58266cb3d66096ba7e559b4f7e501a0f3f7193a19eb785c162db50e797308df8

Analysis

max time kernel
85s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf70208d6e0f7640faf43ec07734140N.exe
Size

93KB
MD5

bdf70208d6e0f7640faf43ec07734140
SHA1

32b1d654dbe35f1e65e31249028f3acbd67faa9b
SHA256

58266cb3d66096ba7e559b4f7e501a0f3f7193a19eb785c162db50e797308df8
SHA512

a793941de2a8ab61c5cc9dc01166c0405d8d6a91501acff63b17b56f507410719cb8d96f51da5bffb071c620b65a64218007cd53601810820e39b0a70379a9c4
SSDEEP

1536:iT6Cp7sW2VzInjR9nHZG7a3fcBWIElJBhvg5UusaMiwihtIbbpkp:k6CpTjR9HA7a3fcBpE85bdMiwaIbbpkp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijopjhfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdfmlc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfceom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nogmin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idbgbahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijopjhfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjcedj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjcedj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikokf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmfgkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikicikap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikicikap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lamjph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgnchplb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laogfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnlikic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamjph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mioeeifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bdf70208d6e0f7640faf43ec07734140N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jopbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kikokf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laogfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmfgkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdfmlc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfceom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idbgbahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jopbnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgnchplb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mioeeifi.exe

Executes dropped EXE 27 IoCs

pid	Process
2976	Ikicikap.exe
2704	Idbgbahq.exe
2680	Ijopjhfh.exe
2760	Jopbnn32.exe
2724	Jgnchplb.exe
2348	Jjnlikic.exe
2540	Kdfmlc32.exe
2380	Kjcedj32.exe
1536	Kqokgd32.exe
2872	Kikokf32.exe
2304	Kpgdnp32.exe
924	Lpiacp32.exe
1488	Lamjph32.exe
2176	Laogfg32.exe
1780	Lmfgkh32.exe
540	Ladpagin.exe
2392	Mioeeifi.exe
1776	Mfceom32.exe
1856	Mfebdm32.exe
912	Moqgiopk.exe
1004	Mbopon32.exe
1672	Mlgdhcmb.exe
2512	Nogmin32.exe
740	Nknnnoph.exe
2292	Ncjbba32.exe
2776	Nldcagaq.exe
1664	Opblgehg.exe

Loads dropped DLL 58 IoCs

pid	Process
1292	bdf70208d6e0f7640faf43ec07734140N.exe
1292	bdf70208d6e0f7640faf43ec07734140N.exe
2976	Ikicikap.exe
2976	Ikicikap.exe
2704	Idbgbahq.exe
2704	Idbgbahq.exe
2680	Ijopjhfh.exe
2680	Ijopjhfh.exe
2760	Jopbnn32.exe
2760	Jopbnn32.exe
2724	Jgnchplb.exe
2724	Jgnchplb.exe
2348	Jjnlikic.exe
2348	Jjnlikic.exe
2540	Kdfmlc32.exe
2540	Kdfmlc32.exe
2380	Kjcedj32.exe
2380	Kjcedj32.exe
1536	Kqokgd32.exe
1536	Kqokgd32.exe
2872	Kikokf32.exe
2872	Kikokf32.exe
2304	Kpgdnp32.exe
2304	Kpgdnp32.exe
924	Lpiacp32.exe
924	Lpiacp32.exe
1488	Lamjph32.exe
1488	Lamjph32.exe
2176	Laogfg32.exe
2176	Laogfg32.exe
1780	Lmfgkh32.exe
1780	Lmfgkh32.exe
540	Ladpagin.exe
540	Ladpagin.exe
2392	Mioeeifi.exe
2392	Mioeeifi.exe
1776	Mfceom32.exe
1776	Mfceom32.exe
1856	Mfebdm32.exe
1856	Mfebdm32.exe
912	Moqgiopk.exe
912	Moqgiopk.exe
1004	Mbopon32.exe
1004	Mbopon32.exe
1672	Mlgdhcmb.exe
1672	Mlgdhcmb.exe
2512	Nogmin32.exe
2512	Nogmin32.exe
740	Nknnnoph.exe
740	Nknnnoph.exe
2292	Ncjbba32.exe
2292	Ncjbba32.exe
2776	Nldcagaq.exe
2776	Nldcagaq.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmfgkh32.exe	Laogfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjbba32.exe	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Ikicikap.exe	bdf70208d6e0f7640faf43ec07734140N.exe
File opened for modification	C:\Windows\SysWOW64\Ijopjhfh.exe	Idbgbahq.exe
File created	C:\Windows\SysWOW64\Jjnlikic.exe	Jgnchplb.exe
File created	C:\Windows\SysWOW64\Phplbpbl.dll	Kdfmlc32.exe
File created	C:\Windows\SysWOW64\Laogfg32.exe	Lamjph32.exe
File opened for modification	C:\Windows\SysWOW64\Kikokf32.exe	Kqokgd32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgdnp32.exe	Kikokf32.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mfceom32.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Mlgdhcmb.exe
File opened for modification	C:\Windows\SysWOW64\Laogfg32.exe	Lamjph32.exe
File opened for modification	C:\Windows\SysWOW64\Ladpagin.exe	Lmfgkh32.exe
File created	C:\Windows\SysWOW64\Ikicikap.exe	bdf70208d6e0f7640faf43ec07734140N.exe
File created	C:\Windows\SysWOW64\Kealkg32.dll	Ijopjhfh.exe
File opened for modification	C:\Windows\SysWOW64\Kqokgd32.exe	Kjcedj32.exe
File created	C:\Windows\SysWOW64\Jcmodmbk.dll	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Lamjph32.exe	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Cobcakeo.dll	Laogfg32.exe
File opened for modification	C:\Windows\SysWOW64\Mioeeifi.exe	Ladpagin.exe
File created	C:\Windows\SysWOW64\Kpqfpd32.dll	Ladpagin.exe
File created	C:\Windows\SysWOW64\Jopbnn32.exe	Ijopjhfh.exe
File created	C:\Windows\SysWOW64\Gadgpb32.dll	Jjnlikic.exe
File created	C:\Windows\SysWOW64\Picadgfk.dll	Kjcedj32.exe
File created	C:\Windows\SysWOW64\Lpiacp32.exe	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Kjaglbok.dll	Lamjph32.exe
File created	C:\Windows\SysWOW64\Ieaikf32.dll	Mioeeifi.exe
File created	C:\Windows\SysWOW64\Faqkji32.dll	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Nogmin32.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Nknnnoph.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Cmnhge32.dll	Nogmin32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Nldcagaq.exe
File opened for modification	C:\Windows\SysWOW64\Jopbnn32.exe	Ijopjhfh.exe
File created	C:\Windows\SysWOW64\Fgqofhkp.dll	Jopbnn32.exe
File created	C:\Windows\SysWOW64\Kdfmlc32.exe	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Lmfgkh32.exe	Laogfg32.exe
File created	C:\Windows\SysWOW64\Nldcagaq.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Kpgdnp32.exe	Kikokf32.exe
File created	C:\Windows\SysWOW64\Moqgiopk.exe	Mfebdm32.exe
File opened for modification	C:\Windows\SysWOW64\Nldcagaq.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nldcagaq.exe
File opened for modification	C:\Windows\SysWOW64\Kdfmlc32.exe	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Lamjph32.exe	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Mlgdhcmb.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Nogmin32.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Ihggkhle.dll	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Jjnlikic.exe	Jgnchplb.exe
File created	C:\Windows\SysWOW64\Kjcedj32.exe	Kdfmlc32.exe
File opened for modification	C:\Windows\SysWOW64\Mfceom32.exe	Mioeeifi.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mfceom32.exe
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Jgnchplb.exe	Jopbnn32.exe
File created	C:\Windows\SysWOW64\Hjchkfnl.dll	Jgnchplb.exe
File created	C:\Windows\SysWOW64\Kqokgd32.exe	Kjcedj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgdhcmb.exe	Mbopon32.exe
File opened for modification	C:\Windows\SysWOW64\Lpiacp32.exe	Kpgdnp32.exe
File created	C:\Windows\SysWOW64\Mbopon32.exe	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Ljecbkfm.dll	Idbgbahq.exe
File created	C:\Windows\SysWOW64\Ladpagin.exe	Lmfgkh32.exe
File created	C:\Windows\SysWOW64\Mmfmkf32.dll	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Kjcedj32.exe	Kdfmlc32.exe
File created	C:\Windows\SysWOW64\Jfennqnl.dll	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Chnjdl32.dll	Lmfgkh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	1664	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mioeeifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdfmlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nldcagaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikokf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikicikap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijopjhfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jopbnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laogfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfceom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idbgbahq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgnchplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnlikic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjcedj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmfgkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpiacp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdf70208d6e0f7640faf43ec07734140N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamjph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladpagin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgdhcmb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idbgbahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljecbkfm.dll"	Idbgbahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idbgbahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijopjhfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jopbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lamjph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgqofhkp.dll"	Jopbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgnchplb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjnlikic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjcedj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll"	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjnlikic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdfmlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phplbpbl.dll"	Kdfmlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laogfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdfmlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll"	Kikokf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnjdl32.dll"	Lmfgkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kealkg32.dll"	Ijopjhfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmfgkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadgpb32.dll"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ladpagin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kikokf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmfgkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfpd32.dll"	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlekk32.dll"	Ikicikap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jopbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picadgfk.dll"	Kjcedj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjcedj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mioeeifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfmkf32.dll"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihpflaf.dll"	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfennqnl.dll"	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaglbok.dll"	Lamjph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll"	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikicikap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjchkfnl.dll"	Jgnchplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	bdf70208d6e0f7640faf43ec07734140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kikokf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2976	1292	bdf70208d6e0f7640faf43ec07734140N.exe	30
PID 1292 wrote to memory of 2976	1292	bdf70208d6e0f7640faf43ec07734140N.exe	30
PID 1292 wrote to memory of 2976	1292	bdf70208d6e0f7640faf43ec07734140N.exe	30
PID 1292 wrote to memory of 2976	1292	bdf70208d6e0f7640faf43ec07734140N.exe	30
PID 2976 wrote to memory of 2704	2976	Ikicikap.exe	31
PID 2976 wrote to memory of 2704	2976	Ikicikap.exe	31
PID 2976 wrote to memory of 2704	2976	Ikicikap.exe	31
PID 2976 wrote to memory of 2704	2976	Ikicikap.exe	31
PID 2704 wrote to memory of 2680	2704	Idbgbahq.exe	32
PID 2704 wrote to memory of 2680	2704	Idbgbahq.exe	32
PID 2704 wrote to memory of 2680	2704	Idbgbahq.exe	32
PID 2704 wrote to memory of 2680	2704	Idbgbahq.exe	32
PID 2680 wrote to memory of 2760	2680	Ijopjhfh.exe	33
PID 2680 wrote to memory of 2760	2680	Ijopjhfh.exe	33
PID 2680 wrote to memory of 2760	2680	Ijopjhfh.exe	33
PID 2680 wrote to memory of 2760	2680	Ijopjhfh.exe	33
PID 2760 wrote to memory of 2724	2760	Jopbnn32.exe	34
PID 2760 wrote to memory of 2724	2760	Jopbnn32.exe	34
PID 2760 wrote to memory of 2724	2760	Jopbnn32.exe	34
PID 2760 wrote to memory of 2724	2760	Jopbnn32.exe	34
PID 2724 wrote to memory of 2348	2724	Jgnchplb.exe	35
PID 2724 wrote to memory of 2348	2724	Jgnchplb.exe	35
PID 2724 wrote to memory of 2348	2724	Jgnchplb.exe	35
PID 2724 wrote to memory of 2348	2724	Jgnchplb.exe	35
PID 2348 wrote to memory of 2540	2348	Jjnlikic.exe	36
PID 2348 wrote to memory of 2540	2348	Jjnlikic.exe	36
PID 2348 wrote to memory of 2540	2348	Jjnlikic.exe	36
PID 2348 wrote to memory of 2540	2348	Jjnlikic.exe	36
PID 2540 wrote to memory of 2380	2540	Kdfmlc32.exe	37
PID 2540 wrote to memory of 2380	2540	Kdfmlc32.exe	37
PID 2540 wrote to memory of 2380	2540	Kdfmlc32.exe	37
PID 2540 wrote to memory of 2380	2540	Kdfmlc32.exe	37
PID 2380 wrote to memory of 1536	2380	Kjcedj32.exe	38
PID 2380 wrote to memory of 1536	2380	Kjcedj32.exe	38
PID 2380 wrote to memory of 1536	2380	Kjcedj32.exe	38
PID 2380 wrote to memory of 1536	2380	Kjcedj32.exe	38
PID 1536 wrote to memory of 2872	1536	Kqokgd32.exe	39
PID 1536 wrote to memory of 2872	1536	Kqokgd32.exe	39
PID 1536 wrote to memory of 2872	1536	Kqokgd32.exe	39
PID 1536 wrote to memory of 2872	1536	Kqokgd32.exe	39
PID 2872 wrote to memory of 2304	2872	Kikokf32.exe	40
PID 2872 wrote to memory of 2304	2872	Kikokf32.exe	40
PID 2872 wrote to memory of 2304	2872	Kikokf32.exe	40
PID 2872 wrote to memory of 2304	2872	Kikokf32.exe	40
PID 2304 wrote to memory of 924	2304	Kpgdnp32.exe	41
PID 2304 wrote to memory of 924	2304	Kpgdnp32.exe	41
PID 2304 wrote to memory of 924	2304	Kpgdnp32.exe	41
PID 2304 wrote to memory of 924	2304	Kpgdnp32.exe	41
PID 924 wrote to memory of 1488	924	Lpiacp32.exe	42
PID 924 wrote to memory of 1488	924	Lpiacp32.exe	42
PID 924 wrote to memory of 1488	924	Lpiacp32.exe	42
PID 924 wrote to memory of 1488	924	Lpiacp32.exe	42
PID 1488 wrote to memory of 2176	1488	Lamjph32.exe	43
PID 1488 wrote to memory of 2176	1488	Lamjph32.exe	43
PID 1488 wrote to memory of 2176	1488	Lamjph32.exe	43
PID 1488 wrote to memory of 2176	1488	Lamjph32.exe	43
PID 2176 wrote to memory of 1780	2176	Laogfg32.exe	44
PID 2176 wrote to memory of 1780	2176	Laogfg32.exe	44
PID 2176 wrote to memory of 1780	2176	Laogfg32.exe	44
PID 2176 wrote to memory of 1780	2176	Laogfg32.exe	44
PID 1780 wrote to memory of 540	1780	Lmfgkh32.exe	45
PID 1780 wrote to memory of 540	1780	Lmfgkh32.exe	45
PID 1780 wrote to memory of 540	1780	Lmfgkh32.exe	45
PID 1780 wrote to memory of 540	1780	Lmfgkh32.exe	45

C:\Users\Admin\AppData\Local\Temp\bdf70208d6e0f7640faf43ec07734140N.exe
"C:\Users\Admin\AppData\Local\Temp\bdf70208d6e0f7640faf43ec07734140N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\Ikicikap.exe
  C:\Windows\system32\Ikicikap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\Idbgbahq.exe
    C:\Windows\system32\Idbgbahq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Ijopjhfh.exe
      C:\Windows\system32\Ijopjhfh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Jopbnn32.exe
        
        C:\Windows\system32\Jopbnn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\Jgnchplb.exe
        
        C:\Windows\system32\Jgnchplb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Jjnlikic.exe
        
        C:\Windows\system32\Jjnlikic.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Kdfmlc32.exe
        
        C:\Windows\system32\Kdfmlc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Kjcedj32.exe
        
        C:\Windows\system32\Kjcedj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kqokgd32.exe
        
        C:\Windows\system32\Kqokgd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Kikokf32.exe
        
        C:\Windows\system32\Kikokf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Lpiacp32.exe
        
        C:\Windows\system32\Lpiacp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Lamjph32.exe
        
        C:\Windows\system32\Lamjph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Laogfg32.exe
        
        C:\Windows\system32\Laogfg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Lmfgkh32.exe
        
        C:\Windows\system32\Lmfgkh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ladpagin.exe
        
        C:\Windows\system32\Ladpagin.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mioeeifi.exe
        
        C:\Windows\system32\Mioeeifi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Mfceom32.exe
        
        C:\Windows\system32\Mfceom32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Moqgiopk.exe
        
        C:\Windows\system32\Moqgiopk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Mbopon32.exe
        
        C:\Windows\system32\Mbopon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Mlgdhcmb.exe
        
        C:\Windows\system32\Mlgdhcmb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Nldcagaq.exe
        
        C:\Windows\system32\Nldcagaq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fgqofhkp.dll

Filesize
7KB

MD5
d9c93090f9046505aa88ee8f5e4a971e

SHA1
69e3db0c304e49a619a8bc575210eeaa7dbd824c

SHA256
308821c74a44a96b720eace3fc8bde4950022b7a3644fc9d687120381cf0d7b3

SHA512
1c414045d55e93d73290cd3d13840ffe356a19cd8e77103ed6e6368ab37917197c315b6e6763a421c35d0f54267277b07e136582c5c15d3771f64c6698ef8aea

Download Submit
C:\Windows\SysWOW64\Ikicikap.exe

Filesize
93KB

MD5
3e51f84aada61d1d8cc2fa98b24bbb7d

SHA1
cbd477b992f4d7be6006c373e27a7a4ea3b722f1

SHA256
227fc4284d0c7e40f9948692f1aa5126b2e1d9dffac38b76384242ef4e755e6d

SHA512
7d8b3fdcdb1468390d7f7c54766b4d864bead871b0dc0a87e1e3861245af53284462128acabaf0e2532e8960ba59891a7d72a30f3d9651b3fb43cdd4655f2882

Download Submit
C:\Windows\SysWOW64\Ladpagin.exe

Filesize
93KB

MD5
2366efa9e7478ea8bbb8ea368fc4e4d5

SHA1
b2e6163b9a975cdd8a11364deec92e90c6d9c41e

SHA256
c5b578c9984512cdb6a89ee42f4f6515eaf13d055bf375ed4dc98bff5791c872

SHA512
121d75c9dbc95eb1d1fa7918eac94b78f7e029a786af6eb7cee0a935a08a4d01e7bdca92feeed45ff2e5100857548c7eb499fce3ed756846492d44043fe6f651

Download Submit
C:\Windows\SysWOW64\Lmfgkh32.exe

Filesize
93KB

MD5
d578efaf2a856cc5ee0fa7ae84c53e82

SHA1
cddbe420f0d96261a956e2d7cd78c13576e5cc5f

SHA256
3d667aabb23e6e62dabaed763315cca4843cb5caf4f0c876e05b9130a892c229

SHA512
cad37962d3f4da521b835b1498b9499d0bc63850ce08636cb709119278abef937a675f7c5d8dfa24c2b1fa2a38e31ecbc6b1c45cafb76827c34252abbe46a1de

Download Submit
C:\Windows\SysWOW64\Mbopon32.exe

Filesize
93KB

MD5
364fc3492df275d97d0accb065c4b73f

SHA1
71a51232758bebc34693a56a4dd6dcf68e2f5e8b

SHA256
a522292187c41d4a42a5cdfc734cc12815e7deca92761c76a8c71f0a7c908829

SHA512
24652f4c5a15758384d07b3118d7e6105bd2bd7729ecb8e00d559164b45ac8e16b93d062414bb71172ffca8143a7950b944a6d3f8120863c809aee077dfe5cab

Download Submit
C:\Windows\SysWOW64\Mfceom32.exe

Filesize
93KB

MD5
7fa24dfb84594b5dc9c6189001c52944

SHA1
f8b33ea7aeedd19f8f6d094ab139a4be42a93fb7

SHA256
4761de475e5d212dfc36374551ab7fbfdd63a54104a43675a1a4b27f4da6a366

SHA512
9a1cf04e3b0f763dbd5af53e33535a49404a12515b2551a290ba41fb5c58f7851a0eede2d59cbfa787677a4283d804cac3919c4b53d2e28838efea95594dab47

Download Submit
C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
93KB

MD5
9fa7e63278e5b4db130542cf635f05cf

SHA1
f9ccf3dbb5859628899403d1cf41e5662de55e66

SHA256
906f537b5c9e9dedc6a464d06cb7942cd686aea4ebf49f17b41aa4887b84e22f

SHA512
82941eb53c6ef09e912ea061610bc3f0b49549f58530b821b226c9456d41261ca922297be0af9264129bd182fb7c043b9535da03c29e048d62ba0f4f77c40bf3

Download Submit
C:\Windows\SysWOW64\Mioeeifi.exe

Filesize
93KB

MD5
27aaf09c3c1a9649aecd86323d719d83

SHA1
a5362e5bdef6aaebc133f2b20d282422e349eccf

SHA256
df61469c0ad29351892fe99152e07e0e0cc7a7fafb69c79d9d62cd69d2434cb7

SHA512
b85d56b1689c01f8e03a486c90afb8cecec964a12d52e7196fd95b386dd7752f705734510d5f7753641ff42fa80af976708f7420679533eef21278b56146a84c

Download Submit
C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
93KB

MD5
0d12dec33ffedfbdaf4e0c84c9231bdf

SHA1
ea5013a051bbbe504008bfdfeec8fe06e4ad687f

SHA256
c46430b38d0776aed0ec6409a4a701e84a5bf7949210badeb536d802b6b844bc

SHA512
868a693aeb5238dc5126d5184446b378ab696afb066f53af123a3691a9cfd7ecff366a4022e4d9cfd72eff49653dd328b8c66810a562da0ba552f728ae9d3b32

Download Submit
C:\Windows\SysWOW64\Moqgiopk.exe

Filesize
93KB

MD5
8efdb6840e64b4671b799b49e92ce5bb

SHA1
2364adb924fe9daa5f02b857420307598db6d33a

SHA256
3a77c9a7cd3ca9a33aaeed626f6ba83b2830f37874a9913f9d18cfa14bf5941b

SHA512
fbdeef601f4d75438643d98a1c510c4c96b8bd3c9b04f627e22d1b136f900d485cee4186361c0167bf1406ed82a1d34ce0b45ade299d43ab3ecb05c628d725d4

Download Submit
C:\Windows\SysWOW64\Ncjbba32.exe

Filesize
93KB

MD5
3c134c6c52553e2dc6e85a0d414163e1

SHA1
56cd088cd11c10813bc3f20ffd7906302f83a4e3

SHA256
dd4dea5662974d09be6017abe9f8a821c6e7baa0ff9a8a4348a578e06b7461f3

SHA512
d405a032fd008a5ad412a82625211f2ef7413056ec677ac424eb27e68733fbb178f4c6fa5e4d97acc891f216ea83baa29bfcb01cbf277e78ce47b1b01efd110a

Download Submit
C:\Windows\SysWOW64\Nknnnoph.exe

Filesize
93KB

MD5
c07fab99ed1cd014cc9ca14d7ef1fb76

SHA1
0e4d4cb6d5f65924c3a62220337474bd83154a2d

SHA256
06c4c78fcb9ca5a7e9ceaa48996ee725a78c1ce4b92f568a29373e27f5360342

SHA512
0cb45f7b13aa993b3bd3f96be5ceb613ec34121a9bc6237d82977c6a557061d8242a272e64e82ba849ae9b18811d4240cf3659f85f79f700ebe3259f2a7a3c44

Download Submit
C:\Windows\SysWOW64\Nldcagaq.exe

Filesize
93KB

MD5
c765efb2795d33e06013bf386a8ada38

SHA1
368da10eb5f23fbb41652efbf9fb404b97b8e69b

SHA256
8fa51f2889dc1950b589a71400497c090319fd5d44da0d4cc6f723d5a5349b3a

SHA512
eef73036e906902bbbf74f61723ebfd82b1b1f3b630a378c3d053eccc1b901ec264dbf7c02ea488c5415adc05d2bcd486daaa4e9b29b978b7b4c820255d9c81d

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
93KB

MD5
245f13215925ac80e30c9c35e0214030

SHA1
e57b5502f2b38d7794b3c64c73b99d0892616106

SHA256
b12952c09fa1744de60d744c810724f81ab3c5b2ae41635e6df48b131a12a279

SHA512
248db4b5443ae83294b0f6c7dc82307b5e6405c8ffe8709456184e81dc3ec57a1472996ad8e06aec385ca24a0dad765e5eaa4b927e4c97f11513341ba9996b5c

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
93KB

MD5
c11a60aa8ce9592661eb408ec6658c11

SHA1
5a789fdeabdbe8f715a0e4a44869ea19149d0e72

SHA256
3365b42a9da8c69c44ac9d727caa4c26d011823a25e3fb0bceaeb0266fa82e67

SHA512
2c525928f207b8a8423f5b5c16cb5486ee605eaaa430b87a1d46070f40338785f27ee55df8fc276a5721a453fd76a948cb29f29a1422f3a3e6a5cf953fe8f19d

Download Submit
\Windows\SysWOW64\Idbgbahq.exe

Filesize
93KB

MD5
d1d59448ca0c6fae6c2db3a80394a46c

SHA1
687371a0ccec6a90778675edc3af82381ae3b99d

SHA256
88c8e0b8be8aa008585b75ceaa78a01185b4eb0307932351bf0ff19ba3415e22

SHA512
ce44d53597b49fe6297d541f06358fe660d1eb6654ad32c26c875a187c2a3c7f86a39de8791e797a3a36660e22743ee3419582a6115736d99fda79112c88a5e4

Download Submit
\Windows\SysWOW64\Ijopjhfh.exe

Filesize
93KB

MD5
860e6fe7bf63b43d233b32a3fea82841

SHA1
8ee17ae877a71400f5a0e5176ec90418b5d1afee

SHA256
97b7cf50a7fba323bb7de83f387e36394f9856e9e1b12caedb419bf00faebea0

SHA512
6445b30e52038ce2513e6fae1f07c9e10b417daebe0ef7486ec8077cd36b48d54912925e5b613f48b303f0be6161271a9bd32c13a79714ecbe2824f37e985fb9

Download Submit
\Windows\SysWOW64\Jgnchplb.exe

Filesize
93KB

MD5
0d43c008604477a731ffd8d0d05231ee

SHA1
4060daba187394cf59937928b31675d7d2ad05e6

SHA256
dcedfab40b332bdd987b3b9c1ff994224b1fc89d94ae3f59c7589cb712c8efd8

SHA512
3884b42452794dde681797be1db99ab2ef318c4d8f375bb3676c55a9d17078ac576af0b3f42ba1ad5ae5b6b41769beec6558725ac4a10c88f579610fbf67a250

Download Submit
\Windows\SysWOW64\Jjnlikic.exe

Filesize
93KB

MD5
0bec23fd59d2b69046e6bea0b8455004

SHA1
9155f3355f9eefd57157d96097818c8ac832fd7b

SHA256
a136874cee45fdf806e6c38d8c4d09e2a988dcf1ac65e72eaf92a81da9e536a7

SHA512
4b349c020ecd7d23afb191308ebed8ba4978a2011cf9b3b6c08a0dd077d887551ce96a1c668445647b4039742a69cddfeab2e3b17c8a60405812ab661bca6996

Download Submit
\Windows\SysWOW64\Jopbnn32.exe

Filesize
93KB

MD5
22a51120812dae59dc03f33d8254efda

SHA1
8ae03c01713e5f8298e768f79cfa1f4ac565d216

SHA256
f0eab2d283ce19f25f7b361cd73f243d54202a2bf2d6f514675af5760ab2ab31

SHA512
38dde30e822705deb3ae5192bf0a418372844daae1dadbfb1daed5f9d7bcfc0773f534061cd36db1b3394385491d1a07f587d45930df0b0afffd47b5c97b7b79

Download Submit
\Windows\SysWOW64\Kdfmlc32.exe

Filesize
93KB

MD5
4d9f64071c5bfc5edf5ff365e5d5c3d2

SHA1
72f71ea472153aeb6589df72441be2b32de729cb

SHA256
5acff4b90127c8f82dc424ad74ec25f27c3445d1c69b18fe76a400e7ef04b8be

SHA512
ab6ffa23eb3ce0b8da6ee050ae61979970553ce3cd27fc0b3f2a3164a023ea5374d4dcc4a0ad7b46ea424b890136e8e707087464d19090f62ca10452bb473952

Download Submit
\Windows\SysWOW64\Kikokf32.exe

Filesize
93KB

MD5
30e2b1f9915ae1f29fd88490d8455619

SHA1
76201a4dabf2052051862e5dc9a18cbf28415324

SHA256
60177b7892ea773212e388e5d2612a97d91d5eca02ac9d78212089d2b3abfa19

SHA512
0bcb01a1b06b70f64857c409a43d2461f5d98634ee997266261b6ad46190017d9a8f2802bdf7008c37f93249b8853978098edf8577a50311be24afa81d7f27b1

Download Submit
\Windows\SysWOW64\Kjcedj32.exe

Filesize
93KB

MD5
9515f953d6dfa45764e5a35857b4d293

SHA1
45f29bd0545e66ec9f246f5a859c110bf496f6f4

SHA256
9999b2f108320486a19abffaf1ff3b79ad93f0e98c1070f021731a3be917287f

SHA512
bf681d594f224b98bb2e9f4ef42191e24614f1f450dff4eea59580d86efeb5d60cfe3de46a7b05d338dfce453dc4cee09c794329deb6aca11bc138cd9b09c59a

Download Submit
\Windows\SysWOW64\Kpgdnp32.exe

Filesize
93KB

MD5
ce1a24df067b59c9a1b49e2f7b8501e0

SHA1
7638835b617ecf6e5f2d0542789e236bb8234625

SHA256
e6eccc7fc9e0b171eb1906fb8a17fb4d85ffcd911353d48bd3e098c43eb15ffc

SHA512
40180bfb958e41d5ad90002450ea94773b23f5a2308e4115b485df7ad5d638cbcde7c40dffd72c1f6f70cecec17c834079255963ee644267012e53c04036cd26

Download Submit
\Windows\SysWOW64\Kqokgd32.exe

Filesize
93KB

MD5
30eec8b24c3b3272d4324d291fa298ba

SHA1
545a9125c9cf57f7e5249784d6d7e4de65180841

SHA256
3cbce402417cab634d64818d71d51376575bb900c561d43e866787b7ac6cc3d5

SHA512
ae254816395dadb04e3834584680d32dfd3f822efaec74a3bf602610caa7203dd5fcb569337f096327e67a734346803e92e4aad19a1469d9ea246f5b09efaa29

Download Submit
\Windows\SysWOW64\Lamjph32.exe

Filesize
93KB

MD5
07808583a1e7d187085e62e69fa1c8bc

SHA1
777450a2ea2d803dfd50ef92d9f0ba518c0d5880

SHA256
80c0b173fbc82ce018511dfca9362ccd8235864ed362692d1a3a84caf15228cb

SHA512
f9efbef3525d618dae5a7867fe5596e1a994d605c04357b959cff7ec1f77ef538ac7a1f95da215752510522c70a373a1f534e78db96644dc3194d5bcf426dcc3

Download Submit
\Windows\SysWOW64\Laogfg32.exe

Filesize
93KB

MD5
085085951f218866273fea95f28b4a91

SHA1
64f7fffc66b8f0f039033bd80e4f8660ec35006c

SHA256
ce3db2fce5e262dd2fc003e42180ff57d70a1bb5427fb347704d1c6c540693d8

SHA512
5ac8ef803658555a8f74b53182c80b0714d5e9b9ff4b4e776c0359a1a13ebe45d23be0a79eb1bdc53f055d3425c72768285ce1a2947c45fff4b6e9bb72ebe8d9

Download Submit
\Windows\SysWOW64\Lpiacp32.exe

Filesize
93KB

MD5
ec672f43f0fefcd224b2c932003ff14a

SHA1
55c28067e5d8e1e87b8363c923971a9c85845149

SHA256
106bc366167a07f42addb8af6dfe68e360c044e0b3821a4ef90cd1ed4d709e69

SHA512
e0db27e7dd67e6287de94b94a11e5136ede378f976ee29f1e72f84174a3f194a3b4012374a79cf6df51cadbf7457e8b4e048a496fe7ee9a5f0c3ba99d4588665

Download Submit
memory/540-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-313-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/740-312-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/912-265-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/912-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-269-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/912-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-172-0x0000000000350000-0x000000000038E000-memory.dmp

Filesize
248KB

Download
memory/924-164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-280-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1004-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-276-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1292-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-17-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1292-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-338-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1488-190-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1488-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-131-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1664-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-287-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1672-291-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1672-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-244-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download
memory/1776-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-257-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/1856-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-258-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2176-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-204-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2176-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-320-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2292-324-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2304-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-95-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2348-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-348-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/2380-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-123-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/2380-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-302-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2512-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-301-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2540-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-53-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2680-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-41-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2704-35-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2704-340-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2704-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-78-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2724-344-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2724-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-68-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2760-69-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2760-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-334-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2776-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-335-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2776-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-145-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2976-26-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2976-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads