01b7adb948de4150681df85d7c5f7587a1d6300cc6995fc4ab1931a5520d3a67

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 23:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
Size

112KB
MD5

ba51fb13ea2cf11c5a26367b1cd5e7f0
SHA1

4c8495d77c994e79ca84e8a0e593d48664127098
SHA256

01b7adb948de4150681df85d7c5f7587a1d6300cc6995fc4ab1931a5520d3a67
SHA512

c97b81a3018d9664b80ffbec8cb4cfdd534de89a61d31854e0f05c488eecd5bd164b9a350c47a2c4563415d6fd92964b9ed0314c7277e126d333e6d9d1faddf7
SSDEEP

1536:W+SobGNH8N6cHrZCRI2Nak6+fUOAOPcL5CIL4jikRynlypv8LIuCseNIQ:C78NH90Ih4UOAOPgsK4j+lc802eSQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnnkec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keappgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcmpcjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffboohnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfgdij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkllnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhfoleio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffeldglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iokhcodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdfmoha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jddqgdii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmamfddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Honiikpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehaolpke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idokma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdfmoha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeqjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndgbgefh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekcffem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpddgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbeqjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mejoei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcmpcjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Honiikpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdkaabnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iokhcodo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edhpaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egihcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejiadgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdflgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npnclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqhkcdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbedkhie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdofebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keappgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkblohek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehaolpke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpfeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkggnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fldabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmefad32.exe

Executes dropped EXE 58 IoCs

pid	Process
1964	Dnnkec32.exe
3068	Dkblohek.exe
2756	Dnqhkcdo.exe
2572	Dcmpcjcf.exe
2652	Dkmncl32.exe
2300	Ehaolpke.exe
1928	Edhpaa32.exe
624	Egihcl32.exe
2884	Ejiadgkl.exe
2916	Ffboohnm.exe
2052	Ffeldglk.exe
932	Fmodaadg.exe
2952	Fldabn32.exe
2172	Fbpfeh32.exe
584	Gjljij32.exe
1152	Gdflgo32.exe
1960	Gfgdij32.exe
704	Gmamfddp.exe
2320	Hflndjin.exe
1636	Hmefad32.exe
2980	Hhadgakg.exe
1408	Honiikpa.exe
236	Hdkaabnh.exe
2016	Iijfoh32.exe
2012	Idokma32.exe
1572	Iilceh32.exe
2348	Iokhcodo.exe
2668	Jkdfmoha.exe
2700	Jkgbcofn.exe
2592	Jhkclc32.exe
2540	Jkllnn32.exe
2896	Jbedkhie.exe
1560	Jddqgdii.exe
2132	Kmdofebo.exe
2092	Kjhopjqi.exe
2636	Keappgmg.exe
2852	Kbeqjl32.exe
1968	Llpaha32.exe
2380	Lekcffem.exe
268	Ljgkom32.exe
1272	Lpddgd32.exe
1988	Mjlejl32.exe
2512	Mfceom32.exe
1588	Mmmnkglp.exe
2360	Mbjfcnkg.exe
1352	Mhfoleio.exe
2856	Mejoei32.exe
1840	Mkggnp32.exe
2232	Mhkhgd32.exe
876	Nmhqokcq.exe
2780	Ndbile32.exe
2644	Npiiafpa.exe
2696	Nahfkigd.exe
2676	Ndgbgefh.exe
2548	Npnclf32.exe
2832	Nejkdm32.exe
1452	Ncnlnaim.exe
2576	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
1964	Dnnkec32.exe
1964	Dnnkec32.exe
3068	Dkblohek.exe
3068	Dkblohek.exe
2756	Dnqhkcdo.exe
2756	Dnqhkcdo.exe
2572	Dcmpcjcf.exe
2572	Dcmpcjcf.exe
2652	Dkmncl32.exe
2652	Dkmncl32.exe
2300	Ehaolpke.exe
2300	Ehaolpke.exe
1928	Edhpaa32.exe
1928	Edhpaa32.exe
624	Egihcl32.exe
624	Egihcl32.exe
2884	Ejiadgkl.exe
2884	Ejiadgkl.exe
2916	Ffboohnm.exe
2916	Ffboohnm.exe
2052	Ffeldglk.exe
2052	Ffeldglk.exe
932	Fmodaadg.exe
932	Fmodaadg.exe
2952	Fldabn32.exe
2952	Fldabn32.exe
2172	Fbpfeh32.exe
2172	Fbpfeh32.exe
584	Gjljij32.exe
584	Gjljij32.exe
1152	Gdflgo32.exe
1152	Gdflgo32.exe
1960	Gfgdij32.exe
1960	Gfgdij32.exe
704	Gmamfddp.exe
704	Gmamfddp.exe
2320	Hflndjin.exe
2320	Hflndjin.exe
1636	Hmefad32.exe
1636	Hmefad32.exe
2980	Hhadgakg.exe
2980	Hhadgakg.exe
1408	Honiikpa.exe
1408	Honiikpa.exe
236	Hdkaabnh.exe
236	Hdkaabnh.exe
2016	Iijfoh32.exe
2016	Iijfoh32.exe
2012	Idokma32.exe
2012	Idokma32.exe
1572	Iilceh32.exe
1572	Iilceh32.exe
2348	Iokhcodo.exe
2348	Iokhcodo.exe
2668	Jkdfmoha.exe
2668	Jkdfmoha.exe
2700	Jkgbcofn.exe
2700	Jkgbcofn.exe
2592	Jhkclc32.exe
2592	Jhkclc32.exe
2540	Jkllnn32.exe
2540	Jkllnn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hflndjin.exe	Gmamfddp.exe
File created	C:\Windows\SysWOW64\Jbedkhie.exe	Jkllnn32.exe
File created	C:\Windows\SysWOW64\Geiabo32.dll	Jbedkhie.exe
File created	C:\Windows\SysWOW64\Kmdofebo.exe	Jddqgdii.exe
File created	C:\Windows\SysWOW64\Nahfkigd.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Qcehpcal.dll	Jddqgdii.exe
File created	C:\Windows\SysWOW64\Pfknaf32.dll	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Dnnkec32.exe	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
File opened for modification	C:\Windows\SysWOW64\Dcmpcjcf.exe	Dnqhkcdo.exe
File opened for modification	C:\Windows\SysWOW64\Hdkaabnh.exe	Honiikpa.exe
File created	C:\Windows\SysWOW64\Iijfoh32.exe	Hdkaabnh.exe
File opened for modification	C:\Windows\SysWOW64\Iokhcodo.exe	Iilceh32.exe
File created	C:\Windows\SysWOW64\Egihcl32.exe	Edhpaa32.exe
File created	C:\Windows\SysWOW64\Npnclf32.exe	Ndgbgefh.exe
File created	C:\Windows\SysWOW64\Okdamdah.dll	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
File opened for modification	C:\Windows\SysWOW64\Fldabn32.exe	Fmodaadg.exe
File opened for modification	C:\Windows\SysWOW64\Hhadgakg.exe	Hmefad32.exe
File created	C:\Windows\SysWOW64\Ogepbg32.dll	Jkdfmoha.exe
File opened for modification	C:\Windows\SysWOW64\Mjlejl32.exe	Lpddgd32.exe
File created	C:\Windows\SysWOW64\Ieaikf32.dll	Mjlejl32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Mfceom32.exe
File created	C:\Windows\SysWOW64\Dhompmdf.dll	Dkmncl32.exe
File created	C:\Windows\SysWOW64\Ffeldglk.exe	Ffboohnm.exe
File opened for modification	C:\Windows\SysWOW64\Iijfoh32.exe	Hdkaabnh.exe
File created	C:\Windows\SysWOW64\Iokhcodo.exe	Iilceh32.exe
File opened for modification	C:\Windows\SysWOW64\Jddqgdii.exe	Jbedkhie.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Dnqhkcdo.exe	Dkblohek.exe
File created	C:\Windows\SysWOW64\Fammqaeq.dll	Iilceh32.exe
File created	C:\Windows\SysWOW64\Jkgbcofn.exe	Jkdfmoha.exe
File opened for modification	C:\Windows\SysWOW64\Jkllnn32.exe	Jhkclc32.exe
File created	C:\Windows\SysWOW64\Nejkdm32.exe	Npnclf32.exe
File opened for modification	C:\Windows\SysWOW64\Mmmnkglp.exe	Mfceom32.exe
File created	C:\Windows\SysWOW64\Fbpfeh32.exe	Fldabn32.exe
File created	C:\Windows\SysWOW64\Gdflgo32.exe	Gjljij32.exe
File created	C:\Windows\SysWOW64\Gfgdij32.exe	Gdflgo32.exe
File created	C:\Windows\SysWOW64\Glbdla32.dll	Iijfoh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbeqjl32.exe	Keappgmg.exe
File created	C:\Windows\SysWOW64\Jhkclc32.exe	Jkgbcofn.exe
File opened for modification	C:\Windows\SysWOW64\Lekcffem.exe	Llpaha32.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Ndbile32.exe
File created	C:\Windows\SysWOW64\Fhhofe32.dll	Dnnkec32.exe
File created	C:\Windows\SysWOW64\Llpaha32.exe	Kbeqjl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndgbgefh.exe	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Nahfkigd.exe	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Dkblohek.exe	Dnnkec32.exe
File opened for modification	C:\Windows\SysWOW64\Egihcl32.exe	Edhpaa32.exe
File created	C:\Windows\SysWOW64\Fldabn32.exe	Fmodaadg.exe
File opened for modification	C:\Windows\SysWOW64\Ljgkom32.exe	Lekcffem.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Ndbile32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Fmodaadg.exe	Ffeldglk.exe
File created	C:\Windows\SysWOW64\Gjljij32.exe	Fbpfeh32.exe
File created	C:\Windows\SysWOW64\Hhadgakg.exe	Hmefad32.exe
File created	C:\Windows\SysWOW64\Kjhopjqi.exe	Kmdofebo.exe
File created	C:\Windows\SysWOW64\Iceojc32.dll	Mejoei32.exe
File created	C:\Windows\SysWOW64\Edhpaa32.exe	Ehaolpke.exe
File created	C:\Windows\SysWOW64\Honiikpa.exe	Hhadgakg.exe
File opened for modification	C:\Windows\SysWOW64\Keappgmg.exe	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Lekcffem.exe	Llpaha32.exe
File created	C:\Windows\SysWOW64\Depfiffk.dll	Kmdofebo.exe
File created	C:\Windows\SysWOW64\Jdfipdll.dll	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Ogoicfml.dll	Keappgmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	2576	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhadgakg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iilceh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdofebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npnclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmodaadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfceom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflndjin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keappgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljgkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpddgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nahfkigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbjfcnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkblohek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffboohnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjljij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhopjqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mejoei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egihcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fldabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdkaabnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnnkec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfgdij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkllnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbedkhie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeqjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffeldglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmamfddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgbcofn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekcffem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhfoleio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndgbgefh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nejkdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdflgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honiikpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iokhcodo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkmncl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edhpaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idokma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcmpcjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejiadgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpfeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddqgdii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhkhgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkdfmoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkclc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqhkcdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehaolpke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmefad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfoh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keappgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcmpcjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmeoach.dll"	Ffboohnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhadgakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agiidifg.dll"	Hdkaabnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmdofebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdfmoha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfceom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fldabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfebmdnh.dll"	Hflndjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fammqaeq.dll"	Iilceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkimdk.dll"	Lekcffem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfapl32.dll"	Dkblohek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcmpcjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffeldglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhadgakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oneqchee.dll"	Honiikpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejiadgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejiadgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmamfddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmefad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiabo32.dll"	Jbedkhie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehaolpke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbpfeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfgdij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mejoei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbafe32.dll"	Mkggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhompmdf.dll"	Dkmncl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idokma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbedkhie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknpkfec.dll"	Hhadgakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppppfck.dll"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmglegi.dll"	Mhfoleio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Mhkhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkllnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbeqjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgqoiec.dll"	Fmodaadg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdekl32.dll"	Gjljij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfgdij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkgbcofn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokbo32.dll"	Jkllnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Nejkdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdflgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iilceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iilceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfipdll.dll"	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kepgjk32.dll"	Mbjfcnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjljij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iialocke.dll"	Gmamfddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idokma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcoed32.dll"	Jhkclc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbbnidk.dll"	Ljgkom32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1964	2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe	30
PID 2072 wrote to memory of 1964	2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe	30
PID 2072 wrote to memory of 1964	2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe	30
PID 2072 wrote to memory of 1964	2072	ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe	30
PID 1964 wrote to memory of 3068	1964	Dnnkec32.exe	31
PID 1964 wrote to memory of 3068	1964	Dnnkec32.exe	31
PID 1964 wrote to memory of 3068	1964	Dnnkec32.exe	31
PID 1964 wrote to memory of 3068	1964	Dnnkec32.exe	31
PID 3068 wrote to memory of 2756	3068	Dkblohek.exe	32
PID 3068 wrote to memory of 2756	3068	Dkblohek.exe	32
PID 3068 wrote to memory of 2756	3068	Dkblohek.exe	32
PID 3068 wrote to memory of 2756	3068	Dkblohek.exe	32
PID 2756 wrote to memory of 2572	2756	Dnqhkcdo.exe	33
PID 2756 wrote to memory of 2572	2756	Dnqhkcdo.exe	33
PID 2756 wrote to memory of 2572	2756	Dnqhkcdo.exe	33
PID 2756 wrote to memory of 2572	2756	Dnqhkcdo.exe	33
PID 2572 wrote to memory of 2652	2572	Dcmpcjcf.exe	34
PID 2572 wrote to memory of 2652	2572	Dcmpcjcf.exe	34
PID 2572 wrote to memory of 2652	2572	Dcmpcjcf.exe	34
PID 2572 wrote to memory of 2652	2572	Dcmpcjcf.exe	34
PID 2652 wrote to memory of 2300	2652	Dkmncl32.exe	35
PID 2652 wrote to memory of 2300	2652	Dkmncl32.exe	35
PID 2652 wrote to memory of 2300	2652	Dkmncl32.exe	35
PID 2652 wrote to memory of 2300	2652	Dkmncl32.exe	35
PID 2300 wrote to memory of 1928	2300	Ehaolpke.exe	36
PID 2300 wrote to memory of 1928	2300	Ehaolpke.exe	36
PID 2300 wrote to memory of 1928	2300	Ehaolpke.exe	36
PID 2300 wrote to memory of 1928	2300	Ehaolpke.exe	36
PID 1928 wrote to memory of 624	1928	Edhpaa32.exe	37
PID 1928 wrote to memory of 624	1928	Edhpaa32.exe	37
PID 1928 wrote to memory of 624	1928	Edhpaa32.exe	37
PID 1928 wrote to memory of 624	1928	Edhpaa32.exe	37
PID 624 wrote to memory of 2884	624	Egihcl32.exe	38
PID 624 wrote to memory of 2884	624	Egihcl32.exe	38
PID 624 wrote to memory of 2884	624	Egihcl32.exe	38
PID 624 wrote to memory of 2884	624	Egihcl32.exe	38
PID 2884 wrote to memory of 2916	2884	Ejiadgkl.exe	39
PID 2884 wrote to memory of 2916	2884	Ejiadgkl.exe	39
PID 2884 wrote to memory of 2916	2884	Ejiadgkl.exe	39
PID 2884 wrote to memory of 2916	2884	Ejiadgkl.exe	39
PID 2916 wrote to memory of 2052	2916	Ffboohnm.exe	40
PID 2916 wrote to memory of 2052	2916	Ffboohnm.exe	40
PID 2916 wrote to memory of 2052	2916	Ffboohnm.exe	40
PID 2916 wrote to memory of 2052	2916	Ffboohnm.exe	40
PID 2052 wrote to memory of 932	2052	Ffeldglk.exe	41
PID 2052 wrote to memory of 932	2052	Ffeldglk.exe	41
PID 2052 wrote to memory of 932	2052	Ffeldglk.exe	41
PID 2052 wrote to memory of 932	2052	Ffeldglk.exe	41
PID 932 wrote to memory of 2952	932	Fmodaadg.exe	42
PID 932 wrote to memory of 2952	932	Fmodaadg.exe	42
PID 932 wrote to memory of 2952	932	Fmodaadg.exe	42
PID 932 wrote to memory of 2952	932	Fmodaadg.exe	42
PID 2952 wrote to memory of 2172	2952	Fldabn32.exe	43
PID 2952 wrote to memory of 2172	2952	Fldabn32.exe	43
PID 2952 wrote to memory of 2172	2952	Fldabn32.exe	43
PID 2952 wrote to memory of 2172	2952	Fldabn32.exe	43
PID 2172 wrote to memory of 584	2172	Fbpfeh32.exe	44
PID 2172 wrote to memory of 584	2172	Fbpfeh32.exe	44
PID 2172 wrote to memory of 584	2172	Fbpfeh32.exe	44
PID 2172 wrote to memory of 584	2172	Fbpfeh32.exe	44
PID 584 wrote to memory of 1152	584	Gjljij32.exe	45
PID 584 wrote to memory of 1152	584	Gjljij32.exe	45
PID 584 wrote to memory of 1152	584	Gjljij32.exe	45
PID 584 wrote to memory of 1152	584	Gjljij32.exe	45

C:\Users\Admin\AppData\Local\Temp\ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba51fb13ea2cf11c5a26367b1cd5e7f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Dnnkec32.exe
  C:\Windows\system32\Dnnkec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\Dkblohek.exe
    C:\Windows\system32\Dkblohek.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Dnqhkcdo.exe
      C:\Windows\system32\Dnqhkcdo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\Dcmpcjcf.exe
        
        C:\Windows\system32\Dcmpcjcf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Dkmncl32.exe
        
        C:\Windows\system32\Dkmncl32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ehaolpke.exe
        
        C:\Windows\system32\Ehaolpke.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Edhpaa32.exe
        
        C:\Windows\system32\Edhpaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Egihcl32.exe
        
        C:\Windows\system32\Egihcl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ejiadgkl.exe
        
        C:\Windows\system32\Ejiadgkl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ffboohnm.exe
        
        C:\Windows\system32\Ffboohnm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ffeldglk.exe
        
        C:\Windows\system32\Ffeldglk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Fmodaadg.exe
        
        C:\Windows\system32\Fmodaadg.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Fldabn32.exe
        
        C:\Windows\system32\Fldabn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Fbpfeh32.exe
        
        C:\Windows\system32\Fbpfeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gjljij32.exe
        
        C:\Windows\system32\Gjljij32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Gdflgo32.exe
        
        C:\Windows\system32\Gdflgo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Gfgdij32.exe
        
        C:\Windows\system32\Gfgdij32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Gmamfddp.exe
        
        C:\Windows\system32\Gmamfddp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Hflndjin.exe
        
        C:\Windows\system32\Hflndjin.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Hmefad32.exe
        
        C:\Windows\system32\Hmefad32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Hhadgakg.exe
        
        C:\Windows\system32\Hhadgakg.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Honiikpa.exe
        
        C:\Windows\system32\Honiikpa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Hdkaabnh.exe
        
        C:\Windows\system32\Hdkaabnh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Iijfoh32.exe
        
        C:\Windows\system32\Iijfoh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Idokma32.exe
        
        C:\Windows\system32\Idokma32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Iilceh32.exe
        
        C:\Windows\system32\Iilceh32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Iokhcodo.exe
        
        C:\Windows\system32\Iokhcodo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Jkdfmoha.exe
        
        C:\Windows\system32\Jkdfmoha.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jkgbcofn.exe
        
        C:\Windows\system32\Jkgbcofn.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Jhkclc32.exe
        
        C:\Windows\system32\Jhkclc32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Jkllnn32.exe
        
        C:\Windows\system32\Jkllnn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Jbedkhie.exe
        
        C:\Windows\system32\Jbedkhie.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Jddqgdii.exe
        
        C:\Windows\system32\Jddqgdii.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Kmdofebo.exe
        
        C:\Windows\system32\Kmdofebo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Kjhopjqi.exe
        
        C:\Windows\system32\Kjhopjqi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Keappgmg.exe
        
        C:\Windows\system32\Keappgmg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Kbeqjl32.exe
        
        C:\Windows\system32\Kbeqjl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Llpaha32.exe
        
        C:\Windows\system32\Llpaha32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Lekcffem.exe
        
        C:\Windows\system32\Lekcffem.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ljgkom32.exe
        
        C:\Windows\system32\Ljgkom32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\Lpddgd32.exe
        
        C:\Windows\system32\Lpddgd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Mfceom32.exe
        
        C:\Windows\system32\Mfceom32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Mbjfcnkg.exe
        
        C:\Windows\system32\Mbjfcnkg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Mhfoleio.exe
        
        C:\Windows\system32\Mhfoleio.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Mejoei32.exe
        
        C:\Windows\system32\Mejoei32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mkggnp32.exe
        
        C:\Windows\system32\Mkggnp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Mhkhgd32.exe
        
        C:\Windows\system32\Mhkhgd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Nmhqokcq.exe
        
        C:\Windows\system32\Nmhqokcq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ndbile32.exe
        
        C:\Windows\system32\Ndbile32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Nahfkigd.exe
        
        C:\Windows\system32\Nahfkigd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Ndgbgefh.exe
        
        C:\Windows\system32\Ndgbgefh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Npnclf32.exe
        
        C:\Windows\system32\Npnclf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Nejkdm32.exe
        
        C:\Windows\system32\Nejkdm32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 140
        60⤵
        Program crash
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dkblohek.exe

Filesize
112KB

MD5
c87af7c3a9de3e7681d49a7d8530ae7e

SHA1
2d04451fe525d417904af91305febf23c34e1abf

SHA256
e072186240c6c8d5cafc0795c9ccf66b2b31544dcc786a893197161ca48e337f

SHA512
a0a7403808911479a9441da2fef96e0410b36d946c2289d65e182fb4edef80e78e92c49de1709cfab18ac7feae8d3376d7963cb9de76d4fe02c0ac6b6db27cd5

Download Submit
C:\Windows\SysWOW64\Gfgdij32.exe

Filesize
112KB

MD5
08e140a07e32f8edde92d8e4558eef67

SHA1
bcec7a1615cfaf14662e593af4f3deb1b15ecc34

SHA256
36523b9c8a22deaa611cf369ca6202d64943459d8d1d2c7304cbb92f7c3ddf63

SHA512
a14c821de76ba83d37ceac20adb8e527f34dec78106db86976b472880998244fc1cd2bb3a6433f1a38a56817874e493220d6cfb29e5b202318c5c4a5a29c7ad0

Download Submit
C:\Windows\SysWOW64\Gmamfddp.exe

Filesize
112KB

MD5
9f28497ff93d2bbd841d422db5016c53

SHA1
e828590d10878cb9d4c4cf2ccd6d11f4c256b51e

SHA256
d0d7223dc333aa918633f7fa9105b4fe7c062b560349b0d764ca6e4659dbe27b

SHA512
411021b4612f3e39a8ab23c79e765e2f0ba54264971c00c11b3f276196fcf81f72cbfd75e4d5eb0b0591aaa1d4bbd4f18dd276a7215e1122c469f6a45fd042fa

Download Submit
C:\Windows\SysWOW64\Hdkaabnh.exe

Filesize
112KB

MD5
0558cccd0f340262e1e1b417d1385262

SHA1
b405c807a1d9f4985c3b181b254eb3c8a5124ea1

SHA256
8798baa15b58d924cae55f957052fce98ec798bbb462f6b5e27195981f218e9e

SHA512
a83c83bb6d3371dc4a4bbea154e934e90901c538c68b9d94348091d8ec744a26f252b714769d365917801120f14ccc0a8da9667df850da40c89403b02abc6c63

Download Submit
C:\Windows\SysWOW64\Hflndjin.exe

Filesize
112KB

MD5
221e3392d872fd4723e323a7eae857d1

SHA1
ae135d01e3933ece3a9d97013d1ea73b99813c32

SHA256
e217182f332d1d2c36ca92f3a3f9b522e056d4c26b1c070f56d23e09da910c36

SHA512
3363133c7ff2f3cbd6c0c50f135f178eea5982db7fd8bac0bd9e13ebcba0e30834c3f49ab525c1481c8c8d295dcb4978e2822275efd0efeb9b008401e3e8c24d

Download Submit
C:\Windows\SysWOW64\Hhadgakg.exe

Filesize
112KB

MD5
33aac8652369cab8cd9d2d03d6b2b8bc

SHA1
d5dfca69a738a66752ee2c8c110cf832382e4e46

SHA256
b3e6018030e935ed388e1d6e65b319715e8254edc4c66fa639e750dfd105a4ec

SHA512
fd5446420f14b88e7b67a86437cf4cf39b4225c121ecb563c66282c8f64e70892c321f4461b5a8beb1b7da981d83f3a84496addb9f04670706eb8f3cb7dfd08e

Download Submit
C:\Windows\SysWOW64\Hhbkog32.dll

Filesize
7KB

MD5
edfc68da25c7e02c8b13e22e1d9344e7

SHA1
6e3f06ee574fe9558d0c207d51a742da1e98abf6

SHA256
397d332a7b9058908229c95f74e8d6fc047d9362227192c3838cff1e519f11d8

SHA512
5fb4afbda1cf4c91b62e7ecb47ef5748682f175bbfe5f1dc8049777299ea4e88866bd95c936de061d5d2963cce7fb44a475a8737e2be02e4a523ee0179578ceb

Download Submit
C:\Windows\SysWOW64\Hmefad32.exe

Filesize
112KB

MD5
6981920913195c5eb995ab424c98af1c

SHA1
e3c6effb446a92ae5e45dffb1ba747a544d97e7d

SHA256
be805bc557db3234f82c63949684d35ba74fdea0fc2753be2c1278204de95c7c

SHA512
bd368f31b1db9aeb1754719bf24446907c8c6029f61419436e7a5ccaf8b7cbe56bafcbcca4bbf548f391e9bde8f1ddd08cba6e412c2107216097f4f15bc46f0b

Download Submit
C:\Windows\SysWOW64\Honiikpa.exe

Filesize
112KB

MD5
cfb939ff6726ebd735cc28666b527592

SHA1
916c70efc6a7df7050aae3b6fa7b15e8cc21d8a7

SHA256
244e9b14cc0445d36424e6722acb090e55d4b27b61f3690b5e33f5fabadee464

SHA512
0427bcf0191666dc3016fcc56822225a7a800aec6353bdaeddcb4eff9f6fe1bcea1ca6af56e87d44bca778412f3bd4ec7e9fa7ce9dfd99d2f11004cee31144c0

Download Submit
C:\Windows\SysWOW64\Idokma32.exe

Filesize
112KB

MD5
73ded0c53fb3564565806c478965aff5

SHA1
cd4a8e821aa25e587f16a707a4181710d6cdc637

SHA256
de481a5b54ff1e47ee3aa255e82790ae45d956a2fe3e4f9971cb35666e4192c2

SHA512
09994cd6d1473fab31c2e6eb7160f9c87607ed541652c752743c2df2b0b155feea92336893f014e7f6dd7ac0b15d88af780403679f26af0a741ffdd7df90fa25

Download Submit
C:\Windows\SysWOW64\Iijfoh32.exe

Filesize
112KB

MD5
b583b6ca77a272cb6d3df0a2f59246f1

SHA1
a883962fa028c5899360d2dba49b1e01c336b3bf

SHA256
991900a460b05ce6405628f4ebac3b1ad18668bdd72f0d0e02e3d656e7c00fe2

SHA512
018d93ce2a004666563b6b1e883e20ec8df8539dd4c87f648586179f0b10dc7c2aacbd058f8928d1ecd09c1dfc1cad2a6624915c6fb68dcd5d269f7b63fe3de5

Download Submit
C:\Windows\SysWOW64\Iilceh32.exe

Filesize
112KB

MD5
f6142d186f66034cc4121a5ce45bac38

SHA1
bb5b8edf5d673331e0f6b1c7c74e7afa567b5be8

SHA256
2d58e841ea81a5f33dc6203d7f72e3d8898c0abfe28a19cdaade1555c022b560

SHA512
36c3ba20702bc28740f665e0c927898642b586eee2e497f90eedcd78d194c705bcfa960b1a1053e3c88122101cfa4b13069e2264b012fbb7c105cab7fa30874a

Download Submit
C:\Windows\SysWOW64\Iokhcodo.exe

Filesize
112KB

MD5
dce4894e7ccb65dc68ae06c732908800

SHA1
b4965eb37fefdf88c2f74d549cd05a6ae0dfcc24

SHA256
ea4757f5c2e6c48ad72e3ad2e986fdbe72077cd54d2dedfc00cd00f82858c288

SHA512
7e62548c830057a392813d59f861b808ee9266322fc649fe7edbe7c12d1984ef1961bb778f121d9f8f423e5c35e401664015a825e45a0c5ebb2e4cae02faefd9

Download Submit
C:\Windows\SysWOW64\Jbedkhie.exe

Filesize
112KB

MD5
e7d1745c82822f2de012b7a28e6d2bde

SHA1
7556283e0b4edfb303592184f6f7a358f7c7a67c

SHA256
53a9c71107fe5e98644a2a4aa3f8c39f189d8c9146cef800d64c993eb7ebf9a6

SHA512
aa4b3710ca627c2d36195d10057419abb693824cc156e392f5aa8588333f9043b3fe38d8d36e45a7b4b90c8c0fd65774fe5166b2df8f58a5d0470f7a1df7b28e

Download Submit
C:\Windows\SysWOW64\Jddqgdii.exe

Filesize
112KB

MD5
46764148c02639efdfb6c86072874f8d

SHA1
313b0f7c28863cd73702436fe461caf08ad12da6

SHA256
6fd3a06b8e252365f20ce4c7b685a03e51478ccfd5ecbdbcb24ffa07dbd5f654

SHA512
d0648a901ee9106888cb83dff2ad18cc1f1ecbb5fa749500a2e2887b11427b19b49418fb73e80392535e0dfc4f97851358ad6ff9d463b990aac7aa7eca7f7197

Download Submit
C:\Windows\SysWOW64\Jhkclc32.exe

Filesize
112KB

MD5
4232a3c63050065edf3b2e68fd0a9517

SHA1
f075ed12da4806cb2f646799cda9a77b63532266

SHA256
62931c29140493aafeddde84b7edb66a21d1353aa6b1e6cc66bdf82bde96efb5

SHA512
167738307b8b8007ff62c9283059e2d61e022bd194db37cb93631aca1f58977e3f09735f933bf69986d761efcb6096fdc209ea0a257114f10ea5fb705e03d16f

Download Submit
C:\Windows\SysWOW64\Jkdfmoha.exe

Filesize
112KB

MD5
1cd0b52b23214a25067f1e3f7fbf3fc3

SHA1
02f6bc3468b0403fef7ac5fe0cacb4399002dbe7

SHA256
17c503b6c22a39177699c05852c7756b3f0e4dbe234f4d842c5ee601254afcd4

SHA512
c37859766a4e6abfdfb9f4f189c11eab1abcb00e44dddc5b843832658645ee239bdf92ecb75be1e1490776cba8a353f6e80f9950998c1029d6339c731ff4c671

Download Submit
C:\Windows\SysWOW64\Jkgbcofn.exe

Filesize
112KB

MD5
94b7e1bc0fdbf5d363d09617db8e3b8d

SHA1
157ebf13913d9175e9ba60d3ccb519af939139d2

SHA256
0fcb11bd2175068080147bf4fc9cb62bb518088e256c2bc0a920c82aa28fbc19

SHA512
41b486b710481cdebfbf0e6abe880461fe50802215ccb21ae05b6f117146ae2d8da8b8a327723e305001b416e2be52960227482768b70094cfc05f0b8c6b8065

Download Submit
C:\Windows\SysWOW64\Jkllnn32.exe

Filesize
112KB

MD5
218c1ad55738f738c8ef7d7b2b7c692d

SHA1
9794102ba628c4f961ba4e3d4ad598751d8c59f5

SHA256
49eb74e470c8bb787b952103cddf9230365009b453f1768f0f475eb4dedfc156

SHA512
269bae38c4c273894681cc35c205e96540afc2b6f9c8e8e52ef4cddbc3a6d8129a1989e0399230ebcc00e4b18c411204eb30d2579f5cd109ca845792de72c897

Download Submit
C:\Windows\SysWOW64\Kbeqjl32.exe

Filesize
112KB

MD5
ce975689e678cb68eee369e9ff9a5804

SHA1
7f5cad0fb81450712ee29acfafd08de1d71c4991

SHA256
20c77e7f1466f6ee325cefb72403860cbc393818fc2915096d5a8c752d014d9d

SHA512
811c52f6640bfe780d8338ee1dc13b48787a2589199d70dd1fdeea1197e3762a548d8d92e3be463d915ddf8f0024af234af92bc57dc8130ab4ebbd96f77d9aec

Download Submit
C:\Windows\SysWOW64\Keappgmg.exe

Filesize
112KB

MD5
18da0495229910353f29b976c2dd9e50

SHA1
8026e869f09c111e76ee2e966a9500aa9ee7e76a

SHA256
d5caf57ce07ebfe5ba0d9a29d4f493c3932f1f9d46621b2987126280bc753b7b

SHA512
86693b768cc6fe965137019f9392cec3ae9f3ba0a18b2e62b58892aaa6e8ba671e8f4a7513c726ee2143af0c7c19cbc5e9a32c7e73bdbecc7cb62ff54c8a2b4d

Download Submit
C:\Windows\SysWOW64\Kjhopjqi.exe

Filesize
112KB

MD5
ae8d885bb2de12e49aaeeaba1c85a27b

SHA1
b8cac0d29b29bf60692274e68c1c5e8debe91cd8

SHA256
35f79ad21093d541d22c2cd466227526a3defbca76158af2cf84a33b6d341ce8

SHA512
c5a8ff5042bfcb5487adac7ed59324e4de5f5ba5b0144dde2c9b19809ad2b80a5a340dfaaf1dd00c339d6e85fa7d8e39248265188b41c0a916b9db8f4bd44091

Download Submit
C:\Windows\SysWOW64\Kmdofebo.exe

Filesize
112KB

MD5
1ef05d661fa918e39e8941776d1fc089

SHA1
34fbe613b2e5aeeec95a25c55271866a1e1e05cb

SHA256
0859a71dca895e2eda7c0418cbf1dbfe29e47ccb1bb51bb0a7a919fcff194810

SHA512
8efd88facad7caaea82651b5ef9776e686c73ffa534d8f887afc6da1f36f31b574aeefcebee806b0494ed16196cef561b3e0a455a63c8c16a70d23ca9de8f03a

Download Submit
C:\Windows\SysWOW64\Lekcffem.exe

Filesize
112KB

MD5
3dd6692e061928465e4a2176fd7f477c

SHA1
7eb9b193416ae968c08f67d7ed5f3e3fa13ca277

SHA256
489af877ee28f0795b9d9bfae41d552d8f4dd7f397f8159e4634bd28d07ce9b6

SHA512
fe42b621ffc4e6ee4f03521c966de0a7735a1c699797e7523953ef5d575c1a07dfd2ed68c249a48e3a9e9bc210354d977fdace35fbfa517e15d3c38dcf0c2b3a

Download Submit
C:\Windows\SysWOW64\Ljgkom32.exe

Filesize
112KB

MD5
52a175008f5f0e14dc791ac8dfb9321d

SHA1
7634d27432781f6357eb0aa3ba0d8d90a4483478

SHA256
82f459d9e8c6d59318e55190f6da22d3478ad1a67790576b04cefa8a526505dd

SHA512
306c44999389acfb87970995f02c97536f1bbcb256ed98934bf67df1b0205412b984499687aae0f51e6c22000f2fbceb708afdd23c0a7937b0e1cd7fa1166786

Download Submit
C:\Windows\SysWOW64\Llpaha32.exe

Filesize
112KB

MD5
0aa87fba698c240cf05f9accec1d563f

SHA1
496cb2008c5507c6f1396327ee8a6b6c74d19aed

SHA256
eac29daaf1bdeac3ff253b52a4a1fc640645e0f3c5c693f35b99441dd02c229a

SHA512
439e28d4d6f7e0820e61c60d99d973dda39e0c1dfe6f9073f7ffea2cc6c968d18608834e9bb73d1b2c463b40cde9846a1847edbe096bc6e17a355a1658cae212

Download Submit
C:\Windows\SysWOW64\Lpddgd32.exe

Filesize
112KB

MD5
1d3fa8730ba38ba112e5d8eab5f70e48

SHA1
79bfaa3e600f7ed8743374eba9d91ab864527d45

SHA256
06e975423625d789fd4f45c0748ad97a18d93c4a021dc50bf5f105a23aacfd57

SHA512
4ae2e7c4b255c85b948e56e79aaef6aff3f72267bd678f94998a9960eb0730983dee61b93bca7e2eda9c08cd9973f183cb96e6663848f3dc80698bd779bb21dd

Download Submit
C:\Windows\SysWOW64\Mbjfcnkg.exe

Filesize
112KB

MD5
4b55f427be2205ec27590ec1af68fb3e

SHA1
6c7aa898d63fb0f622743dde0b4f813c12fdde3b

SHA256
191ca1f2e13ef6a2d5e960cd3748ec25d90d9b20452237114602c927c7a22b69

SHA512
9b59007aeed6636a1e188f45ce38681d7278dc36505ccc64b945b59e5d3e552d46168016c4057e93f99116064f867d0cedd4d87e785ccfc82c602a6866924aab

Download Submit
C:\Windows\SysWOW64\Mejoei32.exe

Filesize
112KB

MD5
8bead035cf62a4e180373c9e6629abc6

SHA1
2fa416fe6c6b28effb9fe9f8e3c12a8af17f1cf6

SHA256
223caef151c7b2d2c247f1d0ba81ed4fa85dfeaea02e27219c6cb64cc74b0c84

SHA512
ae7c6b159827820d3bb8b77b14a81c907304785e57592f88d0f9a4751eef275c4e66976be57a620be740043aa975116fe07bddcd8591be4c89b17644989fd67c

Download Submit
C:\Windows\SysWOW64\Mfceom32.exe

Filesize
112KB

MD5
11ec345963f6651ff1171fa46944b985

SHA1
002464977ff6b0213f6edc199954398b2708d9a4

SHA256
8d7cb53e51e82af391c45a17d24a715973522c4e65b72eb658d32e8a6e02bc25

SHA512
fb94adef4ceda9524e1d5a391259d54eab58f0612207b7d16d3a2db07231f8967196943d1373f03ef413d0b02e65c85943c221e5fe737bef82f0d5acbffa852e

Download Submit
C:\Windows\SysWOW64\Mhfoleio.exe

Filesize
112KB

MD5
bbc9e9861bd5bd28665998f3922ee9e2

SHA1
1ad36d38643f8bac68e4110df3739c8e8b83d386

SHA256
46337192bd7828bd6c6e91ee3dd68edffaa2806d5ec519a274e89852c142787f

SHA512
7c553e27ae50613ec49102fb390f1986e56d16c7ef9e0d9c1c4f500a86df349c656ecc659a1fd8263fa95914d2ad92d5c5bbfc76bf5f40b6220d112a96e3fe26

Download Submit
C:\Windows\SysWOW64\Mhkhgd32.exe

Filesize
112KB

MD5
53f6fa75d7b0241ffe194e22ddb5463e

SHA1
7a3809b334c4051ef7db308a0e7f8b30bca9334c

SHA256
7494875b19cc10640e0ce728fc988806fcb3c0628eaa785c9e18ead87457aa53

SHA512
fe782db1dbf38c50e0ce652529035695acc527c5f5099300a1e5eef4d8f9a1953d15471e3c6be840616ca1dd02395945527f600f7f5c57febb2f1e4c085eacfa

Download Submit
C:\Windows\SysWOW64\Mjlejl32.exe

Filesize
112KB

MD5
cd7bd878058ad62caab0a0b2f949f59b

SHA1
d4204fb06cc021952faf5c3120822e55b5f71794

SHA256
3ce8ab04e515d9a875f8cadc9bb070586243fc91206cf96f973a9a34c1dd81be

SHA512
f09e6ea17646fd830545ebc797618c8bba5f78a525e3c92266b2fe8c7d2d60e80bf1f7a5f60f69a7936c21f6a57c79fbcd085ed14b285ed92ff93d08728b4daf

Download Submit
C:\Windows\SysWOW64\Mkggnp32.exe

Filesize
112KB

MD5
f0139b9db86b8b540216fca454ce0f24

SHA1
d227b19c5f040d18e21857c8185954c9c25ae2ca

SHA256
78c278422d053495698b45046d9b8866c534b166295a5973bca69a9d772852fe

SHA512
1a5a427f6dbfe210063afc34b4204bb508c00484b0e34daed3ce36a8803fadcf9ca4c39f902f4702a83fa380da712feb9e96655761cd6940467792a1ec230a70

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
112KB

MD5
72fc2f709fc068fc4f23e02f8af22886

SHA1
ccc0c529fcb488034923bc314520edd085898b96

SHA256
b2ffce26abc11c341f8730278af352bc353a0fd0ba171cb72fb8739589f8a14c

SHA512
71fbbbab5ca2a1cf1ae829aba35279f6ca11aa42c3cca2d872f9210b11d1613d04cf57152b5de2d9112e1442bab65a55f06e114f3a609f2dabb2f2a0ba96e60a

Download Submit
C:\Windows\SysWOW64\Nahfkigd.exe

Filesize
112KB

MD5
bad0163b60bf1c787de1d96649c64ca7

SHA1
19a8ebf388c9b3193b8583ab085d8125c647dd7a

SHA256
92bcbe21e62d7703b685a36ce2ce91a2157aae72bda55b6b6f63746044b9ed86

SHA512
5127531c10888593174e2b4171c7a81637e1be800b2335e083a57195cc6f64a3e01fab422df4c1f8b5cf865508877c232e7d34b23c398ed771a7aed833136690

Download Submit
C:\Windows\SysWOW64\Ncnlnaim.exe

Filesize
112KB

MD5
89695adb3b83809c7ec28c779d6bf2d3

SHA1
ff79abc367b8ad831a869c08f58026659ee4786e

SHA256
48bc9ba8b5628487c7e399909ee80aa29285a95616b5a175a60474a1a8d0c53c

SHA512
bc97b1813d70f78793f270531c3696c030ae0b20cdfd66855b60f35c7979f38b9286bade8a6245c6225db7061d8a4ce8fb8abcd3f4fde751ef05efbd3c928d81

Download Submit
C:\Windows\SysWOW64\Ndbile32.exe

Filesize
112KB

MD5
fb36ffe6015ca41bef7595fb03a2a73f

SHA1
9bbedfdb8cce7ce0cef7bdbe816ea9ae11d743bc

SHA256
8540fc473438a6d34b9a8a108c50900be1e6c2b87cd53e1fa2d296a90cdd6a50

SHA512
4ce2237371adc3122f7cda1c6f4b99e0ed9480b82e40bac06c604f7c35d1aadd565605eef857b937b4e26cb597f67008e0aabf589501a3e586e6dd3e154f08be

Download Submit
C:\Windows\SysWOW64\Ndgbgefh.exe

Filesize
112KB

MD5
bffc8804db5f5e30389fcef6047e83ac

SHA1
040f9d3b5e1a2fccf65ce31bee81ce3d02d34116

SHA256
8e26c837c7f54cb3ae0fb3844feafd1f24996d015092ffe32f774cb6e07dd5d9

SHA512
32a0ce9293c93eb6c91f68073e7fc2ca22966f26480355aab50823e74d6af6c1bd9e386861380a3cd8d0aeaa600cbe19f27e2526a7b8a0857de176c3be8d971e

Download Submit
C:\Windows\SysWOW64\Nejkdm32.exe

Filesize
112KB

MD5
1e154d5e675acd2c9d6eebbe1391ce09

SHA1
01f8dc4ab5793911f74f00d8eda4a22ecfed26c6

SHA256
6e8c691f04133265170f771e1551f125381e27b6ba8cb81cee6a43cf010efcb8

SHA512
db9386221abc5b3b474fca67f3613a094d1ee60261491791e2cfa7959905d7ed0506652b7349f8353ad9afe36743413dbdec1f128e0be84cdd69ca7621d81cd4

Download Submit
C:\Windows\SysWOW64\Nmhqokcq.exe

Filesize
112KB

MD5
4010e032dff691f76d0170c92a7646c7

SHA1
75bc2e0f5e5c8699035b6248124eb723686158d9

SHA256
09275098678e7da2b334393da3f3be3c44c040e44a364d168c010b2d6453a354

SHA512
b17b97c3244e8124bba32a3bdd18df9217a4ebed3b75a81c95a30c21e424a7e5306a567e7622f97456c61090f4a78a867278613d222f65fa17f29ee1fc4d9b1a

Download Submit
C:\Windows\SysWOW64\Npiiafpa.exe

Filesize
112KB

MD5
2c27cfef871a81c976e8c2a12d00357d

SHA1
21b63c5ac8cc215685afb5bfdf566d6ea22f37f6

SHA256
ef9a9c998eb29c96869b6652e6ae299e813c8d46959baa923692d61308a90545

SHA512
d0307dd29576b530796fa85a6c23a7c75fe7f92495d066a9f2d997bd7eed04ee26e940473deceffac2a84a7a49333d1b457fd0ee804a36d602bdbb3fabf49167

Download Submit
C:\Windows\SysWOW64\Npnclf32.exe

Filesize
112KB

MD5
7512a49710ab13440c894943d418dac6

SHA1
47cabf500728595e4474aa3d2d00b93fe35a3484

SHA256
9e103347938a2779923e965fd6ce47d404a22f87503ef35cceb107932fd630e9

SHA512
2ffb8a892be5010dcbfcba788613942b5a436b6a89c70263a509013831558e7cc7b94a15c947d4c00aa2c815fc74b4a6c5e359f87afb219fcfd49dca1c069794

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
112KB

MD5
1f404785ef95e0620979e65b6ad0d141

SHA1
ac51db725aecacc28fa418f6f99ccc7f1fdc6054

SHA256
f5d907d4ad3c0c3ba36e206f0e5d95f2707cf0045d2d7f7ed31fe32656444f45

SHA512
b530c3c347dea698f7fc836bd3692347e45817c6f58e9dd958a2621161b583950f565b2c72b91238ce91ed3ad5a02f3b862b43a8ce4ed0fe8cbcaf300f5a5779

Download Submit
\Windows\SysWOW64\Dcmpcjcf.exe

Filesize
112KB

MD5
77a1fef839416a5b1464b1055665e661

SHA1
43184e28c3ddc38a670269e0167004665e4a68e8

SHA256
a9025c244fbe1bba09e37b0d98fd7820ff654043e21c677547ac4b79a183fe81

SHA512
1cd7a2dafe0ed2c42759fd75512dea29e5c01e59d494fedae97792ed82132847f2071a667eb45c57af514660536108dcffe94babc95d9226dba12f462406cf39

Download Submit
\Windows\SysWOW64\Dkmncl32.exe

Filesize
112KB

MD5
37faa54867bef6a1d9168fd85e072843

SHA1
7ada7b1d9b23d9c64451d684bb64a98d49a55072

SHA256
1d709a1189064d478fa87b46fd500ea6274dbc377203df47bf391f9e8b1b7806

SHA512
1bcf32cc9f40a69e2664069f0a41a090317ecfb918e3967c5b646a757f94dca69f5652307f96cfed0351a944e99660dc5293a3dadbcc1536e43ff7025bc26666

Download Submit
\Windows\SysWOW64\Dnnkec32.exe

Filesize
112KB

MD5
a1279224c292c571d0a96c7160d5ce7c

SHA1
5ccfce04de04ef2dfb11d9e41bce264afb5ed507

SHA256
86a3337718e4e587b21eb4ad5efdb6236687cc541878b51ecedd2838fdc35908

SHA512
295752940933f7aac2721d9fdff52cc649f0eda1dd616144a8acf71bfc0f4fab336bc4634d418cb39cd0b715ffd8cb4465ba93eb7aee02d74821c6b80f8873d8

Download Submit
\Windows\SysWOW64\Dnqhkcdo.exe

Filesize
112KB

MD5
dde5655a33e233508a0dd294f2a5be37

SHA1
63ad0670efd4ad78c266657b78873344363434bc

SHA256
4539b8e3a5ef96a0171175110665073a590d872042afb4769cf81786e4eccdb7

SHA512
d673d278ade0ea1c563765931e471bc9d07766b42ddace61193e857420dc537125eff3b0721dc51c81eaac96e471b96ec75a64745b387c6ed36df2ba35a6f9e5

Download Submit
\Windows\SysWOW64\Edhpaa32.exe

Filesize
112KB

MD5
12db74b3ef386a5888231db3a783d161

SHA1
b1795e614dc7b782088ac3482ec479e0c9424d5f

SHA256
73477bfbab8500f75f1f44668634e30dfadaf070ff5ddb71c6886ffd4022e7de

SHA512
4c654cf09c9f4df6435a0d24f520983acb49887a8de0ef92995d21305011ddcc5024a5c8faa7ea031a410e1880449538382091e0d986653d7ea22c919b3487a2

Download Submit
\Windows\SysWOW64\Egihcl32.exe

Filesize
112KB

MD5
b7232398254dda5e6f0ea0cdf8386eea

SHA1
15df077fe99da6e6d2a9fb94659cae0f235ea0c8

SHA256
5d4bfa28fb24a42ec7e997f2ce1e04d7a36b0285c1dfaa77a950d7ed1c2d8b85

SHA512
34d32987c414718ad2eccc179c9d582c7bf861cabbad73e87117fa605348de3913692132f3e6f84aad7548a96645350b4cbb9c933b831c71888489aeebc0f5a7

Download Submit
\Windows\SysWOW64\Ehaolpke.exe

Filesize
112KB

MD5
17e1355eef0a148e4ccd087d5e8c84bf

SHA1
8957327b7a5cc0ca9a3bfbcd07bcd77f921cdb53

SHA256
daf910f5ee6446641ef6f32826fa2116014030c598dc16f385bc39418753f0f3

SHA512
794610c04980f0d66ae11bda1fd4f4b9f6781ce03c77c9cfc129d6a3225916badc19e9946603799a1d9e87a2f1f852d4ee78573c2c8115062cd5a3c0639b6df2

Download Submit
\Windows\SysWOW64\Ejiadgkl.exe

Filesize
112KB

MD5
8af11a48407636d33b2f2f759029a0e9

SHA1
121085840c34ecc5f2534504ba81cc0659b7054e

SHA256
81d33edf2dd6d1c05379a708b5e754cf050f83a305d3db73d9a4ac85b98e4203

SHA512
55fc8f1bfa75ab9993cd00d264bc5cdb90cde4019f8833faa4e7a1f1dcab856bc71e3b765ae14ae0b1f2e4390065ec187705854977bb9800396114977b129156

Download Submit
\Windows\SysWOW64\Fbpfeh32.exe

Filesize
112KB

MD5
f8e32a3666d688d903e806eba468cfa8

SHA1
0cb95fcd1c619324e24cb3ed5f982274ce40a064

SHA256
11bed28ef25ba19910a1bc7f7cf011302ce975cea0a705c2fe8213457ada6f37

SHA512
58b4b034e9599df1e40c6592cf780b96d282b7428105c41e2085a69749499462912a19be8b22c3828cf7d32fb352432e7fae025796c76c6e482c37bfe34a0cac

Download Submit
\Windows\SysWOW64\Ffboohnm.exe

Filesize
112KB

MD5
73e381b644b92ee47f3b9d3fd426202b

SHA1
a1c6041cb732962e7cfb8925e65c4f35f45bdbfe

SHA256
fc156b3646374f32277222a38a844c4da47056de76a0e5a78b0303a5ee61c13a

SHA512
256b066f77f9421c88804fff7957b9ddaa78d53f7b18f09d60d5e4fb1c021b0b39c71ceaf0eeb51031de4d04fd282784df63bf553002981214272cc201d43203

Download Submit
\Windows\SysWOW64\Ffeldglk.exe

Filesize
112KB

MD5
dd6059c96b8988516c7bea99c0f6b374

SHA1
d8a872aa884af898b06ca480fb519fe1366d7b17

SHA256
c1400009e429a97f21bca6dfe086db2d409035c23f5aeedfee628e7985dbf6d6

SHA512
9b8df3532eb2b3dac3ac004a21715dacb94d8805308fec7f69cd2cd93386236c062ac539308009788947e02992a2501cbd27bd8420fc356aa5227eb112b7634f

Download Submit
\Windows\SysWOW64\Fldabn32.exe

Filesize
112KB

MD5
438f342a47af7541eb79e55afb281753

SHA1
9feee03897cb5b03354465d4a01c03c8602533a1

SHA256
5c6d78dd38824b77d0012805108dbe6a5344fa494e4d34eb5d1d67956968f283

SHA512
5288b09e6a23f942c047b6f29e32898f9b79538ca6d4e6e54f11b9299bfe4ee9a471f3da8f17c68ed822dc2b55c43f796d75f4b528929a9ed8d7296c0916b1ec

Download Submit
\Windows\SysWOW64\Fmodaadg.exe

Filesize
112KB

MD5
4c921f279271e972fb80bc1ae536110f

SHA1
7ee91ef44f4c36cfc606597144263c99145390b9

SHA256
06eb4024e8abf8c2d8fea646af387e13e769a93946344c8f0f301b5337186982

SHA512
6873473dc054c6fc60c3c55048456874417035b9e88778a9ea11c9a7473fe584689f37e4e11dcf29a73cf0ecb66e76d455b5f950931df23f89adbb16a8ca6e0b

Download Submit
\Windows\SysWOW64\Gdflgo32.exe

Filesize
112KB

MD5
e72f42cdca897b272f21009ef16e19ba

SHA1
6d716781622f2ac2f9a6e10b4f6afb8aa93e809a

SHA256
c338b7c437ad52ecf7cbe44701e625155df26a9af1f700c8cf44047cf7d8f810

SHA512
e2a86007005a22a71dc54f71281c0efb13a18206f49568eb05f2a5f15903336239dc50b030ace72ec3b0b2455c99513e43355408826d5ca7c5cd5865503598ac

Download Submit
\Windows\SysWOW64\Gjljij32.exe

Filesize
112KB

MD5
841ce51525fa25c28a8d8e62edf6a34f

SHA1
a8f5f2e707aa01c57aaf21ac67c9edbe9f227d8f

SHA256
c308ab155f5bf29fbfa77fafb750b78d354fc470d591eb55e124a405718be5ad

SHA512
acce7801036d6f01f2be4c0026b448596d02959f6ef2586297fc25280c628f165943c7a2109c6b456a372ac7318071d54315b883a6eb9b7bfd8c1abf2f7bd8a4

Download Submit
memory/236-302-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/236-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/236-306-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/268-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/584-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-251-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/704-250-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/932-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-295-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1408-294-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1560-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-338-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1572-339-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1636-273-0x00000000004D0000-0x0000000000513000-memory.dmp

Filesize
268KB

Download
memory/1636-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-272-0x00000000004D0000-0x0000000000513000-memory.dmp

Filesize
268KB

Download
memory/1928-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-105-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/1928-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-240-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1960-239-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1960-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-27-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1964-26-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1968-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-327-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2012-328-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2016-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-316-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2016-317-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2052-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-164-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2072-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-18-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2072-406-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2072-20-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2092-434-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2092-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2132-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-194-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-261-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2320-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-262-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2348-349-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2348-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-350-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2380-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-392-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2540-393-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2572-453-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2572-70-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2572-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-381-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2592-382-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2636-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-79-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2652-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-458-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2652-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-361-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2700-371-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2700-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-370-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2756-445-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2756-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-50-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2756-56-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2852-457-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2852-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-133-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2884-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-404-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2896-400-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2916-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-192-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2952-191-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2980-283-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2980-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-284-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3068-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads