083978bc3c08a5326dd4a55a7ac0e258d8aabfee8670764913aa311fc3fb88ed

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa0e916d48b3c88161f19237d04883a0N.exe
Size

1.1MB
MD5

aa0e916d48b3c88161f19237d04883a0
SHA1

95447324e44bad07cc9e3b64cd326c9b126a8cd6
SHA256

083978bc3c08a5326dd4a55a7ac0e258d8aabfee8670764913aa311fc3fb88ed
SHA512

f1b13b9f9d090ea5fe0422eda61c20001006ea6771605cc8cc6ca4a4a6e1af2d05fec926df20f758eca6519d1b4292cfab7ee4447cb0380701b52079516a1dc1
SSDEEP

24576:iferQg5Wm0BmmvFimm0MTP7hm0BmmvFimm0HkEyDucEQX:iUQg5SiLi0kEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmfgkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckcnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbboiknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iilceh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljjhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dckcnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflndjin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Engjkeab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmlckehe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa0e916d48b3c88161f19237d04883a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	aa0e916d48b3c88161f19237d04883a0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmlckehe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpfke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edofbpja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghddnnfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghddnnfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdolbbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iilceh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ialadj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehaolpke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ialadj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljjhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Engjkeab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmfgkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpfke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edofbpja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhikae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbboiknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipdolbbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgdcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehaolpke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfjfik32.exe

Executes dropped EXE 30 IoCs

pid	Process
2140	Dckcnj32.exe
2688	Dfpfke32.exe
2824	Ehaolpke.exe
2560	Egkehllh.exe
2568	Edofbpja.exe
1976	Engjkeab.exe
1520	Gmlckehe.exe
2736	Ghddnnfi.exe
2804	Hflndjin.exe
2608	Hbboiknb.exe
1400	Hhdqma32.exe
848	Ipdolbbj.exe
2504	Iilceh32.exe
1820	Icgdcm32.exe
388	Ialadj32.exe
1584	Jneoojeb.exe
1360	Jgppmpjp.exe
1636	Jddqgdii.exe
2980	Kfjfik32.exe
1408	Llbnnq32.exe
236	Lmfgkh32.exe
3044	Ljjhdm32.exe
3060	Mmkafhnb.exe
2188	Mfebdm32.exe
2684	Mhikae32.exe
2808	Npiiafpa.exe
2904	Nahfkigd.exe
2764	Nkqjdo32.exe
2596	Nobpmb32.exe
2700	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
2080	aa0e916d48b3c88161f19237d04883a0N.exe
2080	aa0e916d48b3c88161f19237d04883a0N.exe
2140	Dckcnj32.exe
2140	Dckcnj32.exe
2688	Dfpfke32.exe
2688	Dfpfke32.exe
2824	Ehaolpke.exe
2824	Ehaolpke.exe
2560	Egkehllh.exe
2560	Egkehllh.exe
2568	Edofbpja.exe
2568	Edofbpja.exe
1976	Engjkeab.exe
1976	Engjkeab.exe
1520	Gmlckehe.exe
1520	Gmlckehe.exe
2736	Ghddnnfi.exe
2736	Ghddnnfi.exe
2804	Hflndjin.exe
2804	Hflndjin.exe
2608	Hbboiknb.exe
2608	Hbboiknb.exe
1400	Hhdqma32.exe
1400	Hhdqma32.exe
848	Ipdolbbj.exe
848	Ipdolbbj.exe
2504	Iilceh32.exe
2504	Iilceh32.exe
1820	Icgdcm32.exe
1820	Icgdcm32.exe
388	Ialadj32.exe
388	Ialadj32.exe
1584	Jneoojeb.exe
1584	Jneoojeb.exe
1360	Jgppmpjp.exe
1360	Jgppmpjp.exe
1636	Jddqgdii.exe
1636	Jddqgdii.exe
2980	Kfjfik32.exe
2980	Kfjfik32.exe
1408	Llbnnq32.exe
1408	Llbnnq32.exe
236	Lmfgkh32.exe
236	Lmfgkh32.exe
3044	Ljjhdm32.exe
3044	Ljjhdm32.exe
3060	Mmkafhnb.exe
3060	Mmkafhnb.exe
2188	Mfebdm32.exe
2188	Mfebdm32.exe
2684	Mhikae32.exe
2684	Mhikae32.exe
2808	Npiiafpa.exe
2808	Npiiafpa.exe
2904	Nahfkigd.exe
2904	Nahfkigd.exe
2764	Nkqjdo32.exe
2764	Nkqjdo32.exe
2596	Nobpmb32.exe
2596	Nobpmb32.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhikae32.exe	Mfebdm32.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Mhikae32.exe
File opened for modification	C:\Windows\SysWOW64\Nahfkigd.exe	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Gmlckehe.exe	Engjkeab.exe
File opened for modification	C:\Windows\SysWOW64\Hflndjin.exe	Ghddnnfi.exe
File created	C:\Windows\SysWOW64\Hedkhm32.dll	Hhdqma32.exe
File opened for modification	C:\Windows\SysWOW64\Mmkafhnb.exe	Ljjhdm32.exe
File opened for modification	C:\Windows\SysWOW64\Dckcnj32.exe	aa0e916d48b3c88161f19237d04883a0N.exe
File created	C:\Windows\SysWOW64\Onmfnc32.dll	Hbboiknb.exe
File created	C:\Windows\SysWOW64\Adlqbf32.dll	Kfjfik32.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Mhikae32.exe
File created	C:\Windows\SysWOW64\Pfknaf32.dll	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Nkqjdo32.exe	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Edofbpja.exe	Egkehllh.exe
File created	C:\Windows\SysWOW64\Hhdqma32.exe	Hbboiknb.exe
File opened for modification	C:\Windows\SysWOW64\Jneoojeb.exe	Ialadj32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjfik32.exe	Jddqgdii.exe
File created	C:\Windows\SysWOW64\Ipdolbbj.exe	Hhdqma32.exe
File created	C:\Windows\SysWOW64\Iilceh32.exe	Ipdolbbj.exe
File opened for modification	C:\Windows\SysWOW64\Llbnnq32.exe	Kfjfik32.exe
File created	C:\Windows\SysWOW64\Cobcakeo.dll	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Dhompmdf.dll	Dfpfke32.exe
File created	C:\Windows\SysWOW64\Iialocke.dll	Ghddnnfi.exe
File created	C:\Windows\SysWOW64\Hbboiknb.exe	Hflndjin.exe
File opened for modification	C:\Windows\SysWOW64\Hbboiknb.exe	Hflndjin.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Mhikae32.exe
File created	C:\Windows\SysWOW64\Egkehllh.exe	Ehaolpke.exe
File opened for modification	C:\Windows\SysWOW64\Egkehllh.exe	Ehaolpke.exe
File created	C:\Windows\SysWOW64\Njlacdcc.dll	Jddqgdii.exe
File opened for modification	C:\Windows\SysWOW64\Ljjhdm32.exe	Lmfgkh32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqjdo32.exe	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Fkohmocc.dll	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Dfpfke32.exe	Dckcnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ehaolpke.exe	Dfpfke32.exe
File created	C:\Windows\SysWOW64\Jpfncf32.dll	Ehaolpke.exe
File opened for modification	C:\Windows\SysWOW64\Hhdqma32.exe	Hbboiknb.exe
File opened for modification	C:\Windows\SysWOW64\Ipdolbbj.exe	Hhdqma32.exe
File created	C:\Windows\SysWOW64\Geiabo32.dll	Jgppmpjp.exe
File created	C:\Windows\SysWOW64\Qieiiaad.dll	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Ljjhdm32.exe	Lmfgkh32.exe
File created	C:\Windows\SysWOW64\Ajenah32.dll	Ljjhdm32.exe
File created	C:\Windows\SysWOW64\Nobpmb32.exe	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Gabmfl32.dll	Dckcnj32.exe
File created	C:\Windows\SysWOW64\Ehaolpke.exe	Dfpfke32.exe
File opened for modification	C:\Windows\SysWOW64\Ialadj32.exe	Icgdcm32.exe
File created	C:\Windows\SysWOW64\Jddqgdii.exe	Jgppmpjp.exe
File opened for modification	C:\Windows\SysWOW64\Engjkeab.exe	Edofbpja.exe
File opened for modification	C:\Windows\SysWOW64\Iilceh32.exe	Ipdolbbj.exe
File created	C:\Windows\SysWOW64\Llbnnq32.exe	Kfjfik32.exe
File opened for modification	C:\Windows\SysWOW64\Lmfgkh32.exe	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Engjkeab.exe	Edofbpja.exe
File opened for modification	C:\Windows\SysWOW64\Icgdcm32.exe	Iilceh32.exe
File created	C:\Windows\SysWOW64\Ialadj32.exe	Icgdcm32.exe
File created	C:\Windows\SysWOW64\Kfjfik32.exe	Jddqgdii.exe
File opened for modification	C:\Windows\SysWOW64\Jddqgdii.exe	Jgppmpjp.exe
File created	C:\Windows\SysWOW64\Pnbogaqb.dll	Lmfgkh32.exe
File created	C:\Windows\SysWOW64\Fnickdla.dll	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Lqpnnk32.dll	Engjkeab.exe
File opened for modification	C:\Windows\SysWOW64\Ghddnnfi.exe	Gmlckehe.exe
File created	C:\Windows\SysWOW64\Qhchihim.dll	Hflndjin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2412	2700	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkqjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpfke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmlckehe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddqgdii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhdqma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ialadj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iilceh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckcnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghddnnfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbboiknb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa0e916d48b3c88161f19237d04883a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Engjkeab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdolbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljjhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nahfkigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobpmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkehllh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbnnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkafhnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhikae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edofbpja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jneoojeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgppmpjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehaolpke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflndjin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmfgkh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifefbd32.dll"	aa0e916d48b3c88161f19237d04883a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkohmocc.dll"	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhchihim.dll"	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmfnc32.dll"	Hbboiknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkecbl32.dll"	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll"	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmfgkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll"	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieiiaad.dll"	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehaolpke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfncf32.dll"	Ehaolpke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coblakbp.dll"	Edofbpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfjfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljjhdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	aa0e916d48b3c88161f19237d04883a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aa0e916d48b3c88161f19237d04883a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aa0e916d48b3c88161f19237d04883a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Engjkeab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmfgkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljjhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edofbpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgcql32.dll"	Iilceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenah32.dll"	Ljjhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	aa0e916d48b3c88161f19237d04883a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iialocke.dll"	Ghddnnfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgppmpjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiabo32.dll"	Jgppmpjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmfl32.dll"	Dckcnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhompmdf.dll"	Dfpfke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmlckehe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmlckehe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdngaom.dll"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmden32.dll"	Egkehllh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edofbpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hedkhm32.dll"	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iilceh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpfke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfknaf32.dll"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejfepch.dll"	Ipdolbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dckcnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgefap32.dll"	Jneoojeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2140	2080	aa0e916d48b3c88161f19237d04883a0N.exe	30
PID 2080 wrote to memory of 2140	2080	aa0e916d48b3c88161f19237d04883a0N.exe	30
PID 2080 wrote to memory of 2140	2080	aa0e916d48b3c88161f19237d04883a0N.exe	30
PID 2080 wrote to memory of 2140	2080	aa0e916d48b3c88161f19237d04883a0N.exe	30
PID 2140 wrote to memory of 2688	2140	Dckcnj32.exe	31
PID 2140 wrote to memory of 2688	2140	Dckcnj32.exe	31
PID 2140 wrote to memory of 2688	2140	Dckcnj32.exe	31
PID 2140 wrote to memory of 2688	2140	Dckcnj32.exe	31
PID 2688 wrote to memory of 2824	2688	Dfpfke32.exe	32
PID 2688 wrote to memory of 2824	2688	Dfpfke32.exe	32
PID 2688 wrote to memory of 2824	2688	Dfpfke32.exe	32
PID 2688 wrote to memory of 2824	2688	Dfpfke32.exe	32
PID 2824 wrote to memory of 2560	2824	Ehaolpke.exe	33
PID 2824 wrote to memory of 2560	2824	Ehaolpke.exe	33
PID 2824 wrote to memory of 2560	2824	Ehaolpke.exe	33
PID 2824 wrote to memory of 2560	2824	Ehaolpke.exe	33
PID 2560 wrote to memory of 2568	2560	Egkehllh.exe	34
PID 2560 wrote to memory of 2568	2560	Egkehllh.exe	34
PID 2560 wrote to memory of 2568	2560	Egkehllh.exe	34
PID 2560 wrote to memory of 2568	2560	Egkehllh.exe	34
PID 2568 wrote to memory of 1976	2568	Edofbpja.exe	35
PID 2568 wrote to memory of 1976	2568	Edofbpja.exe	35
PID 2568 wrote to memory of 1976	2568	Edofbpja.exe	35
PID 2568 wrote to memory of 1976	2568	Edofbpja.exe	35
PID 1976 wrote to memory of 1520	1976	Engjkeab.exe	36
PID 1976 wrote to memory of 1520	1976	Engjkeab.exe	36
PID 1976 wrote to memory of 1520	1976	Engjkeab.exe	36
PID 1976 wrote to memory of 1520	1976	Engjkeab.exe	36
PID 1520 wrote to memory of 2736	1520	Gmlckehe.exe	37
PID 1520 wrote to memory of 2736	1520	Gmlckehe.exe	37
PID 1520 wrote to memory of 2736	1520	Gmlckehe.exe	37
PID 1520 wrote to memory of 2736	1520	Gmlckehe.exe	37
PID 2736 wrote to memory of 2804	2736	Ghddnnfi.exe	38
PID 2736 wrote to memory of 2804	2736	Ghddnnfi.exe	38
PID 2736 wrote to memory of 2804	2736	Ghddnnfi.exe	38
PID 2736 wrote to memory of 2804	2736	Ghddnnfi.exe	38
PID 2804 wrote to memory of 2608	2804	Hflndjin.exe	39
PID 2804 wrote to memory of 2608	2804	Hflndjin.exe	39
PID 2804 wrote to memory of 2608	2804	Hflndjin.exe	39
PID 2804 wrote to memory of 2608	2804	Hflndjin.exe	39
PID 2608 wrote to memory of 1400	2608	Hbboiknb.exe	40
PID 2608 wrote to memory of 1400	2608	Hbboiknb.exe	40
PID 2608 wrote to memory of 1400	2608	Hbboiknb.exe	40
PID 2608 wrote to memory of 1400	2608	Hbboiknb.exe	40
PID 1400 wrote to memory of 848	1400	Hhdqma32.exe	41
PID 1400 wrote to memory of 848	1400	Hhdqma32.exe	41
PID 1400 wrote to memory of 848	1400	Hhdqma32.exe	41
PID 1400 wrote to memory of 848	1400	Hhdqma32.exe	41
PID 848 wrote to memory of 2504	848	Ipdolbbj.exe	42
PID 848 wrote to memory of 2504	848	Ipdolbbj.exe	42
PID 848 wrote to memory of 2504	848	Ipdolbbj.exe	42
PID 848 wrote to memory of 2504	848	Ipdolbbj.exe	42
PID 2504 wrote to memory of 1820	2504	Iilceh32.exe	43
PID 2504 wrote to memory of 1820	2504	Iilceh32.exe	43
PID 2504 wrote to memory of 1820	2504	Iilceh32.exe	43
PID 2504 wrote to memory of 1820	2504	Iilceh32.exe	43
PID 1820 wrote to memory of 388	1820	Icgdcm32.exe	44
PID 1820 wrote to memory of 388	1820	Icgdcm32.exe	44
PID 1820 wrote to memory of 388	1820	Icgdcm32.exe	44
PID 1820 wrote to memory of 388	1820	Icgdcm32.exe	44
PID 388 wrote to memory of 1584	388	Ialadj32.exe	45
PID 388 wrote to memory of 1584	388	Ialadj32.exe	45
PID 388 wrote to memory of 1584	388	Ialadj32.exe	45
PID 388 wrote to memory of 1584	388	Ialadj32.exe	45

C:\Users\Admin\AppData\Local\Temp\aa0e916d48b3c88161f19237d04883a0N.exe
"C:\Users\Admin\AppData\Local\Temp\aa0e916d48b3c88161f19237d04883a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Dckcnj32.exe
  C:\Windows\system32\Dckcnj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Dfpfke32.exe
    C:\Windows\system32\Dfpfke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Ehaolpke.exe
      C:\Windows\system32\Ehaolpke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\Egkehllh.exe
        
        C:\Windows\system32\Egkehllh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\Edofbpja.exe
        
        C:\Windows\system32\Edofbpja.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Engjkeab.exe
        
        C:\Windows\system32\Engjkeab.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Gmlckehe.exe
        
        C:\Windows\system32\Gmlckehe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Ghddnnfi.exe
        
        C:\Windows\system32\Ghddnnfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Hflndjin.exe
        
        C:\Windows\system32\Hflndjin.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Hbboiknb.exe
        
        C:\Windows\system32\Hbboiknb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Hhdqma32.exe
        
        C:\Windows\system32\Hhdqma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ipdolbbj.exe
        
        C:\Windows\system32\Ipdolbbj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Iilceh32.exe
        
        C:\Windows\system32\Iilceh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Icgdcm32.exe
        
        C:\Windows\system32\Icgdcm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Ialadj32.exe
        
        C:\Windows\system32\Ialadj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Jneoojeb.exe
        
        C:\Windows\system32\Jneoojeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Jgppmpjp.exe
        
        C:\Windows\system32\Jgppmpjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Jddqgdii.exe
        
        C:\Windows\system32\Jddqgdii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Kfjfik32.exe
        
        C:\Windows\system32\Kfjfik32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Llbnnq32.exe
        
        C:\Windows\system32\Llbnnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Lmfgkh32.exe
        
        C:\Windows\system32\Lmfgkh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Ljjhdm32.exe
        
        C:\Windows\system32\Ljjhdm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Mmkafhnb.exe
        
        C:\Windows\system32\Mmkafhnb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Mhikae32.exe
        
        C:\Windows\system32\Mhikae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Nahfkigd.exe
        
        C:\Windows\system32\Nahfkigd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Nkqjdo32.exe
        
        C:\Windows\system32\Nkqjdo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Nobpmb32.exe
        
        C:\Windows\system32\Nobpmb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfpfke32.exe

Filesize
1.1MB

MD5
de7c6aca91a42383993a536fa230560e

SHA1
ca6ecdd4b1236255d0e09f7164078cd4f3d697fa

SHA256
cae32aa8a84f8400630841fccfbb0c276fca83da4e5970a352ae6a44c035f3b7

SHA512
924e22d2280c1ebb36c516d4145a9cea442d740fdeb2b6d2ac069f28b0e76ed992ab45e5fbc3e7ba46e779ce2e60969562d0cf5f00c2d33888a7177ef26da97c

Download Submit
C:\Windows\SysWOW64\Edofbpja.exe

Filesize
1.1MB

MD5
87d0403cef358f0360a07a901217803a

SHA1
e85ce10fac1355e00423b23fdadb905df26b0187

SHA256
d12508d6349c41f48b08aa5ed59d3f6583be2fca8ee1ed172322a2181799e199

SHA512
60b2c291ceef85c8a0abccfef18974ecb7d73bdecf343a74ea4373ccdbaec932119d84dd22bbbd09a9c729584fd7e706139b3822c2581c379c5bc62ed1f28533

Download Submit
C:\Windows\SysWOW64\Egkehllh.exe

Filesize
1.1MB

MD5
3fbd2a3bedea74efc1eee34e48147fcc

SHA1
ffa11eeeccf085247af4f4c502c108dde6ed3a8e

SHA256
cb9ec6edc08756d1c65f67ccedbdd56407f0bbedd0ebde90592bb19264e2cd27

SHA512
158666ecdf6fa36f92d1e1340217864393e565d8428cdcc5c9e6e62deeea964521579b5350f3acd7a55d14433bb0dcfca21d55b88f0e447e3af2d52bffc7f3c6

Download Submit
C:\Windows\SysWOW64\Engjkeab.exe

Filesize
1.1MB

MD5
7315846182b057e0e096e7d33b6c8930

SHA1
ec9caf9fc464946e02cda8557e70d982056a4f07

SHA256
dc381cf4ea1d772beaed74ff6d771eb8da89364ec6f715c52d0ed57221b033f4

SHA512
804f36fac542a5a2bca164dc02116856dd7fafc50335723f21eeee293cddbea96b5bf2dec17dac281648d22758d858d4ca9216ec85638d884b411e516708df88

Download Submit
C:\Windows\SysWOW64\Ghddnnfi.exe

Filesize
1.1MB

MD5
e2ac31df4ef6121e5b3448dbfc0ee7bd

SHA1
cb61d90126154f5d6cc4de9e90b4c42307aba767

SHA256
91ef97a54e4733fa41bfa8f83e165f8aebce489b65e46323805e7d9a2ad4da5b

SHA512
7171c765173e3b05d3948fa821cfbcf24355402540a1598b8bb8e7e51c5abaf95e6a536a3aaab749f3c38d512ab1ed7659c06cf75f141b993dff4a95d75f92b8

Download Submit
C:\Windows\SysWOW64\Hbboiknb.exe

Filesize
1.1MB

MD5
2c0286917aed7debbcbb6a6ed5fc076a

SHA1
1f55b7376653e782bc7a9c3444f6b737d5760eea

SHA256
171a40fb3857fe18162c5d3f9eb040dceacfdf5a8f7dfba71bed6cb68a35c53b

SHA512
954bcaa4e4be13ea7b91897ab176f4ebc1e10af844f7721ceecd203e01d8dd2c1412d80b985f995218bafc098320a01607d9921cc473eba2ce3643853d9ac750

Download Submit
C:\Windows\SysWOW64\Hflndjin.exe

Filesize
1.1MB

MD5
70dcde92d8fed9d620fdc89bde9d9069

SHA1
398df1eec768f23c021407a0f58eae0d4aecb88b

SHA256
96a5e9c24cbe6e6507759660b00a86fade2c288830207bd4543fbaf65de43f92

SHA512
44fe8746eb19826a0d2c288c235a115ca9d9bb111b028af3add2ec4d7e6fe056960a16e8ef3ed05bda340cb4683c0e20893726a401b538c03f2b0930e5d15dcc

Download Submit
C:\Windows\SysWOW64\Hhdqma32.exe

Filesize
1.1MB

MD5
db34ea45f665e71aabe085088c981edb

SHA1
53e67a454dfe056935620d746331d8edb40e2928

SHA256
131133265e6257f84506dc6aecdef7235ba9b9b861547463feda27d51d74c7fb

SHA512
b1dd29ee070aaf0a4bf4602b1951754b84499b87950a618ee08bb0e2d04cdd66a99220c6b0ed10fb9704950f299976f67a584cf70570df9e2d3e1769cbc0044d

Download Submit
C:\Windows\SysWOW64\Ialadj32.exe

Filesize
1.1MB

MD5
004f5cb7c000618771c2a5f684b0c1ad

SHA1
d2ffb2fb6cee9f0b4fec76275e9d258c68f0fe47

SHA256
9f601d4fd6e01790ee9b42c2b68248a052cb286a2d171de992f5538710a8aaa0

SHA512
e3b1e9c3ba3a04034369877ec50528c5ce567bbef5c11055628512fde542739b32cdc97a8c733b087abc201874fca94c28b9f85cb3d6bdb4bfc060ffb497ea7a

Download Submit
C:\Windows\SysWOW64\Iilceh32.exe

Filesize
1.1MB

MD5
3f9513c7c80ae2be8a0492e5d3f28abd

SHA1
aecda47fb97c1edc9d2d09c850363b36c1190432

SHA256
9b20045e9ddc990034518802ef037b098cc0368f7e84a4eae230dd3afa451cbd

SHA512
9a7ba2c6cf02304b03df1eda2e16bd9171f71f75c9e4e77e427731c75e74bb72b463e10d62a3a508a12b78f5ddcb31d87efdc2d217c8f380b2d844355fc69799

Download Submit
C:\Windows\SysWOW64\Ipdolbbj.exe

Filesize
1.1MB

MD5
0f4a84b8d0caaedb76e8fefce7babe5a

SHA1
fabde292366f97b80da9af44bba06d5869eeda04

SHA256
933e3d08f898f1d1b95431d52ec17c23514304cf096ed12c372886346ae525f4

SHA512
ed67bb8d991bdf702e4312497dea74999c7b7f203d2fd3f3b31f37ccf9645e85f7a99ec192120e80014b2d774b2b66b1dc913186a3fc77f6debaa20d5d5d35cd

Download Submit
C:\Windows\SysWOW64\Jddqgdii.exe

Filesize
1.1MB

MD5
75fb41fad18ee81a5c663bc7b1069e93

SHA1
851e23b66f9a3145b2f80dd408413eac7b8dd5e2

SHA256
2372deffc4a0639dde16506d3d4083aebf797ad3c3feec31eb8a9e0f47450569

SHA512
49627d09f1d88681bb5b14344191bc33ff0d2472985cdf9ff41bbdecb5b2559ccf7670bae484aa7a5bfa320ff192a79f183ef1c3bdb1969e9e22b77a7cbd8dcc

Download Submit
C:\Windows\SysWOW64\Jgppmpjp.exe

Filesize
1.1MB

MD5
f04dc4898930ccaa3fc43f725b48ba78

SHA1
d4ddd37440bf5c763d67d947034e38edf725e0d0

SHA256
b649bbb2cb005398e69e3e94f966c6e2a47a616d2bc60275ab454e8ae6d29b91

SHA512
2341778e9dcf835f15668f31cdda783d193300e3b29744c6585e13a326733f0ee020989aa25f57320555949a4874474232c458819cadb225325594a9448de391

Download Submit
C:\Windows\SysWOW64\Kfjfik32.exe

Filesize
1.1MB

MD5
b07fe746244004a0218e1bf71117e17c

SHA1
8515a2578405d766a0fd00ae23d2a399bc5c8078

SHA256
e8adb8035abc76f8438bd655b06a720e5498cb59e4374ebf9fbf5d16dd08df11

SHA512
188005916465ae6df7a1b7705c1f9226266d2d82c4105bb37a696781ceb508166588d585dcb6710b96ffbf8fedc51489572baada057fab04d8611c741012e6c3

Download Submit
C:\Windows\SysWOW64\Ljjhdm32.exe

Filesize
1.1MB

MD5
85e694aee7c9fe3a9175c913dda3bd1a

SHA1
d9c98e2b5681e7fece5507f690e93be824f17581

SHA256
d7194f87fd461403861b403b6db0c1b951b85d26f2ad5cba3b0242bb8f1dec01

SHA512
254b2a8f5541816c0f0cbc4f503876054333a2482acc9c4b569544ad216b13815593875cf0b6cc3a0ebb09dcdb91d0a8ab3d69a5781a2d3256142b011f6775de

Download Submit
C:\Windows\SysWOW64\Llbnnq32.exe

Filesize
1.1MB

MD5
a1d4b635a00dd9e9a013871c6d2dd580

SHA1
06192c9530f3cb8ece07af54e4a2afdf8539935f

SHA256
37710768cdc436b547ca8d530680500413d380f4e86b7f8d492dc657d53489a5

SHA512
173cae240d6b4e7bd0ff057700ea22fed3e5e0637eeb9cec2527aea9ffb958cc1c2823667d97d36fa2239e5ec11590c4a463aea087630544dd65247af666788b

Download Submit
C:\Windows\SysWOW64\Lmfgkh32.exe

Filesize
1.1MB

MD5
1ca7b7f1158d5a3dfc3a1e1357315eb9

SHA1
a7974fc4453c39b280ed8906d3a6f2a5e5e52bed

SHA256
badf4787bdbe0c6d0cbaf9443e4675c507c39e82023ca539fe61ac2858d0fd42

SHA512
614bf02b2b0699b9b7659b030fe03dda030aa91ce7b8822f6076d6e82ee320ddd2fee86a4548737209d8246bd5389a6d603d2f23ba884190ee924d8f97dd3cbb

Download Submit
C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
1.1MB

MD5
d5c1eea81db3f5f9accc94782f4a3308

SHA1
0fbca3147b881d5e6ec1aedbf7ea890d8180e8cc

SHA256
f0761cd9e27c2a56bdd9d96fc6cecf22cd6e62f193d1330b021992a019793763

SHA512
42f366df6c7757bfc43d46c32da694415d1659f955d0fdae26ff83d987c1f113936e95502c00101020967c63c8b9ed816e2e531892012a9f6e3e8756a2c9c3b3

Download Submit
C:\Windows\SysWOW64\Mhikae32.exe

Filesize
1.1MB

MD5
812752239664c55b2b5817210cdfaba1

SHA1
07bcdaeb352b7da98eefbe0d252982a652db4b11

SHA256
cd6533f42d1904da2a859970984a273544003375c92d9c1a6923f9591f3e9278

SHA512
dbe88a18fde04116da55fb8d46a9f5527f27eae2364092729e478f95aac212085e1e2f1777c2f4f08f1958da3d52256cce0228d526ced7e6b2b115c4b1057d12

Download Submit
C:\Windows\SysWOW64\Mmkafhnb.exe

Filesize
1.1MB

MD5
e9d4de08e3a3762941ccf28691d77ff0

SHA1
f88c8f1a926282836023f08a19efe584da7e54fd

SHA256
4b14e140ce726d825c30cecb7b96bb00f64925290511eb61c10b7953e1275ffb

SHA512
b270b133bfc835a5e29e91b895f778d8a4cbfa1c3fb113a7f85427ed725488765716dfcb1fe2c503c9fce28da42bea4af984aa0e3e617a7f8b9bc4e8b28ec8aa

Download Submit
C:\Windows\SysWOW64\Nahfkigd.exe

Filesize
1.1MB

MD5
4017b076a201fbd2d3b7c4405e4a02d9

SHA1
74e3bb4d309272a322b577f452c71a848fca0c39

SHA256
d60644be58193b1604e3aad9bb7a199792b4b081280c378b1c2b7b69e9cf6714

SHA512
6a39f88621b7de362b2ff6c60aff72ed6416275014b625cc1772a0f72187c901f73ec3e5ba65f9c4d399bd1c13d37053f0e4c4df999acf06d9bda948b73410d2

Download Submit
C:\Windows\SysWOW64\Nkqjdo32.exe

Filesize
1.1MB

MD5
84816267332a4569092db359c8562b4a

SHA1
8a1caa52e453c41551e7ecddcca66aaff938ca4e

SHA256
b9e696aca972a760eeacd8dbcc9caea1558718b5cb18bf06dd641ef7a6ad51b8

SHA512
fc1a8e23e580ad0dfe8f133a2bc0ebf56b75ed7bb3b6904ad2542a1278822b64a6dacff905bec847a5374ffa6ca6f52cfdda2376058e4da78eb202e596a05400

Download Submit
C:\Windows\SysWOW64\Nobpmb32.exe

Filesize
1.1MB

MD5
1cb9a7d7d8fe316aedc148884bbb586b

SHA1
aab795435c8669c2ec114b8afb56b033aeb26b45

SHA256
45c0849c1d27f845503d7564ccccd99ab1f6589a0283b8b3aa3b92ccc128495f

SHA512
c3460ab6a3655d36a80fbd787e51a2046701eaf7985d9782af34b3414f31ef277c1d7fe8518d3f607f688f336284e52b1f4e79632b77dfd75b541d3de6a1da9e

Download Submit
C:\Windows\SysWOW64\Npiiafpa.exe

Filesize
1.1MB

MD5
812a4ce8e4104d867693343a9cbf9f6f

SHA1
47a69b19eab7a5478ddc14937c30f825b932d39a

SHA256
4abf3ed9dc0140fb2925e6dbdbd2db80de2bf5172af9ce7a5b03c65efc26d4a7

SHA512
d07fe9c7935f1505cb078394c1a9372f5bff08a06b8fc41c91cfeec99cdf33dfabc29838e71c54a337e5c424ed9cb0ae42d75bf0038de2e549f84cf92e25994b

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
1.1MB

MD5
0bffdfb112e1a413ce3d514f755e75ec

SHA1
9aba642b1e3b97d2cc0f9761c2219f474849543c

SHA256
e67d54c3be9ffaf995cc9bd8d0ecde5a8e01231805717e6feed4635dae448273

SHA512
82e20be8ceecf89b8c49c46f8776c353700f64ba97b839479cfb2d0f3539872b021a4b924689ece71196c8fa3d3e31e3199c7f2b8712ada66009c0c78a8d89bb

Download Submit
C:\Windows\SysWOW64\Pfmden32.dll

Filesize
7KB

MD5
622d86d55f2f95c95dbfd0cfa60b337e

SHA1
62804e7689a7003f6987f8f5e769fac10d3dd635

SHA256
4b78381d2a9f74da4993d0f7f0cbe782575ff554c70a1e43aea192205b9dffae

SHA512
57c74d6e4745e27258b5eade1ad72661f70d725cd6e0ef1c11721a47f4d7535badbc0994682e484c9b25dabde27f72541f40bf226c5efce939e86a75327f8949

Download Submit
\Windows\SysWOW64\Dckcnj32.exe

Filesize
1.1MB

MD5
df29aa8d00cf245ffed213c67f705e71

SHA1
2c76cbcf115d1d8a0717a600f2b4fc4cb8683c99

SHA256
5ceb6f386251aad68e2c9ed09c89bc6d029126d338a51bd933fee8d5164eceba

SHA512
7c746040f3151408a51dfba622e023d8860fd7981a18118f2cf9af3d17f82becabe476cb4c738c469fbb9ba2c8369a38d7a24f1f218f766d6b2dc6361d60186a

Download Submit
\Windows\SysWOW64\Ehaolpke.exe

Filesize
1.1MB

MD5
6ad0ed864ead49d208578101a9f8a2f6

SHA1
d00d73af47bde93cf9110216259bef00b276d62b

SHA256
b9b31e5bf0389442cb383dc7a15d120b51af6a6fd8fcb6626b410d5da80cd2de

SHA512
14e6c076e3aa487303c204f7759e2317feba8e76b1801d8b37f39510b07aded8501ee008e06871b9e8b5e38ad3172af4d2ea07a07e2feba369ccdae23bf0b0d9

Download Submit
\Windows\SysWOW64\Gmlckehe.exe

Filesize
1.1MB

MD5
a5f19507d6cf3a16f6462e98ae8ae0e0

SHA1
8ee27ebaf0d8c2df001d90f8082ec2db1013506e

SHA256
df01e68674c49507ceded5f197e03ad45c7d63e7c788abec133cafeca82b565b

SHA512
c31fb9b443d8412577b5cbf22b6123513c19f43d6e5b2f7666ec99ac27a96978425fa8708ae8e7cbd543d7ae71bcd9b91c79327ec568118e92b56d5e0ffa72b8

Download Submit
\Windows\SysWOW64\Icgdcm32.exe

Filesize
1.1MB

MD5
650ed3dd0d2c7b6a77cbef88308b652f

SHA1
3362c18f43cedbb2f6b6c6a70f1aa214bf8fce88

SHA256
e2aa781e533c10a5640bfa96bf06b9d87c7d72703cb045c0d379637fb22d4858

SHA512
34c1d539b9d177be10db205e80485cafbc8f2cd21ca15a1c27f31db7cf3c02c9e85c4a35f4ad25c9e74387cf35d0b1ccdccb0334c5ef03b964e2b74938dcdb34

Download Submit
\Windows\SysWOW64\Jneoojeb.exe

Filesize
1.1MB

MD5
35e6dfa0f2b6e6afd740afbefea68df2

SHA1
5cc3f7db1a4755d966507814f4c58fb3a82262b6

SHA256
4c2f47d95378da1a12bb7d7be9d4d715394d58ba26399c8a21005c1903cec880

SHA512
f01b6e46c0199127383492b2db98c1573e13a3a1cbf4042d809f167e0f131b38f0e6b2a56a4568c28de7ff545b32b61e4a80ec12318876bbe0ed097e62251561

Download Submit
memory/236-338-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-311-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/388-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/388-242-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/848-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/848-197-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/848-241-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/848-248-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1360-266-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1360-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1400-184-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1400-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1400-218-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1400-185-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1408-327-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1520-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1520-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1520-126-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1520-188-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1520-125-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/1584-292-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1584-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1584-256-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1636-280-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1636-270-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1636-312-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-231-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1820-220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-264-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-232-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1976-169-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1976-91-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1976-106-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1976-105-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1976-182-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1976-177-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2080-53-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2080-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2080-11-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2080-12-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2080-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2140-26-0x00000000002F0000-0x0000000000338000-memory.dmp

Filesize
288KB

Download
memory/2140-82-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2140-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2140-27-0x00000000002F0000-0x0000000000338000-memory.dmp

Filesize
288KB

Download
memory/2188-368-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-255-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-215-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2560-76-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2560-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2560-138-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2560-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2560-73-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2560-158-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2568-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2568-167-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/2568-84-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/2568-74-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2596-384-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2596-394-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2596-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2608-217-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2608-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2684-342-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2684-378-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2688-42-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2688-124-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2688-37-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2688-29-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2688-104-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2700-398-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2736-189-0x0000000000260000-0x00000000002A8000-memory.dmp

Filesize
288KB

Download
memory/2736-134-0x0000000000260000-0x00000000002A8000-memory.dmp

Filesize
288KB

Download
memory/2736-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2764-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2764-380-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2804-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2804-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2808-352-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2808-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2808-359-0x0000000000350000-0x0000000000398000-memory.dmp

Filesize
288KB

Download
memory/2824-49-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-137-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2824-60-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2904-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2904-369-0x0000000000260000-0x00000000002A8000-memory.dmp

Filesize
288KB

Download
memory/2980-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2980-287-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/2980-321-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3044-351-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3060-363-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/3060-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3060-329-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/3060-358-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads