dc3472d196604071e89728d9f3f9b7ae09db748e427a6a1b7c54547289b8ee03

Analysis

max time kernel
93s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 11:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
Size

368KB
MD5

ad20e2ae0898d2aa50f46fa4ba4671b0
SHA1

7ae86fe45b2f7ae5448dd8ef1f11cc432fa3c437
SHA256

dc3472d196604071e89728d9f3f9b7ae09db748e427a6a1b7c54547289b8ee03
SHA512

bdac51f0edd358f375a72dd5863bd4189b1ea22a77890c0ed71eb969fe75227ccaaba9532d1181770f313b1b52740491431beaac1135dcf98c199d47bb4ce304
SSDEEP

6144:t1J92WV6IE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfTo9FI6:r32eiaAD6RrI1+lDMEAD6Rr2NWL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbgdkgm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfkhbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fclmem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aenileon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pahjgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophanl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pacqlcdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pahjgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekoljgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbhcfjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbhnpplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmnoll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqpjndio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlnbmikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfjjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mookod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhegcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnbmikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimhfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgpnjkgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edmnnakm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahaqm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cifdmbib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpfkhbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefpfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpaoape.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmmcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agilkijf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfjjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncpgeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kikpgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmdql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdbhcfjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hklhca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnhcdkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhdjdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aenileon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obopobhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gocnjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcgpiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hklhca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iamjghnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpiihgoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjmiknng.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgqpjch.exe

Executes dropped EXE 59 IoCs

pid	Process
2404	Mgfjjh32.exe
2832	Ncpgeh32.exe
2800	Nhdjdk32.exe
2780	Odmgnl32.exe
2676	Ophanl32.exe
2536	Popkeh32.exe
1648	Pacqlcdi.exe
2312	Pahjgb32.exe
2316	Agilkijf.exe
2960	Aenileon.exe
2996	Akbgdkgm.exe
640	Bkgqpjch.exe
2108	Bgpnjkgi.exe
1696	Cifdmbib.exe
2384	Cafbmdbh.exe
1528	Cmmcae32.exe
2244	Dpbenpqh.exe
2124	Elpldp32.exe
2292	Edmnnakm.exe
1448	Epdncb32.exe
1988	Fpfkhbon.exe
2352	Fefpfi32.exe
1916	Fclmem32.exe
2012	Gocnjn32.exe
2380	Ghmohcbl.exe
2556	Gcgpiq32.exe
684	Gcimop32.exe
2820	Hqpjndio.exe
2868	Hmfkbeoc.exe
2936	Hklhca32.exe
2608	Hkpaoape.exe
840	Iamjghnm.exe
2948	Iimhfj32.exe
1240	Ijmdql32.exe
3008	Jnafop32.exe
2600	Jekoljgo.exe
1976	Jaaoakmc.exe
2708	Jdbhcfjd.exe
1356	Kpiihgoh.exe
2420	Kkajkoml.exe
2172	Kihcakpa.exe
2064	Kikpgk32.exe
2436	Lddagi32.exe
1672	Lahaqm32.exe
2464	Lhbjmg32.exe
1688	Lhegcg32.exe
472	Lcnhcdkp.exe
948	Mglpjc32.exe
872	Mjmiknng.exe
956	Mbhnpplb.exe
1548	Mlnbmikh.exe
2860	Mbkkepio.exe
2176	Mookod32.exe
2796	Nkjeod32.exe
2188	Nmnoll32.exe
1628	Opqdcgib.exe
1568	Obopobhe.exe
2944	Ofmiea32.exe
2560	Ohnemidj.exe

Loads dropped DLL 64 IoCs

pid	Process
3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
2404	Mgfjjh32.exe
2404	Mgfjjh32.exe
2832	Ncpgeh32.exe
2832	Ncpgeh32.exe
2800	Nhdjdk32.exe
2800	Nhdjdk32.exe
2780	Odmgnl32.exe
2780	Odmgnl32.exe
2676	Ophanl32.exe
2676	Ophanl32.exe
2536	Popkeh32.exe
2536	Popkeh32.exe
1648	Pacqlcdi.exe
1648	Pacqlcdi.exe
2312	Pahjgb32.exe
2312	Pahjgb32.exe
2316	Agilkijf.exe
2316	Agilkijf.exe
2960	Aenileon.exe
2960	Aenileon.exe
2996	Akbgdkgm.exe
2996	Akbgdkgm.exe
640	Bkgqpjch.exe
640	Bkgqpjch.exe
2108	Bgpnjkgi.exe
2108	Bgpnjkgi.exe
1696	Cifdmbib.exe
1696	Cifdmbib.exe
2384	Cafbmdbh.exe
2384	Cafbmdbh.exe
1528	Cmmcae32.exe
1528	Cmmcae32.exe
2244	Dpbenpqh.exe
2244	Dpbenpqh.exe
2124	Elpldp32.exe
2124	Elpldp32.exe
2292	Edmnnakm.exe
2292	Edmnnakm.exe
1448	Epdncb32.exe
1448	Epdncb32.exe
1988	Fpfkhbon.exe
1988	Fpfkhbon.exe
2352	Fefpfi32.exe
2352	Fefpfi32.exe
1916	Fclmem32.exe
1916	Fclmem32.exe
2012	Gocnjn32.exe
2012	Gocnjn32.exe
2380	Ghmohcbl.exe
2380	Ghmohcbl.exe
2556	Gcgpiq32.exe
2556	Gcgpiq32.exe
684	Gcimop32.exe
684	Gcimop32.exe
2820	Hqpjndio.exe
2820	Hqpjndio.exe
2868	Hmfkbeoc.exe
2868	Hmfkbeoc.exe
2936	Hklhca32.exe
2936	Hklhca32.exe
2608	Hkpaoape.exe
2608	Hkpaoape.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbpilaid.dll	Aenileon.exe
File created	C:\Windows\SysWOW64\Hekohm32.dll	Cmmcae32.exe
File created	C:\Windows\SysWOW64\Lahaqm32.exe	Lddagi32.exe
File opened for modification	C:\Windows\SysWOW64\Mbhnpplb.exe	Mjmiknng.exe
File created	C:\Windows\SysWOW64\Aqkohg32.dll	Ijmdql32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpgeh32.exe	Mgfjjh32.exe
File created	C:\Windows\SysWOW64\Bgpnjkgi.exe	Bkgqpjch.exe
File created	C:\Windows\SysWOW64\Jdbhcfjd.exe	Jaaoakmc.exe
File created	C:\Windows\SysWOW64\Bngnoa32.dll	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Dpbenpqh.exe	Cmmcae32.exe
File created	C:\Windows\SysWOW64\Epdncb32.exe	Edmnnakm.exe
File created	C:\Windows\SysWOW64\Hkpaoape.exe	Hklhca32.exe
File created	C:\Windows\SysWOW64\Ofmiea32.exe	Obopobhe.exe
File created	C:\Windows\SysWOW64\Ihgmjcla.dll	Popkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Kkajkoml.exe	Kpiihgoh.exe
File created	C:\Windows\SysWOW64\Ldbjfdld.dll	Kihcakpa.exe
File created	C:\Windows\SysWOW64\Eipnnj32.dll	Lhbjmg32.exe
File created	C:\Windows\SysWOW64\Opqdcgib.exe	Nmnoll32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofmiea32.exe
File created	C:\Windows\SysWOW64\Lngjjj32.dll	Bgpnjkgi.exe
File created	C:\Windows\SysWOW64\Nclgagoq.dll	Gcimop32.exe
File created	C:\Windows\SysWOW64\Iamjghnm.exe	Hkpaoape.exe
File opened for modification	C:\Windows\SysWOW64\Opqdcgib.exe	Nmnoll32.exe
File created	C:\Windows\SysWOW64\Biddoj32.dll	Ophanl32.exe
File opened for modification	C:\Windows\SysWOW64\Aenileon.exe	Agilkijf.exe
File created	C:\Windows\SysWOW64\Oleiokho.dll	Fpfkhbon.exe
File created	C:\Windows\SysWOW64\Cebplg32.dll	Gocnjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hqpjndio.exe	Gcimop32.exe
File created	C:\Windows\SysWOW64\Lhbjmg32.exe	Lahaqm32.exe
File created	C:\Windows\SysWOW64\Ionqcpbl.dll	Cifdmbib.exe
File created	C:\Windows\SysWOW64\Ghmohcbl.exe	Gocnjn32.exe
File opened for modification	C:\Windows\SysWOW64\Iamjghnm.exe	Hkpaoape.exe
File created	C:\Windows\SysWOW64\Ihfmfdjf.dll	Mlnbmikh.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfjjh32.exe	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
File created	C:\Windows\SysWOW64\Edmnnakm.exe	Elpldp32.exe
File created	C:\Windows\SysWOW64\Hpmjno32.dll	Fclmem32.exe
File created	C:\Windows\SysWOW64\Iimhfj32.exe	Iamjghnm.exe
File opened for modification	C:\Windows\SysWOW64\Mjmiknng.exe	Mglpjc32.exe
File opened for modification	C:\Windows\SysWOW64\Fclmem32.exe	Fefpfi32.exe
File created	C:\Windows\SysWOW64\Jqngde32.dll	Mgfjjh32.exe
File created	C:\Windows\SysWOW64\Lenapcbd.dll	Ncpgeh32.exe
File created	C:\Windows\SysWOW64\Bfqgmn32.dll	Agilkijf.exe
File opened for modification	C:\Windows\SysWOW64\Bkgqpjch.exe	Akbgdkgm.exe
File created	C:\Windows\SysWOW64\Hpmmdj32.dll	Akbgdkgm.exe
File opened for modification	C:\Windows\SysWOW64\Elpldp32.exe	Dpbenpqh.exe
File created	C:\Windows\SysWOW64\Fpfkhbon.exe	Epdncb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpiihgoh.exe	Jdbhcfjd.exe
File created	C:\Windows\SysWOW64\Liakqjpo.dll	Lahaqm32.exe
File opened for modification	C:\Windows\SysWOW64\Lhegcg32.exe	Lhbjmg32.exe
File created	C:\Windows\SysWOW64\Mookod32.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Mgfjjh32.exe	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
File opened for modification	C:\Windows\SysWOW64\Pahjgb32.exe	Pacqlcdi.exe
File created	C:\Windows\SysWOW64\Kihcakpa.exe	Kkajkoml.exe
File opened for modification	C:\Windows\SysWOW64\Mbkkepio.exe	Mlnbmikh.exe
File created	C:\Windows\SysWOW64\Cifdmbib.exe	Bgpnjkgi.exe
File opened for modification	C:\Windows\SysWOW64\Iimhfj32.exe	Iamjghnm.exe
File opened for modification	C:\Windows\SysWOW64\Jnafop32.exe	Ijmdql32.exe
File created	C:\Windows\SysWOW64\Lcnhcdkp.exe	Lhegcg32.exe
File created	C:\Windows\SysWOW64\Ahlghold.dll	Bkgqpjch.exe
File created	C:\Windows\SysWOW64\Cafbmdbh.exe	Cifdmbib.exe
File opened for modification	C:\Windows\SysWOW64\Jekoljgo.exe	Jnafop32.exe
File created	C:\Windows\SysWOW64\Fdldjnpc.dll	Lhegcg32.exe
File created	C:\Windows\SysWOW64\Nkjeod32.exe	Mookod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1404	2560	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklhca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamjghnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cafbmdbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pahjgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdmbib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbenpqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edmnnakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefpfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcgpiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqpjndio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkajkoml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkkepio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agilkijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbgdkgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnafop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pacqlcdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiihgoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahaqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnbmikh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjeod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfjjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpnjkgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gocnjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmdql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddagi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmiea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnhcdkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnoll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obopobhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclmem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdbhcfjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbjmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqdcgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophanl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpfkhbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iimhfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekoljgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjmiknng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbhnpplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mookod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpgeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmfkbeoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihcakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikpgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhdjdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgqpjch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmcae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghmohcbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcimop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkpaoape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaaoakmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aenileon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elpldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdncb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhegcg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddagi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhdjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgmjcla.dll"	Popkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionqcpbl.dll"	Cifdmbib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghmohcbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmebeij.dll"	Gcgpiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkjjogi.dll"	Hmfkbeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjincg32.dll"	Jekoljgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll"	Mbhnpplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcckc32.dll"	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcnl32.dll"	Nhdjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odmgnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ophanl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll"	Pahjgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oleiokho.dll"	Fpfkhbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lahaqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhdjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpgdb.dll"	Odmgnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Popkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cifdmbib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hqpjndio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hqpjndio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kihcakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkajkoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkajkoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll"	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmmdfgc.dll"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll"	Mookod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpbenpqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpbenpqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hklhca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll"	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pahjgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gocnjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcnhcdkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cifdmbib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbaqhmq.dll"	Epdncb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpfkhbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll"	Fclmem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfmfdjf.dll"	Mlnbmikh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjeod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aenileon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpiihgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbhnpplb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlnbmikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfhmqhk.dll"	Hkpaoape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mookod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnqligpm.dll"	Pacqlcdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pacqlcdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfepbh.dll"	Jaaoakmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdblbha.dll"	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgpnjkgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhegcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lenapcbd.dll"	Ncpgeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cafbmdbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll"	Cmmcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noieei32.dll"	Dpbenpqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2404	3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe	29
PID 3012 wrote to memory of 2404	3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe	29
PID 3012 wrote to memory of 2404	3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe	29
PID 3012 wrote to memory of 2404	3012	ad20e2ae0898d2aa50f46fa4ba4671b0N.exe	29
PID 2404 wrote to memory of 2832	2404	Mgfjjh32.exe	30
PID 2404 wrote to memory of 2832	2404	Mgfjjh32.exe	30
PID 2404 wrote to memory of 2832	2404	Mgfjjh32.exe	30
PID 2404 wrote to memory of 2832	2404	Mgfjjh32.exe	30
PID 2832 wrote to memory of 2800	2832	Ncpgeh32.exe	31
PID 2832 wrote to memory of 2800	2832	Ncpgeh32.exe	31
PID 2832 wrote to memory of 2800	2832	Ncpgeh32.exe	31
PID 2832 wrote to memory of 2800	2832	Ncpgeh32.exe	31
PID 2800 wrote to memory of 2780	2800	Nhdjdk32.exe	32
PID 2800 wrote to memory of 2780	2800	Nhdjdk32.exe	32
PID 2800 wrote to memory of 2780	2800	Nhdjdk32.exe	32
PID 2800 wrote to memory of 2780	2800	Nhdjdk32.exe	32
PID 2780 wrote to memory of 2676	2780	Odmgnl32.exe	33
PID 2780 wrote to memory of 2676	2780	Odmgnl32.exe	33
PID 2780 wrote to memory of 2676	2780	Odmgnl32.exe	33
PID 2780 wrote to memory of 2676	2780	Odmgnl32.exe	33
PID 2676 wrote to memory of 2536	2676	Ophanl32.exe	34
PID 2676 wrote to memory of 2536	2676	Ophanl32.exe	34
PID 2676 wrote to memory of 2536	2676	Ophanl32.exe	34
PID 2676 wrote to memory of 2536	2676	Ophanl32.exe	34
PID 2536 wrote to memory of 1648	2536	Popkeh32.exe	35
PID 2536 wrote to memory of 1648	2536	Popkeh32.exe	35
PID 2536 wrote to memory of 1648	2536	Popkeh32.exe	35
PID 2536 wrote to memory of 1648	2536	Popkeh32.exe	35
PID 1648 wrote to memory of 2312	1648	Pacqlcdi.exe	36
PID 1648 wrote to memory of 2312	1648	Pacqlcdi.exe	36
PID 1648 wrote to memory of 2312	1648	Pacqlcdi.exe	36
PID 1648 wrote to memory of 2312	1648	Pacqlcdi.exe	36
PID 2312 wrote to memory of 2316	2312	Pahjgb32.exe	37
PID 2312 wrote to memory of 2316	2312	Pahjgb32.exe	37
PID 2312 wrote to memory of 2316	2312	Pahjgb32.exe	37
PID 2312 wrote to memory of 2316	2312	Pahjgb32.exe	37
PID 2316 wrote to memory of 2960	2316	Agilkijf.exe	38
PID 2316 wrote to memory of 2960	2316	Agilkijf.exe	38
PID 2316 wrote to memory of 2960	2316	Agilkijf.exe	38
PID 2316 wrote to memory of 2960	2316	Agilkijf.exe	38
PID 2960 wrote to memory of 2996	2960	Aenileon.exe	39
PID 2960 wrote to memory of 2996	2960	Aenileon.exe	39
PID 2960 wrote to memory of 2996	2960	Aenileon.exe	39
PID 2960 wrote to memory of 2996	2960	Aenileon.exe	39
PID 2996 wrote to memory of 640	2996	Akbgdkgm.exe	40
PID 2996 wrote to memory of 640	2996	Akbgdkgm.exe	40
PID 2996 wrote to memory of 640	2996	Akbgdkgm.exe	40
PID 2996 wrote to memory of 640	2996	Akbgdkgm.exe	40
PID 640 wrote to memory of 2108	640	Bkgqpjch.exe	41
PID 640 wrote to memory of 2108	640	Bkgqpjch.exe	41
PID 640 wrote to memory of 2108	640	Bkgqpjch.exe	41
PID 640 wrote to memory of 2108	640	Bkgqpjch.exe	41
PID 2108 wrote to memory of 1696	2108	Bgpnjkgi.exe	42
PID 2108 wrote to memory of 1696	2108	Bgpnjkgi.exe	42
PID 2108 wrote to memory of 1696	2108	Bgpnjkgi.exe	42
PID 2108 wrote to memory of 1696	2108	Bgpnjkgi.exe	42
PID 1696 wrote to memory of 2384	1696	Cifdmbib.exe	43
PID 1696 wrote to memory of 2384	1696	Cifdmbib.exe	43
PID 1696 wrote to memory of 2384	1696	Cifdmbib.exe	43
PID 1696 wrote to memory of 2384	1696	Cifdmbib.exe	43
PID 2384 wrote to memory of 1528	2384	Cafbmdbh.exe	44
PID 2384 wrote to memory of 1528	2384	Cafbmdbh.exe	44
PID 2384 wrote to memory of 1528	2384	Cafbmdbh.exe	44
PID 2384 wrote to memory of 1528	2384	Cafbmdbh.exe	44

C:\Users\Admin\AppData\Local\Temp\ad20e2ae0898d2aa50f46fa4ba4671b0N.exe
"C:\Users\Admin\AppData\Local\Temp\ad20e2ae0898d2aa50f46fa4ba4671b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Mgfjjh32.exe
  C:\Windows\system32\Mgfjjh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\Ncpgeh32.exe
    C:\Windows\system32\Ncpgeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\Nhdjdk32.exe
      C:\Windows\system32\Nhdjdk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Odmgnl32.exe
        
        C:\Windows\system32\Odmgnl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Ophanl32.exe
        
        C:\Windows\system32\Ophanl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Popkeh32.exe
        
        C:\Windows\system32\Popkeh32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Pacqlcdi.exe
        
        C:\Windows\system32\Pacqlcdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Pahjgb32.exe
        
        C:\Windows\system32\Pahjgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Agilkijf.exe
        
        C:\Windows\system32\Agilkijf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Aenileon.exe
        
        C:\Windows\system32\Aenileon.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Akbgdkgm.exe
        
        C:\Windows\system32\Akbgdkgm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Bkgqpjch.exe
        
        C:\Windows\system32\Bkgqpjch.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Bgpnjkgi.exe
        
        C:\Windows\system32\Bgpnjkgi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cifdmbib.exe
        
        C:\Windows\system32\Cifdmbib.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Cafbmdbh.exe
        
        C:\Windows\system32\Cafbmdbh.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Cmmcae32.exe
        
        C:\Windows\system32\Cmmcae32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Dpbenpqh.exe
        
        C:\Windows\system32\Dpbenpqh.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Elpldp32.exe
        
        C:\Windows\system32\Elpldp32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Edmnnakm.exe
        
        C:\Windows\system32\Edmnnakm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Epdncb32.exe
        
        C:\Windows\system32\Epdncb32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Fpfkhbon.exe
        
        C:\Windows\system32\Fpfkhbon.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Fefpfi32.exe
        
        C:\Windows\system32\Fefpfi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Fclmem32.exe
        
        C:\Windows\system32\Fclmem32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Gocnjn32.exe
        
        C:\Windows\system32\Gocnjn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ghmohcbl.exe
        
        C:\Windows\system32\Ghmohcbl.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Gcgpiq32.exe
        
        C:\Windows\system32\Gcgpiq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Gcimop32.exe
        
        C:\Windows\system32\Gcimop32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Hqpjndio.exe
        
        C:\Windows\system32\Hqpjndio.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Hmfkbeoc.exe
        
        C:\Windows\system32\Hmfkbeoc.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Hklhca32.exe
        
        C:\Windows\system32\Hklhca32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hkpaoape.exe
        
        C:\Windows\system32\Hkpaoape.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Iamjghnm.exe
        
        C:\Windows\system32\Iamjghnm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Iimhfj32.exe
        
        C:\Windows\system32\Iimhfj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Ijmdql32.exe
        
        C:\Windows\system32\Ijmdql32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Jnafop32.exe
        
        C:\Windows\system32\Jnafop32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Jekoljgo.exe
        
        C:\Windows\system32\Jekoljgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Jaaoakmc.exe
        
        C:\Windows\system32\Jaaoakmc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Jdbhcfjd.exe
        
        C:\Windows\system32\Jdbhcfjd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Kpiihgoh.exe
        
        C:\Windows\system32\Kpiihgoh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Kkajkoml.exe
        
        C:\Windows\system32\Kkajkoml.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Kihcakpa.exe
        
        C:\Windows\system32\Kihcakpa.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Kikpgk32.exe
        
        C:\Windows\system32\Kikpgk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Lddagi32.exe
        
        C:\Windows\system32\Lddagi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Lahaqm32.exe
        
        C:\Windows\system32\Lahaqm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Lhbjmg32.exe
        
        C:\Windows\system32\Lhbjmg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Lhegcg32.exe
        
        C:\Windows\system32\Lhegcg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Lcnhcdkp.exe
        
        C:\Windows\system32\Lcnhcdkp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Mglpjc32.exe
        
        C:\Windows\system32\Mglpjc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Mjmiknng.exe
        
        C:\Windows\system32\Mjmiknng.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Mbhnpplb.exe
        
        C:\Windows\system32\Mbhnpplb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Mlnbmikh.exe
        
        C:\Windows\system32\Mlnbmikh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mbkkepio.exe
        
        C:\Windows\system32\Mbkkepio.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Mookod32.exe
        
        C:\Windows\system32\Mookod32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Nkjeod32.exe
        
        C:\Windows\system32\Nkjeod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Nmnoll32.exe
        
        C:\Windows\system32\Nmnoll32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Opqdcgib.exe
        
        C:\Windows\system32\Opqdcgib.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Obopobhe.exe
        
        C:\Windows\system32\Obopobhe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ofmiea32.exe
        
        C:\Windows\system32\Ofmiea32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 140
        61⤵
        Program crash
        
        PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agilkijf.exe

Filesize
368KB

MD5
24d569d9d21c5ba38974cd6250c42210

SHA1
91ecc576fb4e4dd5b44f245210e1130926bdc30b

SHA256
32261df0d440ee7105f688db33d4419715b3982c491d84f6b37caba2b31a55c5

SHA512
9260e920ebe3034d51f1dd269328287ccc723ca1a78ade9a4ea49977bad7c6b4ec92b6d3ea94370fb4a213d451b4afa31abed59fc3e7256ab0c5dd48361fff33

Download Submit
C:\Windows\SysWOW64\Cmmcae32.exe

Filesize
368KB

MD5
0eb5fcce8d81e73ce67a00b5a996f8b0

SHA1
38b3ccce5e72ba8dd67e2d55c8b9d37f49b0e89b

SHA256
6b0bf84278b5701452554aacdcd5448b6386d0389b68d105833b7b8ea0ecb253

SHA512
b8ae239c5116c688a3024790ec18ddb2e4ea3d2c5552bae563197bef1c280f06a570b0902cf1660c80f6d66521716e4345bf2ea5a472961fddda041cf5451a72

Download Submit
C:\Windows\SysWOW64\Dpbenpqh.exe

Filesize
368KB

MD5
068c128e7cd89de22605670bb24eaf78

SHA1
76f3f14921929c2c9663b74e6eb51d14d590ac32

SHA256
633000f710618b287c2530ce5126cbc61fca3dac4c22026be806c56f0dddd2d6

SHA512
06e37840ec54317118997b26126e8c48075fb83c484bfe085e684f78e612fa775b9a3cf8f64bf853121d16886679e73c6616c70139712980dda5949e6235a799

Download Submit
C:\Windows\SysWOW64\Edmnnakm.exe

Filesize
368KB

MD5
938ae33fe73fef3e52d6edb7dfb656cf

SHA1
6c49e643a61494f076c04483a9c793bbb14113d5

SHA256
c922a7e070f9dd7cde2faca98ad113611c1c2c770c1f8fe554e04f8aef268954

SHA512
e63ae02e543d5ac277fa60f6b6642138f1f12bafe4d879990ed4e2a0f3575a2c8406c5ddac8ae904408740f5d60527e13249ee315da0405baaf4e1120e12dbc2

Download Submit
C:\Windows\SysWOW64\Elpldp32.exe

Filesize
368KB

MD5
219e7b6a5ab2404882db4c65c0d74fb4

SHA1
6b6fd564b5cdbb58270cf287a1279635d9b4d833

SHA256
3715bf8068b370cd60700b2816d65ce99cd6750feed86ea20e6b5bfabb1f714a

SHA512
ab245762ad81e160f0c9ca8283dea66bc4f6ccde022613d961e9e6e982510269d8195d1320a9e51049b5661f086cf57eecae4a7baae2e6dacd371beb3366a78e

Download Submit
C:\Windows\SysWOW64\Epdncb32.exe

Filesize
368KB

MD5
45850e1a4953c29a044234ff0794cb8b

SHA1
8f3290933bde80ff6bb9a5a9f3f11d0a923b821f

SHA256
a962c8de1f5a1b22a1d456069c70074b28ef86e5b9c6b60c850a8319c12cf34a

SHA512
7799d771d714aa3a11f98638ae5cba6d734f00634d4854673c232c5596d73352afc2db8cac746abd2fdbaa5627e014d42a9b02008aa7780976f464234dc441a2

Download Submit
C:\Windows\SysWOW64\Fclmem32.exe

Filesize
368KB

MD5
64881ec2884d9a9d1e88919ea8e40151

SHA1
2180c2b0df2561f7695d1731727b17043d73df47

SHA256
bdc5b4c1ebdd8c936ec24b9f4ab6211e5327ab7b2704307c06e6e867a8683928

SHA512
186ba29f9dc005c61125d18e7e1dee1bf58b46261991f6413b66153ede53cd9f71dec20e594e3d360f0fb8abae513e03cac63727b220db8052aaedd6ce64309f

Download Submit
C:\Windows\SysWOW64\Fefpfi32.exe

Filesize
368KB

MD5
c4368c933eb1169f6b143e29ebe9a2b7

SHA1
bc044e136ac27b10ee49eca24ceb37c4eb04c375

SHA256
bea7cbc3365269dde6d0509017796dfc7e0deda1c47e89c249ca961aba2b9a4d

SHA512
c4e2ef35814264830df90db9108b544ceed208387fa99b9a608ae3484b807b0147a619371d22c10d3d4b02f071ec0970e21658881c85cda08d178b50a24e55e7

Download Submit
C:\Windows\SysWOW64\Fpfkhbon.exe

Filesize
368KB

MD5
9500ac19941cd38e0e0b12c67a6b7991

SHA1
382d49dddc1942f0e518e932ca8b39b087111982

SHA256
863c9bb6480ed239bf4cb4eb4abf1bd9aea81a5e79b358c94e50bffa9e32ebe7

SHA512
81b85fac256f464ee33f9251e8167f8f115d45b2a291c27bbec6db104f9675bffc9ac21c7e1a107bbfb14c72fa81798c999587222894aba3680244149ac33342

Download Submit
C:\Windows\SysWOW64\Gcgpiq32.exe

Filesize
368KB

MD5
af2f8a83754aec6d221b37ea1d50b2fd

SHA1
5dc5daaf9ee89adf25e386726d320f4e45a7702c

SHA256
e3adccc3f57afb1bc85844807032c6bf95634af72c867e1fe76bddab49f8641a

SHA512
84bd965974f550d6ddea99c9bddcdc6fd14cb7a5afc41a17871176aeee11ab57623b87ce1989460626537068e4afba56d60875779d48dcae02103ae27aab5020

Download Submit
C:\Windows\SysWOW64\Gcimop32.exe

Filesize
368KB

MD5
4d857fc5e5ee683d353b67e3df0e939f

SHA1
c487255759001bebcef655bfdf6ed4ebaf8345b2

SHA256
8a9846fd047ee983a09aea66e3f94c89d93ce341f17254db1555744f59100b88

SHA512
b53405023d74695a21967f50988f6f52f0125f062771d4309eefec2385e437d0e27034a994af0fd8e22d1923e63083b5bfa53936fac9ef03fdc9275c9c1edb2c

Download Submit
C:\Windows\SysWOW64\Ghmohcbl.exe

Filesize
368KB

MD5
2152bb2df4494e375559a762d9c2665b

SHA1
02f58d513b7c837da2aa4612c9e6d333bbd4f2dd

SHA256
0f8bbfc883effb3b6683ec35e8e339c1177df8c61d5e51e6f455ea470e2ef979

SHA512
b782c1c1f0622e1b05e3ae0e36bcf8e5b5c9acafd8b3af510b48bff28531af64a3980c48a9133f5c4e4299cc210b54083c9fe230fd54c7a97ed136c3a3b52721

Download Submit
C:\Windows\SysWOW64\Gocnjn32.exe

Filesize
368KB

MD5
07300bcfbcf6efc2f1472102054a2b20

SHA1
f259695b7f6e0a51e887d9a0b9f9822e14152705

SHA256
42ef97edb96c50eaf12a9f81ab7fe564be27f6203f624547663e66518acc28ab

SHA512
41eb85d12afcd7adbb4034ee37ab384e445ce454a442a183e0e3967193bc4a9a0f19fd9c4f91a4f5e1e60a56028a20ac7b2f7e989b75e87b63c8bade2674b994

Download Submit
C:\Windows\SysWOW64\Hklhca32.exe

Filesize
368KB

MD5
7e8c210944a60c90f5a837d83721fcd5

SHA1
044e7b50bb06f45d2bfbc645414cea89eaa121db

SHA256
239ea095e688662f743d5df0a8c47282fc4f2087ba95673f1dd58a2363f48e70

SHA512
9093b608eaa3f912214580cf307bfe2232f07f43242b015196d714a56af0e8868c416078f07b2c40d672733d499e697d91b6d00f42b9059d48f96f444895a97e

Download Submit
C:\Windows\SysWOW64\Hkpaoape.exe

Filesize
368KB

MD5
bc8fa3bd970bb5387f49cb054dc9b428

SHA1
4f16fe96ca751bbee8f093ddd12aae3953c7f7fb

SHA256
7aec1ac286795336a5dee27b258b6c2db82bfa8ed020fc7b61d50c90f31a4e1a

SHA512
c68e20d1a667410c3c07bec34610440ef5896c2eb50a7dc0f2a1d29fca7c09bd55262e2a5a65297cc2a492595c6f4d36fbe61807c5525fd5448e4a53ce425c40

Download Submit
C:\Windows\SysWOW64\Hmfkbeoc.exe

Filesize
368KB

MD5
f7a2e3e1551864f116c6d8852c0a67e8

SHA1
0e6693c124c98721a9174aff7cb940673d801e3b

SHA256
411b5b155c30c70596080494f916c017f809281ee55843815e6dbc7ad0f4522f

SHA512
10febe2dee02ad8675e738041a7ef73be1fd532ebf38868af5decb229d209ceb8acc44ed67aa0e3791370230bd786b2dbcb113eac197e6d8b24700c02770ea67

Download Submit
C:\Windows\SysWOW64\Hqpjndio.exe

Filesize
368KB

MD5
416e1992df4a53ee72907c682bb8412b

SHA1
4295adeb5214af5ed1e14907363d78dfa82e3d01

SHA256
709c91fe2a7304cfbb27a77e22921127beaaaae7b52827ce7b00ff5d7fa706c2

SHA512
c19566abdbebf598f1823cd7ea92d8fc79b0ce359e405625ad4dd171a48b8911d99a2751543c2c9f72409f321c6bb7b8fd7b066c8cb8e0af8f200c4bea1861e7

Download Submit
C:\Windows\SysWOW64\Iamjghnm.exe

Filesize
368KB

MD5
8e8904747e50384d6c3a296c49cc6790

SHA1
ae63afe5dfb2ad6a2cfb5ec5126b5838e965ca23

SHA256
92ede2a8feb11ba211ec7dbe1891a3539623ea44cc84e2f155d6d1c6de6768b3

SHA512
9fb519e0301281f0cc4821d13cdb6a2c2f4699ef5346e832ee9c6f9457918ea253dc85faa6e9a639801f321fca4c72fe712e41599f885962c6ea9866a1863c9e

Download Submit
C:\Windows\SysWOW64\Iimhfj32.exe

Filesize
368KB

MD5
5d2aa716cba929061070ab9ff534ede8

SHA1
ff573bf6ec7815a5b084fd95858df87126e9b5e9

SHA256
485abaf1f7b4aab48deac5cee3fdc4c75997b015026906d3677f3016cefb8f64

SHA512
15b0de1c401c9f7c9d6f85637d5c047972cf2078702c224603bec456a751212a7a201b149b253fd49da3cd83dc2c1adfe3e018004fc016ee7502f6d19ec35e8f

Download Submit
C:\Windows\SysWOW64\Ijmdql32.exe

Filesize
368KB

MD5
21e31fa9346582ca4557cdf06a6f50b6

SHA1
2d9d989173adef9125cb9027fac6db78278463a5

SHA256
74371fca28a7a34f80e1294ca28377a7f59ec7772cb80736a4d81d8a2cbc1ac0

SHA512
fbcc494338e644fa9eb85c4b59c27ab0448bf99ded7eb5a896e0a4c6b5c4900e86d9aaef8061a0d2a8350f5e94c450012a85009293249a5369b9bb1e712864d2

Download Submit
C:\Windows\SysWOW64\Jaaoakmc.exe

Filesize
368KB

MD5
083385b776ec5eed309fd6a0dbfb2d9d

SHA1
dcba8e68d8b35d9bf7e3bf72de609e6f872a03be

SHA256
d1a7bdb3f732da2625b2b241888689b3ae15e19cab1c3ba295b45d0c4e936c59

SHA512
31730e42d0b1e74513719cf97b6875ba08a51f389bf184586a94d6aee90eaeb963178c8ce54294e967f42baa993fa366c983500a5aa9e745a6d21afabd25f8b1

Download Submit
C:\Windows\SysWOW64\Jdbhcfjd.exe

Filesize
368KB

MD5
0276529880282ddd095ea5dbe15331e8

SHA1
b1d3c8bd7b9339321b7f1ba0c8869b11587f117c

SHA256
fafb499be2c684458d09ca72ee6f3ebde6e2c5b4be86a93d71ef180ff4998adb

SHA512
ca84a00285feb2268aed051e2211c33037e549779ca6d633b1ff3ea59d992fda52ce6e82eff34c90f4be7af6c1de05252be52765bed5bd2583897a3f17e12c6b

Download Submit
C:\Windows\SysWOW64\Jekoljgo.exe

Filesize
368KB

MD5
a81be48e06c56e7652859d8b9bf2e7ae

SHA1
b78a58a3e7de29ca34717a7edfb27975c0b8a6f1

SHA256
61bcd3dbb14d7121e3bde1a8d56884a742d4e215694d6994d695dd1204654c2c

SHA512
a7b1008f46847478c0567ddf73212fdc7e3a029eff0dae76e3950e86961d2644fbaa456c682ebf0e874b4f33ab233a0076f332ae0de481783af96b53388e5022

Download Submit
C:\Windows\SysWOW64\Jnafop32.exe

Filesize
368KB

MD5
511c59850ce592406ae416b4ebd4f1c1

SHA1
56c71a9b8debc248282f2a64d692a093d4ebda94

SHA256
afa762a06131061e0bea374ae421701a144d4fbd1f4e10ab558389f533df88a3

SHA512
dba080297e6ef7c3dc9f58b7ff74e8f0a420c87ca66eb62713d336dd987b6e4f60477adb73b6757643e6b6b8f3c61c5875ee0bd0d8e456991ae79664b06b720f

Download Submit
C:\Windows\SysWOW64\Kihcakpa.exe

Filesize
368KB

MD5
ebae9fdc9263ec79c9e5e015648891f6

SHA1
7ae323611c1cc57aee11584166a6edeec2e5ffa4

SHA256
78ca014c5f2b29af0e413c076aeb14ccdf9b59ddb957f736effd112ba960e3c3

SHA512
3e269c2b8237066f53920c738d33e36bd2972aac406684ebfd2b9e621d64f3614dc23bce0fb44ae9d8b17ef86c109ead4788864e009571b8bb6071d8946d7f15

Download Submit
C:\Windows\SysWOW64\Kikpgk32.exe

Filesize
368KB

MD5
dace86f077b29d61d837edb9727059e7

SHA1
5f1cfa7df392643c16f06950dfcf9c9e33e6102e

SHA256
aab01abf57156db73abeea409e8d0b212d50af929ace6416b8032ebc6eb82a9b

SHA512
264c27a1815d355b20cc078bba3c8d2914ff230ee3ed4e0e3fa3386b6cfd44934b525593a63dda1364e7631c5c16a8eabfeaa5639bc6d04f5fc547422a2f97ef

Download Submit
C:\Windows\SysWOW64\Kkajkoml.exe

Filesize
368KB

MD5
eb8e37bfa8acb21c64e8033692a0972d

SHA1
49d29ccfaeb249448036576fe9af7fb9debc5b83

SHA256
8982d8daa8d829d5b4b546ec0df8c9cd21094f85da842e33734ea8b94983bb5d

SHA512
cac810bec8a083657e480e6660d2e6f4eff5ce2d34c01e2a4c518ce60ab7c850d3a7c2dd3ba63c68f9425a55a8a29b6b7c89b73809a9ee1ce837af95a38c8346

Download Submit
C:\Windows\SysWOW64\Kpiihgoh.exe

Filesize
368KB

MD5
24f64a174403ba8d5da0785bdd660faa

SHA1
52a4150392973221ca3e3a9c8e3af9ab2fd69b14

SHA256
42b625469815ec4b284621fd860e4be38a9e35dc006884c253b4b46b79fa8e3e

SHA512
6ec9ec30363b5bc46e618866f0a79c8678f3c759a9b54446809d6ebfdcab91540fff0a13d910b7731b80b1cd3123471b07f7e0f3fd3ae647d9066ab65d5c0da6

Download Submit
C:\Windows\SysWOW64\Lahaqm32.exe

Filesize
368KB

MD5
058c144d30b69a1678844dd73ca45ef9

SHA1
2c351fba39e0142880b36f59bfe4b8023168e40c

SHA256
2b1ec4bed4044c6ae36223f5f1a2f7fe0db2d38424b012131076e09bb08584e8

SHA512
0a71b3f952be6f7c34a8e196673ce4e5ebc01e4a3068c45c42d71288a5032f8339bb28cea85799fe328ee0357021acd2372ffb7b9a430d856bd22a230d978345

Download Submit
C:\Windows\SysWOW64\Lbkdpgdb.dll

Filesize
7KB

MD5
040b887070ef9510dc27802f52451862

SHA1
99d17374249b217692ac7f4701ac2542d5a7e1a1

SHA256
3203ba03f84ab40a243f3ea66daeac6b0af7a0d71bd543bd1c48c94ddc704890

SHA512
5ce6385cd8f6db56f87c3343e3ecc74874c20a43b78b3a821d3063d2726b45812d6f673bff9276d5d9744ba9bdf5be0b2296a6cf5a6ce2aa384b4bc9e5c6172c

Download Submit
C:\Windows\SysWOW64\Lcnhcdkp.exe

Filesize
368KB

MD5
1a7a7564ca69c8f69aeb583551bb5424

SHA1
f1b45412709d81732f9aac4559db5628d3059482

SHA256
4a0ecccaf57e7f4d130e9bdc6f9feff28cb5085ebef7c6501d187920e86f4a09

SHA512
4c9fe76310ca94d1df927199c411dd82c1d2ab1c20422e662903d55d8a418134d27c6f2fb38efde28f726f31539a524c6dd9936e3b769c7f12525c8ab2fc331c

Download Submit
C:\Windows\SysWOW64\Lddagi32.exe

Filesize
368KB

MD5
19c60370edbd45399d7e34ae61864641

SHA1
777258333e2096809ccff110fe15392155972425

SHA256
9325927ca4e65dc1127715bfa92a38b1963d56eea39941b3568ede6293670468

SHA512
43def7cfa2d38f84c233b07877c783d76ab4fea978f99ec902c54f730febbb19decb6308f0f58fd0a94df580594a8cb3a8b9ad6e18be008cfc802c3387708b33

Download Submit
C:\Windows\SysWOW64\Lhbjmg32.exe

Filesize
368KB

MD5
559215cb25fbf0f25ea299426026733b

SHA1
7b1cc35643757b6271767db37380af7cd5910944

SHA256
ec37c32da5de90adcefe1d83090f34452e12b4db3b7c260d9ad9419e6c89b28d

SHA512
facb31e5c089242cd618571555ba42f26eb5c698de756a1611f970738783e3158282d50ff415aeace7d3f59e4c111bdef58c04e8cfba837ee05f50a1be18b5e1

Download Submit
C:\Windows\SysWOW64\Lhegcg32.exe

Filesize
368KB

MD5
3727447c12442695dd7a66b334ea1b4b

SHA1
fceeb1e56320fa5143ac8c9dbef5dae14b109680

SHA256
9e535ac6697eddb42cf27f98ad19748f57f4d30cb5861bacc8f381bd4cb3ca45

SHA512
4c82650cce7c1b09e2352881a153d4939a0973c94861d69b2be264faa1b9894d4886dc5fba3675b836e409c1e561f21ae02feb244162796202b85ad59f2783d0

Download Submit
C:\Windows\SysWOW64\Mbhnpplb.exe

Filesize
368KB

MD5
5fd89a6340be6489a01c5b8fba9079ac

SHA1
56c614c4445e3c6f9630974126744f052c9c0467

SHA256
b567878f459d5ca5532aab4eec7b7300278f9f74e3fdb4ad741c4e44f286bb1c

SHA512
366d8abf7b80f43c8cdab67076cdca04bda0b68d227c91ac7b6a3253df172f784003f7d81425f8d629929500b205d26ecc40127de009cf1b4a7664815652d237

Download Submit
C:\Windows\SysWOW64\Mbkkepio.exe

Filesize
368KB

MD5
83880beec9fba066a72ffa211f2249ab

SHA1
e441cd19e7b3c46c378adcaa7db31fc9e3df5eac

SHA256
c3e2dfd686c677621418c40f99c32159d667fd85e5bd4459abfaf4fb98b40c08

SHA512
9285f8191c3e65ee47c9f17b944ac3b16c9f1af2a04cc1ab6eb111d59402bbc6f164749b5f4bca90a95ecdaf262aa76c94c5698a080c1b9fc547729a0cdcbffb

Download Submit
C:\Windows\SysWOW64\Mglpjc32.exe

Filesize
368KB

MD5
13dd64cd3bcf5d76b163bd4cc56066ba

SHA1
9c6006c94689803be2d7047380775ce7887be664

SHA256
3d140a88bbd1ed994217ac2e610726ed55de8b7d3590b4ddfb8323c58830caf5

SHA512
e4f5e5450c441dc32b80b2193aa7b9c44977ff37beca14ff61a5019d969d8620b6db2c7035c3a2afcec2d8352c1d7d871a237320583a13fb745e1acb1b73fa23

Download Submit
C:\Windows\SysWOW64\Mjmiknng.exe

Filesize
368KB

MD5
de9a5a44e4c524533afebba3575fa509

SHA1
2ece4c6d6d0966121ee150e925f1f125049d6f22

SHA256
5616d238d2ee372d0bf9848a9fa640ffd13ee7b2617458adffdb029df8f62e4f

SHA512
5905107e877a57857cd0279020a5c0d9709298b4388271b4f932eb958bebf2b0382de4bd70b869ca8a608097404dfcde99893f89c22c567358b75d9010bb9e81

Download Submit
C:\Windows\SysWOW64\Mlnbmikh.exe

Filesize
368KB

MD5
281bbd230bf32890337c77d7ac1a03c9

SHA1
b2a54de96aea3330dfc103d1358eeca98a7f0c42

SHA256
662d92c14742003e4ce73478fc1e8c1ede965178f57e073456e9367c6ae543b7

SHA512
651070fe9e3745d005bd1c8c63de8be53fb4457ec44ef29cc927184b3dc2d4c948be4101dcac1e69dccb4b0d6b93616c253b13417011986065a59c03d809c23b

Download Submit
C:\Windows\SysWOW64\Mookod32.exe

Filesize
368KB

MD5
d008201ca1788e5a648d548a3c5e888c

SHA1
f0129facdf8e46cd113f7ca1e296e56286330693

SHA256
ce28dfbd854c4d1b48d71479b584cc8c94adeeb6fe92716b822aed5b6e10b12c

SHA512
05ed2f379ca3b90131e6767b7f2341b0b99a15a509ff65d5298b23e77c0b68db2befd5e59220d08ce976c0b121647df98f3e3ff46f1db86ad6c4f65c5cbbfbab

Download Submit
C:\Windows\SysWOW64\Nkjeod32.exe

Filesize
368KB

MD5
db8f474663c24be9e3289aa1efa81435

SHA1
4649d4f01c4a038fc77cd8c8344a04cd8e3de514

SHA256
e047cf7771f2738ab32dc39da05c220e94125f1460d098c8a53e3c5de775f69b

SHA512
0bfe2284029d485b2963e4683f9731f3c0e2d46a2259f542a51ebf603a015ad1640392be6639694aa36fc2739f7f5cd70407c3837a56b37fbc8750bf435e443b

Download Submit
C:\Windows\SysWOW64\Nmnoll32.exe

Filesize
368KB

MD5
d761542728217c7294b42b3629fc0c91

SHA1
5a8f372b3de84caf8a6f658c9152fb7b2af6e17a

SHA256
bede1c5a29fdd1d199e60276970da603599e557614f287652c814fc05db6a972

SHA512
ec412f6a86e43cf46b1108e3d1587f98ba402611a48fe8dcfa0e1258d0c510613a0fb1edd6ed7f427c63610a7a76ec6e86d854c31861282d2c1bace6acbf51be

Download Submit
C:\Windows\SysWOW64\Obopobhe.exe

Filesize
368KB

MD5
bdef8d481edc129c74a6b7f1a0d75bde

SHA1
b16702a7312dd8f0915070d3f0b88569bcbc6738

SHA256
a7cf1aa26c35031b83ea42e01e90d29acfe50798766e7dc253a3a8a3fcd9946e

SHA512
918e3180ad522c9079075e74667578fb516518b34c78a5c33c92e3acde642b69015c7387403e0b2030ba0cb8d84797e71b0f39b17578001634ec0afdbf1ed112

Download Submit
C:\Windows\SysWOW64\Ofmiea32.exe

Filesize
368KB

MD5
e0ee5d32470e343546bad4b4d6ce3917

SHA1
ca3db7545de812cd12cb34be8628daa031c5a61f

SHA256
d9c1db2d96e2c09140d0f4e73eeb15bc212317217635c669848e3289881615fc

SHA512
74ae8814115bc3e001a0878b3a55da1a588cd74335216ea2fdbd69d1e18b38fbf548571087d51266bb431a3463265fdd1e7217d85f320c9e74bcdbb8773bd2c9

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
368KB

MD5
65700f9666a8276f11d8b03295523f27

SHA1
c6eccc1eef080db235c472bbb498334397d75a12

SHA256
cfd82ff936ed46b0276f1593d9d6afe457526fadda7c86660f322d4fe739d748

SHA512
9d02084fe8a9e79ccf9b32543116b45758a48933dcba8b08df0d1f7948bb1491703869143fdd606bdc2e73f17b3e65aad4aecb735a319ce8f5e4b6da4f0134e7

Download Submit
C:\Windows\SysWOW64\Opqdcgib.exe

Filesize
368KB

MD5
53bcc142ff33024f7d6ac03dd1074006

SHA1
49a1ef499e60275dcbd9a1012b580f6e48abfd81

SHA256
fc7524c211a8946bb79af2901a2524b6672002b148a8ef1d1948451a9713ee54

SHA512
53e7571a6006e0e8fff2907857037a64652f1cbdfff8d3aad71ebe5d3a8446f1841f54a02943aae028e0e0d0a69a30ed7d26dfc67f92dbb29fe2e3720cc9e9e2

Download Submit
\Windows\SysWOW64\Aenileon.exe

Filesize
368KB

MD5
78c9337f7e67e121313a79aa99ff2f06

SHA1
a13556fe3200c39174f8cbea334c8f416437c4db

SHA256
abf32d51c979a53b8af54d7fc0af911a201701cf4608be6b42534583aa534516

SHA512
7a8d8514102a417e867516d3a31af5f5ce758d27c3e188be134fe98dfd9472a3ca86c0e2c11f7f8204720ef0a189f68559731abb4c0820c6e3d65ae66b9127da

Download Submit
\Windows\SysWOW64\Akbgdkgm.exe

Filesize
368KB

MD5
cde94729b8f47bd8b0bd554f096321a4

SHA1
d408a77a6e4b072c24b01884ed90fef46acf5548

SHA256
10865f1a144d8f291c806460d2cfe2f0531569643a810781d44a3c6ed9936190

SHA512
d9f055e68877e552eb10fdc5d1fe56aba12661bf4b133f27f6d76e2fd87c327103995d723c6609415d6c1539ed0ab56c1b0eca1138db51ad57fa5d71153e0d4b

Download Submit
\Windows\SysWOW64\Bgpnjkgi.exe

Filesize
368KB

MD5
99536516b07b7aa65f4d93af91e03444

SHA1
0e77d67c553f8f63b9470a04c90bd175c98b7786

SHA256
9497541b49f6d3ae15a516189eeb0d339858d9064ad8302fa724ebc601333368

SHA512
9003f9972ad8245c63afafb9ae3bb5fb09fc7285f34cffcc4edc6ab7ed53d6d548d12ff621bdca7d81235c67bcf5a425a594b5db858fd2c11eee978ae462adb6

Download Submit
\Windows\SysWOW64\Bkgqpjch.exe

Filesize
368KB

MD5
43353b2ed9b46706fcc91d4e742f6484

SHA1
67b5c845d09e1ad35b62a4d09980a232047e9f0d

SHA256
21aeb91d9a66e7fed80663a604164c5ddd1781308d63a0a9ac9cfdb9ae92213c

SHA512
c67a569801942935eee84787f20a884fc97ed57497b0dcfedbbf3498a0dd746e86133c60f53fc6da7c70c62dfa34f34e03d8a470fbc8e401ab78bb00bc8c965c

Download Submit
\Windows\SysWOW64\Cafbmdbh.exe

Filesize
368KB

MD5
840a38a6c9fdfc0c1712800428986b0e

SHA1
3e9f2898f39d773a62dcf655e41112101b4619c2

SHA256
084ff3d08b7cfc609266a70b409661d3e0e59f05bb6a5abd696bb34d1684dc39

SHA512
316df62472f7d5123d54be60b56df17a98abd9601754e26aaa428cd40d26d092ad5d012c7af39867b62e76b79d7b834022f20bae3ca10b9af9edefd5fece7208

Download Submit
\Windows\SysWOW64\Cifdmbib.exe

Filesize
368KB

MD5
8d00b3e2368de39925c97be951b53565

SHA1
d76e588533a7fa5f55495a629d20db5daba2b5f6

SHA256
4ec6febbc31e988fa225295353316c75303fd49c93bc7e022a069932f1159155

SHA512
419e3044d9443a631d7330e9eefde6132c81d4c8a659c02c45fde25d503b24baf820b932fb65eeaaaee9b66786aa92b3aa27369d22badfdc1e50923c613735f0

Download Submit
\Windows\SysWOW64\Mgfjjh32.exe

Filesize
368KB

MD5
0f67d01663a36cc10c5f78c4eb6e15fc

SHA1
5c536444bb26b43f985e9dcac43b7ba80e8e43cd

SHA256
ad48b39cb387400dfcc4a31d3ea40001f1a93fc670536c3aa9c3e16e02113e46

SHA512
8bea2267a2b2eb95e618eb5e617ae10fe581df9510a339eadc60b3e974ca03ac9722836888fd706c6d4e681ec31c4439e45cece0a5a98236e2a2c4b00c633d22

Download Submit
\Windows\SysWOW64\Ncpgeh32.exe

Filesize
368KB

MD5
5975ae5e5ce431784a04ce7cdca9f8bd

SHA1
634ce3fc96bf8e54a0ca124c6e0428ef267a7a82

SHA256
b88ca52c6a6afa6dc246d65874d42431ef866b8f5785c4ff71e70272c7a1c868

SHA512
973452d7e925f47464998ffdea8d4683f1e80d31fd0420547b80f2e4f1971812906113114f548a1308b4fcd94789726b834a8bcc469777d5c581486ed504124c

Download Submit
\Windows\SysWOW64\Nhdjdk32.exe

Filesize
368KB

MD5
c3ebb4e1e79cc4fccf07565dc42ad89c

SHA1
c28dfb5479ac91a6f9e8852208ac56bd92c75053

SHA256
5d8a15b0f80f99ce1ef12f8b1c0ed4a3b517970f9f2e264e9c79bf2d2cb53de9

SHA512
4d57d447b9a3b18b213d6691679f2da35dfa4bfd067aec9eb0e79d9603d0b5a661325563508845a837e472020b9dd4444b3174100e817ecfd97b2ff30baae605

Download Submit
\Windows\SysWOW64\Odmgnl32.exe

Filesize
368KB

MD5
0c28cfe1a6398337aa26f9a81075f911

SHA1
528e5860ad1f799777894aa5ad932a00e44f88c8

SHA256
1ab1311c7e92ee642849d16d3ea257656e531bf07d526d92de29d1286226619f

SHA512
acf9b41c994b43d8261496c621a37b38ae4b3d7d3a217c2d7158cf814b09371dfa087eb079edd8ee99ca4f85ab210f75133f1a30ecbb3584f403f4a1f062bd96

Download Submit
\Windows\SysWOW64\Ophanl32.exe

Filesize
368KB

MD5
9298eb131ced35de55dbdd7e1cd5441f

SHA1
97c3b5c1a159c107302510591ffc51420f034665

SHA256
bd4a2cb28f6c2c2b18ac9ebdc170a3a94f01fe35c2b659bdb1d70a68fa10cafe

SHA512
da3f82fe743d6413e80be94125ce6e4b4946d22adf94ad5d50b15f4ae9cb0542544a2fdcc1d97638e49d027e4909580aebe27d8c0813e9ade1fb4ac6d61fe41d

Download Submit
\Windows\SysWOW64\Pacqlcdi.exe

Filesize
368KB

MD5
e4ace8fa1c05970522e71819db35a654

SHA1
002d21742c42d18aab835c06adb513b44efadf73

SHA256
c53db38c8978b22a4b8dd26a00558a87428a16f3991b07947f4ec52d70880f23

SHA512
fb92097e9cb8bd4b833f41707758d5a6f4d8ffcf58b1832b8a9939ad7845fade2a02d6934681abb53808396dc02b4654601219fbc3ce26098e3b3e8fd9f2d899

Download Submit
\Windows\SysWOW64\Pahjgb32.exe

Filesize
368KB

MD5
a27504f9a4fb5a7cdc1194e261045045

SHA1
d70feda5839a2795b7d077d76a96362e1122d851

SHA256
6702a111f966e5ad017ccc7f22d9eb709ec977d15a6fcff22acf67ce3a958fda

SHA512
f50ebec405702743f07dbab8143c9d3df95c728fd27caa784315dc150ed7b285889bfd98517075c14bba31abca9d9a17ed212008bb30feb5dce00a991b52434b

Download Submit
\Windows\SysWOW64\Popkeh32.exe

Filesize
368KB

MD5
5b9c74a5b747f5236328024916f01dc7

SHA1
51c4534c15f52455de2b8712d511e7097debb8fc

SHA256
73aeed4ccf7be6d58c1848f80251a31ec2a9ecbfd87066fe974385edf2673027

SHA512
e38ad043d03d6659eb65be139ee1f4d65eced4ea0d7fbf198260678c8f0cb610577cc40d24847311a0e5ccaf7fde172ce31271b869c5937e60073c3d0cba9dbc

Download Submit
memory/640-172-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/640-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/640-479-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/684-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-399-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/1240-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1356-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-268-0x0000000000320000-0x0000000000359000-memory.dmp

Filesize
228KB

Download
memory/1448-264-0x0000000000320000-0x0000000000359000-memory.dmp

Filesize
228KB

Download
memory/1448-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-219-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-226-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1648-412-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1648-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1648-106-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1696-203-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1696-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-300-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1916-298-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1976-456-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1976-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1976-455-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1988-278-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1988-273-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-279-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2012-309-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2012-310-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2108-189-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2124-245-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2124-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-235-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2292-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-432-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2312-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-120-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2312-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2316-123-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2316-134-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2316-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2316-443-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2352-286-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/2352-290-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/2352-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2380-320-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2380-321-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2380-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2384-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2384-217-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2404-343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-25-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/2536-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-89-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2556-333-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2556-332-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2556-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2600-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-75-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2676-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-467-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2708-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-67-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2780-378-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2780-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-367-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2800-49-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2800-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2820-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-35-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2832-360-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2832-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-366-0x0000000000490000-0x00000000004C9000-memory.dmp

Filesize
228KB

Download
memory/2868-364-0x0000000000490000-0x00000000004C9000-memory.dmp

Filesize
228KB

Download
memory/2868-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2936-379-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2936-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2948-411-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2948-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2960-444-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2960-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2960-463-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2960-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2960-148-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/2996-162-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2996-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-469-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3008-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-7-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download
memory/3012-12-0x00000000001B0000-0x00000000001E9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads