32.exe	33
PID 1904 wrote to memory of 3040	1904	Jgkphj32.exe	33
PID 1904 wrote to memory of 3040	1904	Jgkphj32.exe	33
PID 3040 wrote to memory of 2808	3040	Jlghpa32.exe	34
PID 3040 wrote to memory of 2808	3040	Jlghpa32.exe	34
PID 3040 wrote to memory of 2808	3040	Jlghpa32.exe	34
PID 3040 wrote to memory of 2808	3040	Jlghpa32.exe	34
PID 2808 wrote to memory of 2276	2808	Kdgfpbaf.exe	35
PID 2808 wrote to memory of 2276	2808	Kdgfpbaf.exe	35
PID 2808 wrote to memory of 2276	2808	Kdgfpbaf.exe	35
PID 2808 wrote to memory of 2276	2808	Kdgfpbaf.exe	35
PID 2276 wrote to memory of 3048	2276	Kqqdjceh.exe	36
PID 2276 wrote to memory of 3048	2276	Kqqdjceh.exe	36
PID 2276 wrote to memory of 3048	2276	Kqqdjceh.exe	36
PID 2276 wrote to memory of 3048	2276	Kqqdjceh.exe	36
PID 3048 wrote to memory of 1488	3048	Kqcqpc32.exe	37
PID 3048 wrote to memory of 1488	3048	Kqcqpc32.exe	37
PID 3048 wrote to memory of 1488	3048	Kqcqpc32.exe	37
PID 3048 wrote to memory of 1488	3048	Kqcqpc32.exe	37
PID 1488 wrote to memory of 2060	1488	Kgmilmkb.exe	38
PID 1488 wrote to memory of 2060	1488	Kgmilmkb.exe	38
PID 1488 wrote to memory of 2060	1488	Kgmilmkb.exe	38
PID 1488 wrote to memory of 2060	1488	Kgmilmkb.exe	38
PID 2060 wrote to memory of 2300	2060	Lfdbcing.exe	39
PID 2060 wrote to memory of 2300	2060	Lfdbcing.exe	39
PID 2060 wrote to memory of 2300	2060	Lfdbcing.exe	39
PID 2060 wrote to memory of 2300	2060	Lfdbcing.exe	39
PID 2300 wrote to memory of 1836	2300	Lelljepm.exe	40
PID 2300 wrote to memory of 1836	2300	Lelljepm.exe	40
PID 2300 wrote to memory of 1836	2300	Lelljepm.exe	40
PID 2300 wrote to memory of 1836	2300	Lelljepm.exe	40
PID 1836 wrote to memory of 1212	1836	Lenioenj.exe	41
PID 1836 wrote to memory of 1212	1836	Lenioenj.exe	41
PID 1836 wrote to memory of 1212	1836	Lenioenj.exe	41
PID 1836 wrote to memory of 1212	1836	Lenioenj.exe	41
PID 1212 wrote to memory of 1772	1212	Mgoaap32.exe	42
PID 1212 wrote to memory of 1772	1212	Mgoaap32.exe	42
PID 1212 wrote to memory of 1772	1212	Mgoaap32.exe	42
PID 1212 wrote to memory of 1772	1212	Mgoaap32.exe	42
PID 1772 wrote to memory of 2056	1772	Mecbjd32.exe	43
PID 1772 wrote to memory of 2056	1772	Mecbjd32.exe	43
PID 1772 wrote to memory of 2056	1772	Mecbjd32.exe	43
PID 1772 wrote to memory of 2056	1772	Mecbjd32.exe	43
PID 2056 wrote to memory of 2184	2056	Mnncii32.exe	44
PID 2056 wrote to memory of 2184	2056	Mnncii32.exe	44
PID 2056 wrote to memory of 2184	2056	Mnncii32.exe	44
PID 2056 wrote to memory of 2184	2056	Mnncii32.exe	44
PID 2184 wrote to memory of 1776	2184	Mfihml32.exe	45
PID 2184 wrote to memory of 1776	2184	Mfihml32.exe	45
PID 2184 wrote to memory of 1776	2184	Mfihml32.exe	45
PID 2184 wrote to memory of 1776	2184	Mfihml32.exe	45

C:\Users\Admin\AppData\Local\Temp\b89daf0b90eb50eadccb933367445be0N.exe
"C:\Users\Admin\AppData\Local\Temp\b89daf0b90eb50eadccb933367445be0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\Jghcbjll.exe
  C:\Windows\system32\Jghcbjll.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Jnbkodci.exe
    C:\Windows\system32\Jnbkodci.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Jgkphj32.exe
      C:\Windows\system32\Jgkphj32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\Jlghpa32.exe
        
        C:\Windows\system32\Jlghpa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\Kdgfpbaf.exe
        
        C:\Windows\system32\Kdgfpbaf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kqqdjceh.exe
        
        C:\Windows\system32\Kqqdjceh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Kqcqpc32.exe
        
        C:\Windows\system32\Kqcqpc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kgmilmkb.exe
        
        C:\Windows\system32\Kgmilmkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Lfdbcing.exe
        
        C:\Windows\system32\Lfdbcing.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Lelljepm.exe
        
        C:\Windows\system32\Lelljepm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Lenioenj.exe
        
        C:\Windows\system32\Lenioenj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Mgoaap32.exe
        
        C:\Windows\system32\Mgoaap32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Mecbjd32.exe
        
        C:\Windows\system32\Mecbjd32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Mnncii32.exe
        
        C:\Windows\system32\Mnncii32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mfihml32.exe
        
        C:\Windows\system32\Mfihml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nfmahkhh.exe
        
        C:\Windows\system32\Nfmahkhh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Nmgjee32.exe
        
        C:\Windows\system32\Nmgjee32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Nhakecld.exe
        
        C:\Windows\system32\Nhakecld.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Niqgof32.exe
        
        C:\Windows\system32\Niqgof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Nanhihno.exe
        
        C:\Windows\system32\Nanhihno.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Ngkaaolf.exe
        
        C:\Windows\system32\Ngkaaolf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Omgfdhbq.exe
        
        C:\Windows\system32\Omgfdhbq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Okkfmmqj.exe
        
        C:\Windows\system32\Okkfmmqj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Opmhqc32.exe
        
        C:\Windows\system32\Opmhqc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Pkfiaqgk.exe
        
        C:\Windows\system32\Pkfiaqgk.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Pdonjf32.exe
        
        C:\Windows\system32\Pdonjf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Penjdien.exe
        
        C:\Windows\system32\Penjdien.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Pniohk32.exe
        
        C:\Windows\system32\Pniohk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Qnnhcknd.exe
        
        C:\Windows\system32\Qnnhcknd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Qnpeijla.exe
        
        C:\Windows\system32\Qnpeijla.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Qoaaqb32.exe
        
        C:\Windows\system32\Qoaaqb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Akmlacdn.exe
        
        C:\Windows\system32\Akmlacdn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Abiqcm32.exe
        
        C:\Windows\system32\Abiqcm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bghfacem.exe
        
        C:\Windows\system32\Bghfacem.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bfncbp32.exe
        
        C:\Windows\system32\Bfncbp32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Bacgohjk.exe
        
        C:\Windows\system32\Bacgohjk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Biolckgf.exe
        
        C:\Windows\system32\Biolckgf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bcdpacgl.exe
        
        C:\Windows\system32\Bcdpacgl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cnpnga32.exe
        
        C:\Windows\system32\Cnpnga32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Chhbpfhi.exe
        
        C:\Windows\system32\Chhbpfhi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Cligkdlm.exe
        
        C:\Windows\system32\Cligkdlm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Chohqebq.exe
        
        C:\Windows\system32\Chohqebq.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dajiok32.exe
        
        C:\Windows\system32\Dajiok32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dpofpg32.exe
        
        C:\Windows\system32\Dpofpg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Dkekmp32.exe
        
        C:\Windows\system32\Dkekmp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dlfgehqk.exe
        
        C:\Windows\system32\Dlfgehqk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Denknngk.exe
        
        C:\Windows\system32\Denknngk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Dlhdjh32.exe
        
        C:\Windows\system32\Dlhdjh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dcblgbfe.exe
        
        C:\Windows\system32\Dcblgbfe.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dlkqpg32.exe
        
        C:\Windows\system32\Dlkqpg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
        55⤵
        Program crash
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abiqcm32.exe

Filesize
112KB

MD5
b7380629f5d9ede811d4c4a7e723747f

SHA1
f99d63e35a3d35e077a8584794ca896bd42fca1e

SHA256
87a048b38ea029715b847fe4e04f24a4c94f952f4a13b579e085aadb5d7a866b

SHA512
3b0259e3ce1bca8574a42fe31f221e2ecbf0677202d2e591241394bea84c835a836f02267e9be2d44be1d28c703d3d5fa1f1eb211283c9d6ade25cd886e5a9de

Download Submit
C:\Windows\SysWOW64\Akbelbpi.exe

Filesize
112KB

MD5
1305f4a0efeeb94810756e0d3deb9914

SHA1
58774480764686cd17174080efc7f5cb0844e5f8

SHA256
c81dd01d5b5a8737b6ae1f5bfab211d550b6908f86f9ed7f7e501bec45d55703

SHA512
28afb140b37b84af3d7b9abee3088262a38380d65850e166f8fe4a54ac54c5696b6456d7930dca024d701854cb8970e142ee8b624529d5016ec0caba4105b958

Download Submit
C:\Windows\SysWOW64\Akmlacdn.exe

Filesize
112KB

MD5
71e1308845465711acecff60f9536fe8

SHA1
99ae701625491c10198fda5e1ba83d5f4edde09c

SHA256
2b026b1442daaeb1f057ab264f1814dacfc0cbc5a7e160e8cc88312eba851cd7

SHA512
ad643cad32ff0a7e95d523250f69a59c83aecf706d790a992c4b7f1ae901bd8e05291326584630308b138d36f0dfaa6120fc2198f1d10a8113f0ccddc046125e

Download Submit
C:\Windows\SysWOW64\Bacgohjk.exe

Filesize
112KB

MD5
e0db072b9978b6b7ac8b8d14cb8a7a14

SHA1
bc12927a60cd6b314cc5bf1bfad5ba8c08b59425

SHA256
c1b5dea7b92eb02b23262ee8c9f483091f93961a8708af61201f4060c0087bf6

SHA512
08d1e403a6499fd457ba2396e81299abb13cf550508799454b6a7c44645d9ec32923514f7e2699d07fd64f8509a556e2793a00deac75482ebf7753a3d244cf2a

Download Submit
C:\Windows\SysWOW64\Bcdpacgl.exe

Filesize
112KB

MD5
ae40c5aada5a16bb9356401ee3f255e3

SHA1
1cd144399eda40794eebe3db6318725f464a6d1b

SHA256
38d560e20c58f0632b4fff7b279ae51847ac140e9a96805f9573fce0224deca0

SHA512
ef4493f2d1dd909dacd925694728f472b578fb931ff41f7c831d2106ccd3769480584e76a9479795b075e2cbaadcb24fd93cfee5fac78e4a0d8fd6c284de7197

Download Submit
C:\Windows\SysWOW64\Bfncbp32.exe

Filesize
112KB

MD5
2387dd41f7e3871e458914a18cd6afae

SHA1
f1072a2c743e20a212af1d5ea5acd1c98a17f1f6

SHA256
f6b20de8a670986dc3b0dacb6a51a794ed10912df5553434eaf5d5eba6e84f2f

SHA512
379cd9d298af73e41362b7b4ea8450255392c70397971c5bce1997591cce7396658fa15c25a01ae047245085d85a3b7229f1ddacf86fe294e714aa3e8afc6850

Download Submit
C:\Windows\SysWOW64\Bghfacem.exe

Filesize
112KB

MD5
bbe3d090a25444c198c1a1defd30c316

SHA1
26623d2928d7941dbebc90f6b011cd915071a197

SHA256
acb77e9c06ae7d1029de95a4b0957e336ee62f26946d442d79db509e9e8d1e2d

SHA512
473cd40a18ad1fe7d90fbc3415ac961944be1cb3216d0b5ad7a048b6ca08215cd9a5f243cf0e7e1ff962abc70837054ab82c22a6feafc1d861834265cab1b6f8

Download Submit
C:\Windows\SysWOW64\Biolckgf.exe

Filesize
112KB

MD5
b966a5b71f60e0b07930236ece861587

SHA1
6ae70447d6ae6961c658e5cdbb02d50f58c4b6d5

SHA256
26bf9528e841d97f0b6e42aabc6f048ebb0704174bd56b49c70d24efd7cc9e63

SHA512
0801ad504966f53ce09f87556f0b860c1534d99d29116fbe5d98e746aecb0803ac3756f7ba4e92405e40fb806506efc7cfd84c791560ee8d7fa9fd164cbf7f88

Download Submit
C:\Windows\SysWOW64\Chhbpfhi.exe

Filesize
112KB

MD5
ca3f54b5457d1f9f838202356b0f471a

SHA1
049a614c853812cce21c59474938c5510e5bb195

SHA256
371921ef0e89a161e4b6ff0aaf6aace50e08f26f9c0a62991ace4add66d3756a

SHA512
03e851b64798c900e74872b665dd6bf5904bd2a949351a490f64fbd1514e777a53b8deb3fbd61e6008b53fe85635f71891799f6a77299b4d4ab5fce31415d9bd

Download Submit
C:\Windows\SysWOW64\Chohqebq.exe

Filesize
112KB

MD5
4b884b3959ddc75b729a4a7ce5efb6e1

SHA1
27e0b701fbda5c0bb810afae75b16b3458e7f12d

SHA256
28a95e99dcdde0a1b0fe68bf6db5563f54e8a658bfd477e9a861c6d2f6d4c56c

SHA512
5eb10d62796de125a5c71d078a2fb1131043ade07bf117aaebb1c07f44fcaea8a1b425a755a9ab0de6834478349f767b1e229ae22368d7789663d3efd5fee3db

Download Submit
C:\Windows\SysWOW64\Cligkdlm.exe

Filesize
112KB

MD5
95a30d50c358cd0fd8e0b7968385c78a

SHA1
95b9e3e2ba0b70b4785b6c8af7b6076075631623

SHA256
059c404c9b917173513be5e778db992cffcaaf6ccf4f7bcd57043d01fca44a8a

SHA512
79de476b4a4ec332e590a85dee96b0bb8b1d699700e129395bcf5a38249ec9552d1569f0c0940f5efe1e6b83d9833f23ded44ce48df69e091412fd45003774d4

Download Submit
C:\Windows\SysWOW64\Cnpnga32.exe

Filesize
112KB

MD5
90cc3b37f9572205b145a6c4c9b1df0b

SHA1
b5060aaecccfdd0b1db00e5f0bdc7a26f86bc6f5

SHA256
c7b9a4c125bd592320dc23dca7b6058b96b919091760841c319498639e31ef50

SHA512
59d301b709ee0a0e65fd821dad00fd837728e78f1adaf089125abaff38639e06c4372b1d8b7eb40325b6168ba557c1beb0fed831d06dfad966eb42747d6c6167

Download Submit
C:\Windows\SysWOW64\Dajiok32.exe

Filesize
112KB

MD5
69c72c58f56cb40a65c6957946611420

SHA1
7bb11f7ce5c9e568d1a49bb2f4f1f88b1dc2979b

SHA256
93383c05ab05a5c5e02cac0385fbe320cf96dfdd6695d2f0d736c65d833802f2

SHA512
800925d83fca138ddf919f56ae5106bf9c7e43b53aa3951857f0001e748d7158e8e7fc5239be71d2dbfa097298187d0b5ae541fb765b4748653334196d64c55c

Download Submit
C:\Windows\SysWOW64\Dcblgbfe.exe

Filesize
112KB

MD5
8a99fc6be7dd6fd4e710e7639be660f9

SHA1
e92d9587ee8ce3765ca0d5701052fa69b03d512e

SHA256
690db57014c42a42fde7d7b06645637eb35d8fac59873764c82742c3abcf26e9

SHA512
1b9779045457d7320a0385bd3f928a995264c9d35645c8ca8c3a888e6f11e146879eb2d9800751f513595a360596b1bb10d6d1d54ab807d9205c378f0991ad3b

Download Submit
C:\Windows\SysWOW64\Denknngk.exe

Filesize
112KB

MD5
40f5de8aacba75722aaa14958c4120a7

SHA1
77d0b7831e4c0fc583246ce5f6511da8b9372560

SHA256
8fc368f40b1c0e8b504067f3daf270ba569a23a307bfe5fc33a53ab0cb850847

SHA512
b74c5e2f0bb0cab43058c2a1d3cd6847dc5bc8fa3755ff6388b83f64d097458d38cfdfcfcc08d60c33c12189ab81a6e6d8c0993a6f7dea271ce718dd4f5af37d

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
112KB

MD5
79ced8ca6c1e75bce071bffc9fb50dc4

SHA1
be1ca2f575fb80929ee9c2f324ce37b91ba0bbdf

SHA256
678aeea6efaf2430468827a8d61449f74830c57730fbaabae6b3fb6b1c2e2482

SHA512
df7e58e57564ed52d63c616fade2206ed593fb3144cb9d849876de34d5bd3d31b8adfe0eaf9451bc25d3831277313fed8ea7776699b3b37ddd81c1792d6126ec

Download Submit
C:\Windows\SysWOW64\Dkekmp32.exe

Filesize
112KB

MD5
75a81e91cc573ef7d9c0d2b9f5da0d8d

SHA1
707719f7dabda55f3a81eec4933c704a67cfae52

SHA256
759d79c36f62e827c25fe79a9c1df9f23330e55dfc28f13a4e7a81edd306dbeb

SHA512
0935b2a4365528dcceb99af1733515e3ce70e5e517a45c62544c0963199778911b3fef6de6acba6f9b378cfa526ce8ca49d436f4d44d91e409f627848e4ca973

Download Submit
C:\Windows\SysWOW64\Dlfgehqk.exe

Filesize
112KB

MD5
75b106e4b56eb1dc6f1cc8fec5fb69a5

SHA1
ac5dd1a1c16c2e21da066d22cfa4e232d2380e56

SHA256
23678b3da7ab98d5931b192d81c75efdc5cbdac6bb536887b7e178dd1244d9cd

SHA512
cffd73aee34e2268f7fb0ecc3db084ce31f27d72a244a7e95d057fabae9b0cbdb52a0ff79fe8ce991433e0d741eefb4973fbe069e4854eb2bf74215e66323439

Download Submit
C:\Windows\SysWOW64\Dlhdjh32.exe

Filesize
112KB

MD5
c0dd88662e7e4bc27bb7114a6a1929dd

SHA1
7b5f41ddd32b9c026f440c9738561a9958c94272

SHA256
dbd748be056945199ca0e3941f1a5ff5d40f719da8032f34e52b43abf1bbafc4

SHA512
3c7a6fa36af2b24900f32717bd78451e52d81f060b001b38f7310c454c405ba3c2c10ccd5e81a88eb50edbe28b082dcf83b32228afb6e8850a07e38f909f4570

Download Submit
C:\Windows\SysWOW64\Dlkqpg32.exe

Filesize
112KB

MD5
bfdedbe21ee7305698d56efa0157cf83

SHA1
fbd14a28fa86326561c2e0fd4c0c8de88b2a80f8

SHA256
76322b1a739ef9c08c4e69da1521e2fcd873ae5cbf6057030eb8bb35fc2192b4

SHA512
f60be21300db9e99b6fe5c99bc8e17193d9291ce110d05ca556c25c8302adb4f16cac0a3fe0da0a905129f453672b7ab29e4702fa65555bd8cba9982d9ab94be

Download Submit
C:\Windows\SysWOW64\Dpofpg32.exe

Filesize
112KB

MD5
50f19193958b7a727216d5726efbaf99

SHA1
124316766e9f16ce1b5d3c0bb70229d4c80d4ade

SHA256
08440787d42b18c66bc3d89dfad35851cea273d7f83e35f9725c828269d1dd57

SHA512
bf3cdcabda6d950cd1606e4ac94c5f28c0719a7bf6eebf5cdfc9f7f0f6fa1eb49522cc738b642c55581efeee056916b3a411f5b769e95626c7b379b68f9c998b

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
112KB

MD5
1a2e3d13a4b210887fd62a01d3b1d44c

SHA1
7f2e45b72cef11e5df7620192dd5f62d2397e99c

SHA256
4f9a6f24d05f60d1d72f93f1bfd7fd7ba8d60f74199c02ea187f2f9ff62426c2

SHA512
c735109906c5fec864939325238c95ac932d214827f3abb5a780d534533586271437de2fea6690063ef1cbe04a29d3c7bbb72af69cf45682025065810db6e399

Download Submit
C:\Windows\SysWOW64\Imgmggec.dll

Filesize
7KB

MD5
d85f72c3023dfe87bc155bcd7017e4f3

SHA1
9f4c7e949d98961f92afd59deb0a1f9362c07104

SHA256
b6a92884bcb6e55c937a02251d006c571bfc7992866294f994646ae1705c36af

SHA512
69586b0fc32f921ddc9c9d061acb5a90a3046c399121c086f299c3628d3a342b252eac60504e3d846a10b45351b10d44eac711bd12b367966e56b551067e7096

Download Submit
C:\Windows\SysWOW64\Jgkphj32.exe

Filesize
112KB

MD5
18b64a032c6d2738a98ba75fb7639ed6

SHA1
f8b10f1511b20df80e490a869a108839b8138703

SHA256
5a3ed20f9273716d51137a9e28205e259755be7a6ebeb1f4975a7d5376e70030

SHA512
69d43a8369f2f71bf2815578b6c23c3470d1953eb2ec3a70ef2b47a3ac1fbcd87c66b41b0fd85793b99b3fb7d4b52090f9fc20603f5b2adadf577bbefdf7002c

Download Submit
C:\Windows\SysWOW64\Jnbkodci.exe

Filesize
112KB

MD5
c75771b32468719004f9be6efcf6ce97

SHA1
be02486fbaeb34bb50c3c696a2891c05e2e1bd88

SHA256
e05f38cca27fbff9b00bdd3d35971630f731a2b8dad44e785795ec2957dc096e

SHA512
34aeae7c851e664bcc8714bb11f461307884b285157f426caf77e1c92be5ab2f2ceb4ab89aa73b109070dff86f17ec749d9ed48ccda3b17a48f4a22cb592cb80

Download Submit
C:\Windows\SysWOW64\Nanhihno.exe

Filesize
112KB

MD5
a77127c4c79215c3756272437f002dc2

SHA1
da0115a74b5a0cf12e490c436c85d8a4460a5696

SHA256
0f544819b0e01b0a1ba2d5de1a3b6e683f74a3840d83c4a456184e9cb4fc8d90

SHA512
c9f333398b2a235d3e8ac5440d454697067785af8031a52580ba9acfc478628b13c9fa06a3262c3db7c8fd557c3e9547469dc2e8bec1c763f9badc9be5f6f381

Download Submit
C:\Windows\SysWOW64\Nfmahkhh.exe

Filesize
112KB

MD5
0c9f81ed66156f3005d2558708372f7e

SHA1
e4d8a2f793edbb31ff6c53c9bcf94879a35a2f46

SHA256
7684b907eb86ba62c6c7a8111ecbd28987aae824dfb206f96ba6db3bd60a0a54

SHA512
007dd7b49da22aa61e0f243f815c7c4a86b234f7eaad86deca7684c06c661f0c1803c6a07b511e3f2af3c5e82882f3025e0ecdd04d19281c21835b5e8f771a75

Download Submit
C:\Windows\SysWOW64\Ngkaaolf.exe

Filesize
112KB

MD5
475a45c22e5cb9115fd60a18c12a1ea6

SHA1
85a636e95352ff057fbc31fab80f503d97f026dd

SHA256
eb4028484b91b1cbf00621fbdcceca90d0b975289d330f30c3dd6a9e723e3c88

SHA512
3aa7306a7d77d56efcd2a268d1a43b3002bec3a7b2566dab4563a5d2a64104a4a9d3a3ca94193be34ffa94bb2742288c03081feb05bb3bfc72f0a1e7828057c8

Download Submit
C:\Windows\SysWOW64\Nhakecld.exe

Filesize
112KB

MD5
b5e4bc10c2375a1ad9c762240d9faf6a

SHA1
168fcaa0f091fd5299c394a5086652b2b72e4c89

SHA256
a95b9862fc44d47c55d720d8b2b90a9b3d276a20e84b00c1fbb8366d3ea5d458

SHA512
30ea54546764a5d0679dc053e45f1205185912bcc0c79bcbec7c86d2644fbaba3cfe4dbd0352c0fa8f5f693bd76078c7bd601cb37290315681eb7ec2209d881e

Download Submit
C:\Windows\SysWOW64\Niqgof32.exe

Filesize
112KB

MD5
5ac44ddeda0f8232cb7918b7c5638d26

SHA1
d3fe481eb844629caf86241db100d89ac3b06ca3

SHA256
c19aadf30f070fa5917cbd0189b15a6387d3d11cd929a6fddc4d20e9c0a30d1d

SHA512
683cf3b3dccfa68125e9580c27ca7dcb2c7fb82f10635fff03aaa1a6069d4505f2d28f965956c5bb12619b1f64c5faf8b45cacc0b1cd202fd2942acb97e9cb00

Download Submit
C:\Windows\SysWOW64\Nmgjee32.exe

Filesize
112KB

MD5
179c8b9f1e548406911ef9471709e7e8

SHA1
b26e6dec46e3ee44b806379ffaec7857a7f2b262

SHA256
480cd23626464782e2bf430b8fe1dc0a1288e9a00f508c3c4d8de96ca1e5a37f

SHA512
de4527303197118f7d1a41c33910b2e382597e0c8b96be2f5f7f02afe076cb0312187530f1af66b7ff9e98abb4d45a371aab599d3ca3a449bb2a1ff6e14cdef1

Download Submit
C:\Windows\SysWOW64\Okkfmmqj.exe

Filesize
112KB

MD5
9e3341ba1f97f5b522a9f5f04b9ad751

SHA1
74a02dd0b49e1ff0494245d579270bd90b515f45

SHA256
16941d9971147239ef43373ca0de7ad3dfdd28d0d45c707f21876d8276dd48f3

SHA512
e90094a613bc846e5d0b942e1b23e3d9afb908fd8b436419272687af67941c34532f93c8fab725e09de8ed5be937551846b88e41b2b4d69d24a2e4256bc6dbd0

Download Submit
C:\Windows\SysWOW64\Omgfdhbq.exe

Filesize
112KB

MD5
51377d2892af9ec83347c6e7c1d03b4f

SHA1
dcfe96ba88417f8d2b24f458a4adc2838e159c42

SHA256
cbccd07a08f6acde0f5f57a7d5e3e2a77f15cf5f0e1d71b0e8f5dc808dbda17a

SHA512
d482bd6e808ef1e82d2f47cbb9ba18432ebf5ad3c3fb47adc083847fa3e1d33964e09383cd0924710da33063e36a2134606f2396d2933ba77d208371f715144b

Download Submit
C:\Windows\SysWOW64\Opmhqc32.exe

Filesize
112KB

MD5
e1f0a4ca7e7818ddc1fd7660e5edb6bf

SHA1
bf166e7d4260134f4f59ce3c2c83d7df94e706bf

SHA256
01ea074ee244b9955f28029fd77d7542d74b44795bae78b3f70bd59aacd8a42d

SHA512
18cadf209a1f6040dbc49a379a4f353653e44de2e1896d04eff2a3552004785cde8731d4a4338f74f8784b5868136b915c6c1be05b69dcbab23b3b73311baeb3

Download Submit
C:\Windows\SysWOW64\Pdonjf32.exe

Filesize
112KB

MD5
4817d21cb18323804b40412f9cb5acb8

SHA1
2eb064ed67eb1dddbee0602b653ede6d691044d4

SHA256
4671661c474d60652ddf5ed13e9db7063445c1937f2d0cb93a45b41f849548d5

SHA512
676660d3b8f0386029b7cfcc0507baae5edaa1619dc10a979529953e5103816e9800940359784e235df66ddd78682cc2f1e672ba427216c9f685b30fa0602abd

Download Submit
C:\Windows\SysWOW64\Penjdien.exe

Filesize
112KB

MD5
38a96e539d2514df6e2bc6c491a42508

SHA1
cb633af254db86c8ac824431090ddfb151adf4e7

SHA256
946b1c911bfbed4f8a7dbcfc895aff92dc5a62d97dd09f1f6ea36f4f2df34206

SHA512
5675ae607b09f563e4906feb82ffb71e96c5c5c8c4153583449a560cdbea127c8440ce74c1341fe50bc303117a8bda9d667f6c2f3bee0536160f33e58214262d

Download Submit
C:\Windows\SysWOW64\Pkfiaqgk.exe

Filesize
112KB

MD5
2bab7943e9ee63fddf6d30ea31b8535e

SHA1
e5b456a217fae27cfe8f971c112686f237237ae2

SHA256
7df8a85f1417f64d609ed12df9ee8f07d94f7c7e5d519cc8985212b75bc013e5

SHA512
6c023d66852a6e00baf8c90ae590c2c02b3d1db3b85f258f1e995fa5583ac0d15c4f88c6d4f8f60e85b1a8b7eed5998d9df9906c149888194a7ab190079472b5

Download Submit
C:\Windows\SysWOW64\Pniohk32.exe

Filesize
112KB

MD5
a818ecd865edae5cbc3e99e1c7a363ea

SHA1
d4d5bdb706e11d69fab088de03286de3e6cf9c19

SHA256
6fcfd8b37e30e6e8ab5704e86b075b44ecee7947c3dbc51fc77a828d45c6746c

SHA512
40177290b60412966801fa2a20181bd3e51003d382f387b601ddbf466384eb32d98ffb174ab804d0055f1cde8866b8f4062b6b53b3786e8593d40086b75d69de

Download Submit
C:\Windows\SysWOW64\Qnnhcknd.exe

Filesize
112KB

MD5
8b47aefd0f2248c92ef87c0dc55f4457

SHA1
510da371b1fffdd72698f23301518ccee5a68af1

SHA256
071e1d17bcf7edc91268bf31b847650d3486dd1661c1e37716179a0b96f00ac4

SHA512
b63df2bf712e936e2f47f353ca99b8c1fbb84e1af48b2ae34acdf3bc0f65a69c63f264c74f216894c4659f28a5c5a2d8276517d1d121b02c868abfdf9c3b7444

Download Submit
C:\Windows\SysWOW64\Qnpeijla.exe

Filesize
112KB

MD5
46c445ae561e8c0478ed9da9b7a32b15

SHA1
882233c04793171808be04c0c3230403e61217f1

SHA256
461426477c945c779e10424e2cb26561dc13cf943dafcdb85bf6c77fa06d0b83

SHA512
2730b4fe7577e43f219c44b983a327696460a9790c319422137bd85f5b6d3aae00003faafe5a0a48072266f811501987184595133f60643cda5c7d7c58df58e2

Download Submit
C:\Windows\SysWOW64\Qoaaqb32.exe

Filesize
112KB

MD5
9ffa0b4d61d438b042949db4ad1b3758

SHA1
98c38d4d091bca99092961a8257837dc2b755cba

SHA256
c4a2cf5587cd396d114bb9975f28e4e9694d3cfbf5b6fe5f01994943954605c8

SHA512
f774018f775b582f49067b47adec3bc826eb06568e86b9ff434abd143bb33a4138053f10e2fc41f3ed627f5199061ac9ba8959bc06889945907eadb1a2d9eec6

Download Submit
\Windows\SysWOW64\Jghcbjll.exe

Filesize
112KB

MD5
c7069d4a8f1ee6038ce30b962363646d

SHA1
9a6e0df65312f757e7e0d555ff544f3062a740a4

SHA256
2c555b013a86614283344188c997c47fcc8a761d56610090ff5137326d89b774

SHA512
5df46ed35679415bd272384558d2d43782ed5e2093d66434a7822509ed985e2716a4cf042fff3aa49e7916a80c0148660efe2c6dd79f9e662d019779bd63b8c4

Download Submit
\Windows\SysWOW64\Jlghpa32.exe

Filesize
112KB

MD5
7c8b7de385d7a3dea9396193cc97e4f1

SHA1
4bf0c9ab241bcbf88d191a247ce1da91790e6991

SHA256
89591b47b3ca524c8603bdf00e9910b2f3d2abfff4bd251878110f13f4759ccd

SHA512
c9ae18af2e22c3d41c1e0a7f21355a32b3855630828f73795aea0119c5b0af2631a9ec7f92614304ec4603d13248ef2789c995317b42f8dbcd17bffb4d9e78df

Download Submit
\Windows\SysWOW64\Kdgfpbaf.exe

Filesize
112KB

MD5
db057de61b28b3f1952bd1b9bd70a500

SHA1
d21a19b77c88109b9068ca084d8d7bea79eb830e

SHA256
5d009b8e732dbcdf478a87854b3c6c5e90cbbb0136d9db5fc74bf4d94b3f7ed1

SHA512
1ac2602457b9797033efbea3eece811dba75a697cc76631e425a6d9570b30f3fb59cdb9e49006baeeed099f103d08260feff078b42c77ea2f7fd6816f6e4ca8e

Download Submit
\Windows\SysWOW64\Kgmilmkb.exe

Filesize
112KB

MD5
49a3fc291aea0d19b75c57683781f2e9

SHA1
754153152a1cd24bd383dd35827c96b3c92504a6

SHA256
13a09caff12e61aac04fb993ed0d86426ad348e035f289f573c81fc55ba0ea93

SHA512
eeff8d4bfaa12df0096298518022f8dece9a3db8412d149ff0220600d7bd57e5a761afb4dd07d0ad82c827efe25315468ed88aece8567222981ba1960383e16f

Download Submit
\Windows\SysWOW64\Kqcqpc32.exe

Filesize
112KB

MD5
b32170f2527e9e8d8cf10779d1973727

SHA1
cb883b29437f27c6659b7548298e8cea38f2f4d9

SHA256
2e790ddb2ed07d5881893afcfea8cf442861f4257e022f41b6506d78429fb714

SHA512
6de5a6a91cda152f78039810d7fc0f59c1529e22336cc5cce4dd2bef3b33672d1675ac8e13fc9c881940b97b0dd4736ada5e34d02fd3ad9d4167fe812380250c

Download Submit
\Windows\SysWOW64\Kqqdjceh.exe

Filesize
112KB

MD5
8ff3304f5d3b3ad935c599fc808eee07

SHA1
9bdaa978eceebc94de15c68ba222df1e0b0b8504

SHA256
c6e89c5dd88d0ae7bdef1a94218ad6b2ebfc6d3346cada40b654a428efb28858

SHA512
05cb686ca21bc2eb70594d7e0eaaf868535a2aa133cc3153a8c461bd459b9ee36eab89040e94eca316838c96233ad8578785e3929998ec13cc6bf31476c91456

Download Submit
\Windows\SysWOW64\Lelljepm.exe

Filesize
112KB

MD5
bf9b556b0579826fe5060d97f55f319f

SHA1
66a10896c9601bbe774756fc78054a7dfc837273

SHA256
811155823d15bb779a819fe832f7194c2ffdf0c27cd4d4f190e1b556a781004b

SHA512
7b909981686adcf18801dc778ad03e86f02e613ad0369ef186c1ee2f9741d9aec4e2cd70c01a8a25c32a22679b6013791ec25cbf3aa8dd18cedaa47d790e4942

Download Submit
\Windows\SysWOW64\Lenioenj.exe

Filesize
112KB

MD5
eeb9630696ff5e321698961831b0b161

SHA1
abfc3a721f2406f2fd0f578e78c7645e1860419d

SHA256
b7b4b00bfe5ae183863f509d12e304f604391bcd908dcb7e33986c2300dfe18a

SHA512
041d5471d7bc68b2c1823ab71dc52861815bd1a5d1a223f9c98598fe45782f045fd68b41aba290e13301160e2ea5a64dbf3368d498496ac1619616915176b4a4

Download Submit
\Windows\SysWOW64\Lfdbcing.exe

Filesize
112KB

MD5
7fe95b17d7b625898432dc0414c88468

SHA1
a447e1a3da1f9497ee9706b90e8501b6b65903a5

SHA256
c9693832eb94cce7d59c1f016feccc8f21cbb6aa4f06b5ba8051ae1cf0d95540

SHA512
41b88b72f2f6115b3dd487fbb4190c6b81ec23bf21fdc927519be4245523ab66df042ab7dd3802e9720188e82ff1e415712cedba020a9f3def0c6c2e85df4cb6

Download Submit
\Windows\SysWOW64\Mecbjd32.exe

Filesize
112KB

MD5
2b95142bcba5d1df28e1fd0a6430e58e

SHA1
46514bd08989c906c58bc5f002e8d4e695ee2f96

SHA256
39c854a74126d3ee8f2e4046c781a434dc97191cc71aae84bed6c785ae7cce79

SHA512
ff440ca27f6d0d26267d87e694cfee2bf6291491d082e548febb770fb65c1a24a2e157ff1b3b83077bce39645ea46996c333edaecd01a035acf22533c629e670

Download Submit
\Windows\SysWOW64\Mfihml32.exe

Filesize
112KB

MD5
c2331ca3e68b5ea1b736f65ffbdcab18

SHA1
e28bb1570930732e81522be09b5ad0f236d099a7

SHA256
7f7a262d97df8fe0acafadd6ff9e612712008397fc40e01251cd8af089a19953

SHA512
43221f9011fc4b8afd748256dc8d8e4ba62861d3902b4c4b3da65e28254edcbe1cf5c626b8a5b74088cead9cc122b0e5613b6ed5baf9d0a2eb19ee764912a506

Download Submit
\Windows\SysWOW64\Mgoaap32.exe

Filesize
112KB

MD5
21ce205ba89f6ed4885e86c2cf5a8335

SHA1
ecade8356cc058807b76f1f124689ff22fbbed7e

SHA256
83e74afe9c84117283e1517a6a454fa0d6e9ea1fbcd9cfb977144bd17b5092e4

SHA512
109e9c3734c6abb3d8fb312e31243ef8b7ed6d0275f41e7ee2a30f633b40451ee952b3f0508f0d1ef5c25cdff348533955c6bccd0600943e2a8a05e59055f1dd

Download Submit
\Windows\SysWOW64\Mnncii32.exe

Filesize
112KB

MD5
4130764295323bae93af63fb2ec8322a

SHA1
380582b7834e0d579c757a848475a61e8400a4b4

SHA256
6797e29e3bc6c738aa3b3d7bbc32fd70d81bc03b90e2d27e88a1e9ce37972da5

SHA512
c297f4b920d4eaf7a85d13cc6310571cd931a5c5e663cb6fff21a04dd8dfe4f4159b9bd2cde6494e3a33fc0fd42503a4156de91665947f676cad0f4ff66d9a8a

Download Submit
memory/672-299-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/672-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/672-295-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1152-444-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1152-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-309-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1240-310-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1240-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-321-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1752-320-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1752-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-180-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1772-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-219-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1776-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-47-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1928-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-501-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1948-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-331-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1984-353-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1984-352-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1984-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-475-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2056-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-129-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2060-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-466-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2148-467-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2152-262-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2152-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2152-266-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2164-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-491-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2180-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-490-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2184-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-277-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2252-276-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2252-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-385-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2276-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-254-0x0000000001BD0000-0x0000000001C13000-memory.dmp

Filesize
268KB

Download
memory/2380-255-0x0000000001BD0000-0x0000000001C13000-memory.dmp

Filesize
268KB

Download
memory/2380-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-287-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2452-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-288-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2548-232-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2548-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-233-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2572-243-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2572-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-245-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2724-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-375-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2756-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-454-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2756-455-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2776-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-12-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2776-370-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2776-7-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2776-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-74-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2808-79-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2808-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-341-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2820-342-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2820-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-362-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2976-363-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3040-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-102-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/3048-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads