c123dc0157920a2fe690df4be25e9af6791505d61ae6747c8da200f386b010b8

Analysis

max time kernel
36s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd323a98c084fe547d2022a2c5db3530N.exe
Size

233KB
MD5

cd323a98c084fe547d2022a2c5db3530
SHA1

a84d0e0f2d11bdbf172b813f90567bbf93777d17
SHA256

c123dc0157920a2fe690df4be25e9af6791505d61ae6747c8da200f386b010b8
SHA512

279698a66f98b4215839475e35fcb27faee367e84685dfe790bad419f91d4c1eb6fab7ced90536252917d77ef537bb73727ce21de6665a8c571fd8342d802822
SSDEEP

6144:ZMDGdK4EjfRKB3A4U2dga1mcyw7I6BjtCYYs2:GDGJy5WHR1mK7fVtXP2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmaqgaae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haleefoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igkjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjebjjck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jneoojeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqhdfe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gamifcmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ialadj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimlqfeq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoppefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lggbmbfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmnmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heonpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhfgcgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lflonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cd323a98c084fe547d2022a2c5db3530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoppefc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gamifcmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injlkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlaeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jqhdfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfklepl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nianjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfoboml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjcedj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhfgcgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjcedj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inhoegqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmoekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nianjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqamla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlpmmpam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlpmmpam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmcikd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfklepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffboohnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghbhhnhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmcikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbhmok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpfeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ialadj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpfoboml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noepdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noepdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkppcmjk.exe

Executes dropped EXE 54 IoCs

pid	Process
2136	Eqamla32.exe
2916	Egkehllh.exe
2748	Emjjfb32.exe
2960	Ffboohnm.exe
2876	Fmaqgaae.exe
1784	Felekcop.exe
1988	Fbpfeh32.exe
2276	Ghmnmo32.exe
2864	Gnicoh32.exe
2384	Ghbhhnhk.exe
2472	Gmoppefc.exe
316	Gamifcmi.exe
2156	Gmcikd32.exe
2160	Heonpf32.exe
2368	Hpfoboml.exe
1764	Hkppcmjk.exe
1512	Hlpmmpam.exe
324	Haleefoe.exe
1736	Igkjcm32.exe
1688	Ipdolbbj.exe
2860	Inhoegqc.exe
2060	Injlkf32.exe
2408	Icgdcm32.exe
2992	Ialadj32.exe
1068	Jlaeab32.exe
2760	Jhhfgcgj.exe
2720	Jneoojeb.exe
1596	Jbcgeilh.exe
2144	Jqhdfe32.exe
1796	Kmoekf32.exe
1816	Kjcedj32.exe
1052	Kopnma32.exe
2908	Kjebjjck.exe
3068	Kflcok32.exe
2480	Kmfklepl.exe
1496	Kimlqfeq.exe
2448	Kecmfg32.exe
2108	Lbhmok32.exe
3020	Llpaha32.exe
2032	Lggbmbfc.exe
952	Lflonn32.exe
532	Lpddgd32.exe
280	Lpgqlc32.exe
1772	Noepdo32.exe
828	Nhnemdbf.exe
2452	Nmjmekan.exe
1192	Nianjl32.exe
1644	Ncjbba32.exe
1956	Nmogpj32.exe
1504	Ncloha32.exe
2816	Nifgekbm.exe
2016	Nobpmb32.exe
2244	Oemhjlha.exe
3036	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
2268	cd323a98c084fe547d2022a2c5db3530N.exe
2268	cd323a98c084fe547d2022a2c5db3530N.exe
2136	Eqamla32.exe
2136	Eqamla32.exe
2916	Egkehllh.exe
2916	Egkehllh.exe
2748	Emjjfb32.exe
2748	Emjjfb32.exe
2960	Ffboohnm.exe
2960	Ffboohnm.exe
2876	Fmaqgaae.exe
2876	Fmaqgaae.exe
1784	Felekcop.exe
1784	Felekcop.exe
1988	Fbpfeh32.exe
1988	Fbpfeh32.exe
2276	Ghmnmo32.exe
2276	Ghmnmo32.exe
2864	Gnicoh32.exe
2864	Gnicoh32.exe
2384	Ghbhhnhk.exe
2384	Ghbhhnhk.exe
2472	Gmoppefc.exe
2472	Gmoppefc.exe
316	Gamifcmi.exe
316	Gamifcmi.exe
2156	Gmcikd32.exe
2156	Gmcikd32.exe
2160	Heonpf32.exe
2160	Heonpf32.exe
2368	Hpfoboml.exe
2368	Hpfoboml.exe
1764	Hkppcmjk.exe
1764	Hkppcmjk.exe
1512	Hlpmmpam.exe
1512	Hlpmmpam.exe
324	Haleefoe.exe
324	Haleefoe.exe
1736	Igkjcm32.exe
1736	Igkjcm32.exe
1688	Ipdolbbj.exe
1688	Ipdolbbj.exe
2860	Inhoegqc.exe
2860	Inhoegqc.exe
2060	Injlkf32.exe
2060	Injlkf32.exe
2408	Icgdcm32.exe
2408	Icgdcm32.exe
2992	Ialadj32.exe
2992	Ialadj32.exe
1068	Jlaeab32.exe
1068	Jlaeab32.exe
2760	Jhhfgcgj.exe
2760	Jhhfgcgj.exe
2720	Jneoojeb.exe
2720	Jneoojeb.exe
1596	Jbcgeilh.exe
1596	Jbcgeilh.exe
2144	Jqhdfe32.exe
2144	Jqhdfe32.exe
1796	Kmoekf32.exe
1796	Kmoekf32.exe
1816	Kjcedj32.exe
1816	Kjcedj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpddgd32.exe	Lflonn32.exe
File created	C:\Windows\SysWOW64\Noepdo32.exe	Lpgqlc32.exe
File created	C:\Windows\SysWOW64\Kanafj32.dll	Noepdo32.exe
File opened for modification	C:\Windows\SysWOW64\Fmaqgaae.exe	Ffboohnm.exe
File created	C:\Windows\SysWOW64\Icijhlgk.dll	Haleefoe.exe
File created	C:\Windows\SysWOW64\Olnnai32.dll	Jqhdfe32.exe
File created	C:\Windows\SysWOW64\Blkebebd.dll	Kimlqfeq.exe
File opened for modification	C:\Windows\SysWOW64\Nmogpj32.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Bghmmo32.dll	Gnicoh32.exe
File created	C:\Windows\SysWOW64\Gmoppefc.exe	Ghbhhnhk.exe
File created	C:\Windows\SysWOW64\Gmcikd32.exe	Gamifcmi.exe
File created	C:\Windows\SysWOW64\Hlpmmpam.exe	Hkppcmjk.exe
File created	C:\Windows\SysWOW64\Hkppcmjk.exe	Hpfoboml.exe
File created	C:\Windows\SysWOW64\Injlkf32.exe	Inhoegqc.exe
File created	C:\Windows\SysWOW64\Kflcok32.exe	Kjebjjck.exe
File created	C:\Windows\SysWOW64\Nhcedjfb.dll	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Lbhmok32.exe	Kecmfg32.exe
File opened for modification	C:\Windows\SysWOW64\Lflonn32.exe	Lggbmbfc.exe
File created	C:\Windows\SysWOW64\Nobpmb32.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Oemhjlha.exe
File opened for modification	C:\Windows\SysWOW64\Gamifcmi.exe	Gmoppefc.exe
File opened for modification	C:\Windows\SysWOW64\Hkppcmjk.exe	Hpfoboml.exe
File opened for modification	C:\Windows\SysWOW64\Ipdolbbj.exe	Igkjcm32.exe
File created	C:\Windows\SysWOW64\Gjlbhe32.dll	Kflcok32.exe
File created	C:\Windows\SysWOW64\Nhnemdbf.exe	Noepdo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmjmekan.exe	Nhnemdbf.exe
File created	C:\Windows\SysWOW64\Pbmebabj.dll	Ghmnmo32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoppefc.exe	Ghbhhnhk.exe
File created	C:\Windows\SysWOW64\Fkecbl32.dll	Icgdcm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmoekf32.exe	Jqhdfe32.exe
File created	C:\Windows\SysWOW64\Gleaik32.dll	Kjebjjck.exe
File created	C:\Windows\SysWOW64\Fbpfeh32.exe	Felekcop.exe
File created	C:\Windows\SysWOW64\Hpfoboml.exe	Heonpf32.exe
File created	C:\Windows\SysWOW64\Jhhfgcgj.exe	Jlaeab32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhfgcgj.exe	Jlaeab32.exe
File created	C:\Windows\SysWOW64\Kakjdp32.dll	Ffboohnm.exe
File opened for modification	C:\Windows\SysWOW64\Haleefoe.exe	Hlpmmpam.exe
File created	C:\Windows\SysWOW64\Cfnmqjah.dll	Kecmfg32.exe
File created	C:\Windows\SysWOW64\Llpaha32.exe	Lbhmok32.exe
File created	C:\Windows\SysWOW64\Keoncpnb.dll	Lpgqlc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjbba32.exe	Nianjl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Nmogpj32.exe
File opened for modification	C:\Windows\SysWOW64\Gmcikd32.exe	Gamifcmi.exe
File created	C:\Windows\SysWOW64\Ohnaohff.dll	Hkppcmjk.exe
File created	C:\Windows\SysWOW64\Igkjcm32.exe	Haleefoe.exe
File created	C:\Windows\SysWOW64\Fcdafj32.dll	Jlaeab32.exe
File created	C:\Windows\SysWOW64\Oemhjlha.exe	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oemhjlha.exe
File created	C:\Windows\SysWOW64\Emjjfb32.exe	Egkehllh.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Ncloha32.exe
File opened for modification	C:\Windows\SysWOW64\Kecmfg32.exe	Kimlqfeq.exe
File opened for modification	C:\Windows\SysWOW64\Lbhmok32.exe	Kecmfg32.exe
File created	C:\Windows\SysWOW64\Lpddgd32.exe	Lflonn32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Oemhjlha.exe
File created	C:\Windows\SysWOW64\Ngppolhf.dll	cd323a98c084fe547d2022a2c5db3530N.exe
File opened for modification	C:\Windows\SysWOW64\Emjjfb32.exe	Egkehllh.exe
File created	C:\Windows\SysWOW64\Amfabj32.dll	Fmaqgaae.exe
File opened for modification	C:\Windows\SysWOW64\Inhoegqc.exe	Ipdolbbj.exe
File created	C:\Windows\SysWOW64\Fmaqgaae.exe	Ffboohnm.exe
File created	C:\Windows\SysWOW64\Ddpidhgj.dll	Kopnma32.exe
File opened for modification	C:\Windows\SysWOW64\Nhnemdbf.exe	Noepdo32.exe
File created	C:\Windows\SysWOW64\Nianjl32.exe	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	Nianjl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	3036	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emjjfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflonn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Felekcop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heonpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmoekf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmcikd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjebjjck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqamla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlpmmpam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdolbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jneoojeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcgeilh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkehllh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmaqgaae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgqlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmogpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd323a98c084fe547d2022a2c5db3530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmoppefc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhoegqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nianjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haleefoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injlkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ialadj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlaeab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjcedj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffboohnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gamifcmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfklepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kecmfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpfoboml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghbhhnhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkppcmjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqhdfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmekan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpfeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggbmbfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhfgcgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobpmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpddgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noepdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghmnmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnicoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igkjcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopnma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimlqfeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemhjlha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldniinja.dll"	Gamifcmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpfoboml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll"	Haleefoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll"	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnnai32.dll"	Jqhdfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfklepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Felekcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhmjpmg.dll"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmbjn32.dll"	Gmcikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Heonpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooohcdo.dll"	Hlpmmpam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjebjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieiiaad.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Nianjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cd323a98c084fe547d2022a2c5db3530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfncf32.dll"	Eqamla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmaqgaae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfje32.dll"	Ghbhhnhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haleefoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cd323a98c084fe547d2022a2c5db3530N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoppefc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haleefoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlaeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkppcmjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkecbl32.dll"	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kimlqfeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhebenfc.dll"	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpddgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gamifcmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Injlkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdafj32.dll"	Jlaeab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kflcok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lflonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfabj32.dll"	Fmaqgaae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gnicoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnicoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoppefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpidhgj.dll"	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noepdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acheia32.dll"	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmaqgaae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghbhhnhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndlek32.dll"	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdolbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgcql32.dll"	Injlkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kecmfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igkjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpeplh32.dll"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egkehllh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2136	2268	cd323a98c084fe547d2022a2c5db3530N.exe	30
PID 2268 wrote to memory of 2136	2268	cd323a98c084fe547d2022a2c5db3530N.exe	30
PID 2268 wrote to memory of 2136	2268	cd323a98c084fe547d2022a2c5db3530N.exe	30
PID 2268 wrote to memory of 2136	2268	cd323a98c084fe547d2022a2c5db3530N.exe	30
PID 2136 wrote to memory of 2916	2136	Eqamla32.exe	31
PID 2136 wrote to memory of 2916	2136	Eqamla32.exe	31
PID 2136 wrote to memory of 2916	2136	Eqamla32.exe	31
PID 2136 wrote to memory of 2916	2136	Eqamla32.exe	31
PID 2916 wrote to memory of 2748	2916	Egkehllh.exe	32
PID 2916 wrote to memory of 2748	2916	Egkehllh.exe	32
PID 2916 wrote to memory of 2748	2916	Egkehllh.exe	32
PID 2916 wrote to memory of 2748	2916	Egkehllh.exe	32
PID 2748 wrote to memory of 2960	2748	Emjjfb32.exe	33
PID 2748 wrote to memory of 2960	2748	Emjjfb32.exe	33
PID 2748 wrote to memory of 2960	2748	Emjjfb32.exe	33
PID 2748 wrote to memory of 2960	2748	Emjjfb32.exe	33
PID 2960 wrote to memory of 2876	2960	Ffboohnm.exe	34
PID 2960 wrote to memory of 2876	2960	Ffboohnm.exe	34
PID 2960 wrote to memory of 2876	2960	Ffboohnm.exe	34
PID 2960 wrote to memory of 2876	2960	Ffboohnm.exe	34
PID 2876 wrote to memory of 1784	2876	Fmaqgaae.exe	35
PID 2876 wrote to memory of 1784	2876	Fmaqgaae.exe	35
PID 2876 wrote to memory of 1784	2876	Fmaqgaae.exe	35
PID 2876 wrote to memory of 1784	2876	Fmaqgaae.exe	35
PID 1784 wrote to memory of 1988	1784	Felekcop.exe	36
PID 1784 wrote to memory of 1988	1784	Felekcop.exe	36
PID 1784 wrote to memory of 1988	1784	Felekcop.exe	36
PID 1784 wrote to memory of 1988	1784	Felekcop.exe	36
PID 1988 wrote to memory of 2276	1988	Fbpfeh32.exe	37
PID 1988 wrote to memory of 2276	1988	Fbpfeh32.exe	37
PID 1988 wrote to memory of 2276	1988	Fbpfeh32.exe	37
PID 1988 wrote to memory of 2276	1988	Fbpfeh32.exe	37
PID 2276 wrote to memory of 2864	2276	Ghmnmo32.exe	38
PID 2276 wrote to memory of 2864	2276	Ghmnmo32.exe	38
PID 2276 wrote to memory of 2864	2276	Ghmnmo32.exe	38
PID 2276 wrote to memory of 2864	2276	Ghmnmo32.exe	38
PID 2864 wrote to memory of 2384	2864	Gnicoh32.exe	39
PID 2864 wrote to memory of 2384	2864	Gnicoh32.exe	39
PID 2864 wrote to memory of 2384	2864	Gnicoh32.exe	39
PID 2864 wrote to memory of 2384	2864	Gnicoh32.exe	39
PID 2384 wrote to memory of 2472	2384	Ghbhhnhk.exe	40
PID 2384 wrote to memory of 2472	2384	Ghbhhnhk.exe	40
PID 2384 wrote to memory of 2472	2384	Ghbhhnhk.exe	40
PID 2384 wrote to memory of 2472	2384	Ghbhhnhk.exe	40
PID 2472 wrote to memory of 316	2472	Gmoppefc.exe	41
PID 2472 wrote to memory of 316	2472	Gmoppefc.exe	41
PID 2472 wrote to memory of 316	2472	Gmoppefc.exe	41
PID 2472 wrote to memory of 316	2472	Gmoppefc.exe	41
PID 316 wrote to memory of 2156	316	Gamifcmi.exe	42
PID 316 wrote to memory of 2156	316	Gamifcmi.exe	42
PID 316 wrote to memory of 2156	316	Gamifcmi.exe	42
PID 316 wrote to memory of 2156	316	Gamifcmi.exe	42
PID 2156 wrote to memory of 2160	2156	Gmcikd32.exe	43
PID 2156 wrote to memory of 2160	2156	Gmcikd32.exe	43
PID 2156 wrote to memory of 2160	2156	Gmcikd32.exe	43
PID 2156 wrote to memory of 2160	2156	Gmcikd32.exe	43
PID 2160 wrote to memory of 2368	2160	Heonpf32.exe	44
PID 2160 wrote to memory of 2368	2160	Heonpf32.exe	44
PID 2160 wrote to memory of 2368	2160	Heonpf32.exe	44
PID 2160 wrote to memory of 2368	2160	Heonpf32.exe	44
PID 2368 wrote to memory of 1764	2368	Hpfoboml.exe	45
PID 2368 wrote to memory of 1764	2368	Hpfoboml.exe	45
PID 2368 wrote to memory of 1764	2368	Hpfoboml.exe	45
PID 2368 wrote to memory of 1764	2368	Hpfoboml.exe	45

C:\Users\Admin\AppData\Local\Temp\cd323a98c084fe547d2022a2c5db3530N.exe
"C:\Users\Admin\AppData\Local\Temp\cd323a98c084fe547d2022a2c5db3530N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\Eqamla32.exe
  C:\Windows\system32\Eqamla32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Egkehllh.exe
    C:\Windows\system32\Egkehllh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Emjjfb32.exe
      C:\Windows\system32\Emjjfb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Ffboohnm.exe
        
        C:\Windows\system32\Ffboohnm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Fmaqgaae.exe
        
        C:\Windows\system32\Fmaqgaae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Felekcop.exe
        
        C:\Windows\system32\Felekcop.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Fbpfeh32.exe
        
        C:\Windows\system32\Fbpfeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ghmnmo32.exe
        
        C:\Windows\system32\Ghmnmo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Gnicoh32.exe
        
        C:\Windows\system32\Gnicoh32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ghbhhnhk.exe
        
        C:\Windows\system32\Ghbhhnhk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Gmoppefc.exe
        
        C:\Windows\system32\Gmoppefc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Gamifcmi.exe
        
        C:\Windows\system32\Gamifcmi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Gmcikd32.exe
        
        C:\Windows\system32\Gmcikd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Heonpf32.exe
        
        C:\Windows\system32\Heonpf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Hpfoboml.exe
        
        C:\Windows\system32\Hpfoboml.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Hkppcmjk.exe
        
        C:\Windows\system32\Hkppcmjk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Hlpmmpam.exe
        
        C:\Windows\system32\Hlpmmpam.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Haleefoe.exe
        
        C:\Windows\system32\Haleefoe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Igkjcm32.exe
        
        C:\Windows\system32\Igkjcm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ipdolbbj.exe
        
        C:\Windows\system32\Ipdolbbj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Inhoegqc.exe
        
        C:\Windows\system32\Inhoegqc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Injlkf32.exe
        
        C:\Windows\system32\Injlkf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Icgdcm32.exe
        
        C:\Windows\system32\Icgdcm32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ialadj32.exe
        
        C:\Windows\system32\Ialadj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Jlaeab32.exe
        
        C:\Windows\system32\Jlaeab32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Jhhfgcgj.exe
        
        C:\Windows\system32\Jhhfgcgj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Jneoojeb.exe
        
        C:\Windows\system32\Jneoojeb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Jbcgeilh.exe
        
        C:\Windows\system32\Jbcgeilh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Jqhdfe32.exe
        
        C:\Windows\system32\Jqhdfe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Kmoekf32.exe
        
        C:\Windows\system32\Kmoekf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Kjcedj32.exe
        
        C:\Windows\system32\Kjcedj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Kopnma32.exe
        
        C:\Windows\system32\Kopnma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Kjebjjck.exe
        
        C:\Windows\system32\Kjebjjck.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Kflcok32.exe
        
        C:\Windows\system32\Kflcok32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Kmfklepl.exe
        
        C:\Windows\system32\Kmfklepl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Kimlqfeq.exe
        
        C:\Windows\system32\Kimlqfeq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Kecmfg32.exe
        
        C:\Windows\system32\Kecmfg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Lbhmok32.exe
        
        C:\Windows\system32\Lbhmok32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Llpaha32.exe
        
        C:\Windows\system32\Llpaha32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lggbmbfc.exe
        
        C:\Windows\system32\Lggbmbfc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Lflonn32.exe
        
        C:\Windows\system32\Lflonn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Lpddgd32.exe
        
        C:\Windows\system32\Lpddgd32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Lpgqlc32.exe
        
        C:\Windows\system32\Lpgqlc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\Noepdo32.exe
        
        C:\Windows\system32\Noepdo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\Nmjmekan.exe
        
        C:\Windows\system32\Nmjmekan.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Nianjl32.exe
        
        C:\Windows\system32\Nianjl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nmogpj32.exe
        
        C:\Windows\system32\Nmogpj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Nobpmb32.exe
        
        C:\Windows\system32\Nobpmb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Oemhjlha.exe
        
        C:\Windows\system32\Oemhjlha.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 140
        56⤵
        Program crash
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Egkehllh.exe

Filesize
233KB

MD5
2a613645346a1d89eaacb04a5ccdb80a

SHA1
0d49ae89f8f1c91fcc9e75cd0dca40986613f0e7

SHA256
66f6ce922b0cbb28efc89f6ff75bd365facd3bec23bfd04880f2fee23657b0b5

SHA512
bb3ec04290ab34af254798b53e5cf31d43f58bd91b37721bb8526019deb1e83e6cdcaca05fbed992533ae7caf2cd4c375b4241b05182af9bb6359f7ea710fcd7

Download Submit
C:\Windows\SysWOW64\Emjjfb32.exe

Filesize
233KB

MD5
b92dbd71bf5d9cd45434f7acb8f42497

SHA1
a77a962a29874f1eb96cdadd62d0ebe45860d431

SHA256
d7abb633e47af68d5e3aa34881f79e6ed62e917100b48a5f339ac64ad6ee9b55

SHA512
b6322ef66299b94220baa0bbfeeebd83e220f4fb19b582d615385ccf8ec9c9e1d34897088984beb1232c9f9026325fa3aa25a2a3c911ec1415bc875c42b0e442

Download Submit
C:\Windows\SysWOW64\Eqamla32.exe

Filesize
233KB

MD5
5746d38da8bf1009634338084c113d90

SHA1
eefefbce4c833b42c6637dc66cef96b0c0330708

SHA256
a43d5904403d6bda28d64967e97b419bc505437760fc368e4b6be06f3b697650

SHA512
58119c4af8e80302453497f8e6cd9a90405b4e1f120a651cf16e913982b73286011c393332076cb8ec9c6c2703fccdef843e9b7783b12093ccd351033bbd9ad1

Download Submit
C:\Windows\SysWOW64\Fmaqgaae.exe

Filesize
233KB

MD5
2f6a448e5451b73b3037972870802638

SHA1
220a0ba0e464aac927030568b92ebd931c576465

SHA256
5ffca7cb78a720e3421a59396ba6963b924ebc4acd55a9a030b608dc0c218668

SHA512
b01c3bc74e1ecc1ac946707ff6289404dab11d673fc0c0f183dea582f21935c1e84dac7fddca9e67e865e8b4e1545413fe516a52af3ec0404b63e80775663ecf

Download Submit
C:\Windows\SysWOW64\Ghbhhnhk.exe

Filesize
233KB

MD5
e9e6eba2f8651ac083eaa93ba4c3ec2d

SHA1
6a03af69096686af2ab5516ae652539e48ea9714

SHA256
ff84428c623913ecb4a5b54948ee442f6d028414238b696bc9176b2f4f26ea75

SHA512
81e758fd6ef7697ebae3349f297455b3718854b3316b456388e956b75932eb77c6f88ddce87b5b011951166d2ad6fd8231ba5a53a7288755604a1054c5cf7181

Download Submit
C:\Windows\SysWOW64\Gmcikd32.exe

Filesize
233KB

MD5
157a3fa1e19f94ec7a221d49f059e9e3

SHA1
09871dd93b4697533d42dc67e30cb69bc1b38dc4

SHA256
091cc2a28ea6af55778c9bc1d123e2c497f06b97e1a4e1cf7eb1f6f748b2f1cd

SHA512
10b34bb49460717964a663b032d290af89eb5958937e9ef337fae9c10f3a6f0fe1bd07e6275fb2da31f063d2728a7aca2bc312ae5b4106c473390ca016ac4576

Download Submit
C:\Windows\SysWOW64\Haleefoe.exe

Filesize
233KB

MD5
77322fb594fdab9f1dd989d4647b4757

SHA1
8341380c9c196bf35f71f5b97ec82ed233151784

SHA256
c6c1adb2930d47f5080fdcc0da802d695825f468a4ce6098e89a0602c19f4236

SHA512
676c0e7b8447366b28d26f0ca965c868f616e5262bf7fa12bad103d3562d5823ed2abe99fccb92a46282b5889ee0090ea1a4ff6dcf615d9c833f60f67eaa1b34

Download Submit
C:\Windows\SysWOW64\Hlpmmpam.exe

Filesize
233KB

MD5
04a94e0d9f5f6f05e9dc6b740b669391

SHA1
0fcb2f6d736c7d71054d0c195f714f01e6d58245

SHA256
894905aa1b1b80c0b701ae6e8d741f7db306cfa298d24a846be04a14c52e034a

SHA512
0a28de9fe72948db7c73b3c445232161896ff99db277f7a143e6f41d3e49f6586cf3f1d0cba3f83aea7383326dfe5dd26167c548b13ad768d5ba5b09660f4cc1

Download Submit
C:\Windows\SysWOW64\Hpfoboml.exe

Filesize
233KB

MD5
cf5a6e1617e4fa1aee99a653380c14e6

SHA1
28ff8964567a863f183583b8a822b16c1fe879cb

SHA256
95dd7239633c89dc2a236c98ac2d68a1d65d0336d406e0093a1886d26142339c

SHA512
af380e4ef44a020adcb0698825d7d76409b329d561ecab01dcf8c32ab98602d070cebcfb93852cfbe043a12a5453822ae762aeaca72604d0e7fec9d456835313

Download Submit
C:\Windows\SysWOW64\Ialadj32.exe

Filesize
233KB

MD5
91d74555764ba85b5c9e808ea2a5169a

SHA1
70c45fd71c4a80e6e888dde9a8254b6064b4cfdb

SHA256
dadef9adb5677b20fb04b7ac51e892cc554e87079f7dc0434fe021a75348d5d2

SHA512
0204bf2a7e64d04cf5f87871c9611212878801ff37df40b03d8ff9207183e9c4ee44d4b24b6b1c22520b9f3fbc41340840bf861718faa975959ac4059631971c

Download Submit
C:\Windows\SysWOW64\Icgdcm32.exe

Filesize
233KB

MD5
ed205eec887106632f7b86f4dc925654

SHA1
b5347165ce60900d42f63137d4c0b1b9eae093f9

SHA256
994662603976cea3f596f2dfa844f103b6d8a44d3a5229ab78db09714efff588

SHA512
cd715c35b45727d87e76b4587a84502e2ab8cf2679ac2027792881836b6087cf92635d2caf4a152641bb5f1f16745e8098f7cd9402d461d66400e5510dff2024

Download Submit
C:\Windows\SysWOW64\Igkjcm32.exe

Filesize
233KB

MD5
4494a56e2df234cd52925a6b2051ed60

SHA1
37723009bd90143d325a90adf75783e9d5c0cc06

SHA256
e70e7f10ac9db10230e7ecc8afebcc9d32b66ef4e6044dd00d689a46a8df5261

SHA512
19199614060f74e70d594a61877a5de32c50adbf31479d2c6b8338322717379e142f5aeab8d4a9a7891e51f4955f7fae3a887582dadf6dd0801f6a96c6ab9bb5

Download Submit
C:\Windows\SysWOW64\Inhoegqc.exe

Filesize
233KB

MD5
cc7f1d63a9ca40c6e39c46f52f755c1e

SHA1
a9e393dd5ae7604c99f53221ce2fb16681a4a057

SHA256
a9241cf0a0ea589a199a3a86796881c4c112537b1fd16fe6efb3ea815c7bdcb7

SHA512
dd2126ceb5a549cb3950c0de6cef24625e049a20b0ca10b7c81daff0b3b0ac94139ce47867d8774f02cd019258df802922ca6be8229c6d9dbe7f4599d0d52acd

Download Submit
C:\Windows\SysWOW64\Injlkf32.exe

Filesize
233KB

MD5
af41c92afaca6e9b7bd256dd1435d833

SHA1
6a9117006c1ea9488335fe5d885624a2bbbf4466

SHA256
923f660f9e1bea26f3dde8b75faa2ed8b7892a1d31ab010517b3481969f160db

SHA512
3a7431885675b4f7cdb9b725a1c2be5766f9c49f13bbbc2a89da403c8f200c3bf97f20ef10efeb0920837036b7def88a06eace41e3fb516f0e68c56656c229fb

Download Submit
C:\Windows\SysWOW64\Ipdolbbj.exe

Filesize
233KB

MD5
f368c331c19169dc1cb40e26be798e12

SHA1
a57cf44c1642634c0e99f0bb9ccb973fc5ba9f0c

SHA256
4740551d821f7c2c39673ce3c60ffa7d772f6f4b0f510bfe5e85b8258ab7d986

SHA512
f5214fb28949aa47a432e4509ce10d65d26de7ecda60c1de61c6fe58179ed001db819e46caa2addee962cfd882217b2a17239600aae03f095bd98d74308ba5b9

Download Submit
C:\Windows\SysWOW64\Jbcgeilh.exe

Filesize
233KB

MD5
1791a93e1ff6f56fae9f527aa0de60b9

SHA1
55eaaa5d0080177efa60ec6659a89134452f507e

SHA256
aa4c0197d5f46d418c31ebe711a34cb2ced577fc84ea05681aa5d1d7fc56de70

SHA512
c2b1c9a5df33d0ec97eac19e4f511c2b51b751871eb1bb949504d24aef5d0815024f99f88d16c6389e80e59bb62818c7d005f98ab5004be41771e3dc890db681

Download Submit
C:\Windows\SysWOW64\Jhhfgcgj.exe

Filesize
233KB

MD5
0ef0a2db3eaa27c8d7957642e148fecb

SHA1
369e2d4623458b7e223e3eee521dca46b4fdc391

SHA256
9a4957d30aba6bcb982592cc39c7ab7b83cb04545a4c061da7611b2448dccc9b

SHA512
3a4728f9cd5978f275f16bc4fc07350a6aad3b6b7b44162820a61935ee39a2cef73fec84e3d6278b37b741e6f2da133c5edda16c424ece11951250f987073fa7

Download Submit
C:\Windows\SysWOW64\Jlaeab32.exe

Filesize
233KB

MD5
ef764b3e3d7b1192bf9f41ad56e8e69c

SHA1
56c1f48093c7c07afaa2efebe91f337b5e78442c

SHA256
3c389950de72b76323cc492959422ab1d342839084bd6f92b38377f0ebca6c68

SHA512
289f4c69d625f06e9e5f151c46bac72cbe82c077478448e9670fff4cc9d814acf5625cb9a5f4723a69083326548cbba3fed5f7e37120ba61ebabada08ad19254

Download Submit
C:\Windows\SysWOW64\Jneoojeb.exe

Filesize
233KB

MD5
23657c6e17528e33bb957039ba0aec8b

SHA1
f18e3d0caa13e1340976ec9764d49d412f2c63c2

SHA256
dedb7b91e53c5cb0dda8597f43c34875c7409b576b67a9840b17b2ce1ff46a7b

SHA512
7e92169e920d311b931cb26223933322a3ed8c6b0a71ed8f3b50a006c309f44f108d7a332c84b81fbb6c3c82a13c348f8b60c228f5748c5762079f28e086c888

Download Submit
C:\Windows\SysWOW64\Jqhdfe32.exe

Filesize
233KB

MD5
b2843ded40fe30a5b478649ef045a0a0

SHA1
a13370043f4d003aa52cd8b78bf8019b4c946809

SHA256
6422af3bf4a6f04a740374cfb82e6334b69182ef1914086bcb01c6974d1cad76

SHA512
12828becd01630b611507b120bdff157b04301b4a1fdd243674f2f44e43366648273b53f60787f74f34bd4102eaa99903331bdb0ae74845df7fcbf07bd30c949

Download Submit
C:\Windows\SysWOW64\Kakjdp32.dll

Filesize
7KB

MD5
6bffb7356f470eb2a8e8bb79122a14e5

SHA1
dc71faf982b723735c0bd59e76b32eadc6d7b110

SHA256
ae1ab0fb4d44c7ec4b62e3c7f1e2fedd86076d8b64fa1a73f0ff2dd531154134

SHA512
7755793da6efe26cec6af64756053a0079de64d226fb728dd972837610f7bb98d2847bc2e51e382a8c91bfe5bea6e2445f21c331cacf57aad2338c7d2251594c

Download Submit
C:\Windows\SysWOW64\Kecmfg32.exe

Filesize
233KB

MD5
fe1ecea1ab5f4675f8c65106b935e7a4

SHA1
ce9cbff7067ef27f2f1a477ddd8db35918d72eb0

SHA256
002c4c6df7fa8c7ffa09c67c3e8d8d7507da58703f4cda812668ca4517ab7889

SHA512
172025eeeef6a65500984c958c98b670a837f9ad6bcdaca8d90a8eb2aae4f59380bc48c69eeec6fb25b49ecb41264bf6fefa6affe9807dae7d469012cde57a2e

Download Submit
C:\Windows\SysWOW64\Kflcok32.exe

Filesize
233KB

MD5
ae2bdf4b4671aa823105406d72dc4874

SHA1
be24c48041431c921afa8005e45fe07458bf98f9

SHA256
ac9465a417b137906fc6017179e00d460a3b9346bcd08a2db684ce3893fe2c66

SHA512
56b60b617198a04ae73e2935f365abf28705e355aa6c2b5b6ee0c755fb3f2c8fd0e957872aa4cd14f4771b9fd7d4dbfc5a05a4f6fe0c67c5acd4a276a6f27417

Download Submit
C:\Windows\SysWOW64\Kimlqfeq.exe

Filesize
233KB

MD5
c752950b6d1a961838064a5ffa7b3fff

SHA1
cb120bffb1fe3b2b9bf8c04b21bcd76489f748d3

SHA256
f36804992f1d39437f9b3666189112e9979848addf721b3ea615d6f08b5222a9

SHA512
6c1e058fe7b175b15fc47ee6b8d31c663afe39eddd9dfbccd5add5d3f18b75881610da40db5965de3fd98bab97e59a2e9a5abe68065a32f5c31b356d4c6b1e3f

Download Submit
C:\Windows\SysWOW64\Kjcedj32.exe

Filesize
233KB

MD5
2e26a4140e7f920cd03784604ceba8fe

SHA1
c743f3455994c7182e8768d75bd8d738c80e2454

SHA256
8590a36122322aa54b91529ed90bf62524f5fac431d1db341ab897c03400186f

SHA512
da72e5fb518e8835ae73c3ee07e68ada764917bf1746f054245f4ca15055bb0f6fbfe3915cc43e76325af602e0c156614616b83b2df4d45b557e133dc6e68cdc

Download Submit
C:\Windows\SysWOW64\Kjebjjck.exe

Filesize
233KB

MD5
0167abcacba61fbd786661b670592112

SHA1
dfd56c0a5b79763b9c4dea2f951c5e23c9ece85b

SHA256
acabfd7344cc38d6b2e319f570f0b141f67fae9ffaa398034b8b14819dd8266b

SHA512
b243e9c94f2c4f2914fa78127e5ca11942f957d5cc13c7e63a825d568338b5b5f47db282873a7f96426930c95327e49f8b3f3fa4d5b7a9da84d5b3d8249e3777

Download Submit
C:\Windows\SysWOW64\Kmfklepl.exe

Filesize
233KB

MD5
1eded694ca82fad184f8bdca259f00da

SHA1
4054897c1e501af8809db24480f3a3e59ed926ac

SHA256
82c5c7054b8bcc0a228fd2488b4b44b5359f23aef09fd5d76f03af6d6de5010d

SHA512
e0bb9a757154b25fccc30dcad1af6135592ef5751d65ef5e1868bb93febf6c7ef4d3afd456b6f1acb5981e783a1d81fff5ae7053ba29adb1776b19cd6bb2b9af

Download Submit
C:\Windows\SysWOW64\Kmoekf32.exe

Filesize
233KB

MD5
1515de82eacc90dde0a64df8bb154a61

SHA1
ecc67d5881bec0d4385b83ba1b2a6e0ae0eb15fa

SHA256
2ea4489f802d69bf38c85738a8c49bb1248284d7d551961af0a471f2b48adda8

SHA512
11062899e0e283871a7639b3b074b03aa4c81288a2e0ab593f4bf0a266fc66bbf7d95ae597d65da6b4628cea6d8d3e8490b249159a72aaed15456992d84f5bed

Download Submit
C:\Windows\SysWOW64\Kopnma32.exe

Filesize
233KB

MD5
9850fa71f782e24008d3410c64dd08fb

SHA1
6868fce1bd59c28ae5663ef7207d814ce3c26cc1

SHA256
8ec1854c35c34cf0e91db66de5fa967c2c09472d90502fe3b91af9172c02983b

SHA512
122fb56bb11d70edd1210769398945526ee2a13a5d6a91f164b26a2cda0e30864c3c77012808a8271aae2acd91b24d62cfbdbb132cd5430b5a692ca52c6b4b7e

Download Submit
C:\Windows\SysWOW64\Lbhmok32.exe

Filesize
233KB

MD5
9c9c6fedbbcd15beb35416a382174bf4

SHA1
d9947d6f636b2c061816de83a146a86e6e7f1f6b

SHA256
18409f0134765d0d4188aad3eb92cf2bf11ff8ac9f93533892bd15ed97aa3147

SHA512
22011b79dde99e0b8f9d07fd60b2e7916fad5aa7335c238882551fccb71b9d169d17e78b8f5033d99ffed5971f125c15a13a3968caddeb6c91be2e8679d3d445

Download Submit
C:\Windows\SysWOW64\Lflonn32.exe

Filesize
233KB

MD5
094d572f92834267dac160672b8412b8

SHA1
41be476be2c5e1fd13f5df00bcdf2d309261a2ce

SHA256
771d045b9c1c99722ac6cc82a35b3eea3cd2df0fdbd5211a4b550fac44c5b0de

SHA512
6baf9964daf7558bcfc2393959465e0e66ac8f14b94ea03e103b4a30634f6a119961d026265404badb447b6ab11cd3831ede91cc052e7d32731b9a975f8036ad

Download Submit
C:\Windows\SysWOW64\Lggbmbfc.exe

Filesize
233KB

MD5
833e46c723f5a697232d301d69cfa587

SHA1
9d31ceb7541705ed8cb37ea6c37711fb4d148cd8

SHA256
e8d030d1eb3c1c75d3842546539322c3d5a4c94326951092f9f064600811d1da

SHA512
624b53ae0161e143697700f2ab32920d222e367972e26e2578cee0bf4dd49461610f406713bf92beb58bdd8d9da9cfcf3c1b69572de776402ae9aebe58722d96

Download Submit
C:\Windows\SysWOW64\Llpaha32.exe

Filesize
233KB

MD5
464863131b01a53b86687a657799230a

SHA1
d3b6559bc9cdd05e63ed7602ba4296e27c4d849b

SHA256
060fbfbd2abaa97d9b5c80eb04977861fa51aaf9977ca69774b35509c7f595c9

SHA512
d41dc2e29792f4b6098611dda6a6791abb6e2dd43540d3428d1d818cb6a74c97f154e8330be46a0a63bb57ff5734605c7bec315e4fe8f96ed0f903d19e3bce76

Download Submit
C:\Windows\SysWOW64\Lpddgd32.exe

Filesize
233KB

MD5
76fa7ee248c38e3638bf07d0c0d30b27

SHA1
7bc7cdc4a2e631dc14ac7d40a9956a8f6278f538

SHA256
b7531060a59d5047a8c450ea8d418ba8768990c0889b4f99ac788aa9f14ea1a0

SHA512
053d1b84f62d593092acb43f40a709945b174da5f7021ac09488519d7e71bc92e6b604033dea8c8de3214a00052a5d7f37720464289441a40b6bddea306d30ee

Download Submit
C:\Windows\SysWOW64\Lpgqlc32.exe

Filesize
233KB

MD5
77929dc9193362d9d43024edb45e15a6

SHA1
2977b57b159bc22771722b8b0d03cfc793fe3e66

SHA256
ad45d595286297686727c18140bc4d3c9847d520025d301606351bd764fbf99a

SHA512
0ad21b0fd8b34f42ac6acbba31bd5fff521dc6b3437be3af91e19fbb9ed8bffdc3b24f7142faa74e438d35983a1a05ded574a58b3cc59ee31016d8003fac357c

Download Submit
C:\Windows\SysWOW64\Ncjbba32.exe

Filesize
233KB

MD5
61d04bec9c48690ee77dac93a65f90fa

SHA1
6c8472ebf68504e46867317b98fe2f5b505dd113

SHA256
13c344fabcb9032f1460ad77503d435ac88629dc523542564910656c147273f4

SHA512
669ba778a227372f887927d515e8148572fe5dcdb49f4b4446dccb73fe82915fef1efb87cd52544c2d4b73d31fa21836377d4e4c57c70c7bfe656f5d52a00822

Download Submit
C:\Windows\SysWOW64\Ncloha32.exe

Filesize
233KB

MD5
8f7a766e79905cae0172931dda6c4478

SHA1
b861e8ac95fc1e51231a833a84f3c265ec4d7ecb

SHA256
f6a85a9463c0cb3e588ec64826bd61d04c00c1d6ec5f71088f201a6fd3150f66

SHA512
0d5a1944e977b2c7394339cbadf104c502063f845b74ac915a2c3a015c14ff5aefec40d258d4a235580cdf17aa764674adaca4fda137ca5582b44bab802b98fa

Download Submit
C:\Windows\SysWOW64\Nhnemdbf.exe

Filesize
233KB

MD5
196a8834cbd7c4e22b3e865e7b926e3c

SHA1
1350271725c9842f6c3d8c006038526ca0cd961f

SHA256
501579500f55718ead6cc636ab091d3d7e7542930a378e6abc8b8683bd7ce16e

SHA512
40b43286b86f6df4860662156730a132bc51644b64b66aeeceed7bc6f83f588b50d19b6e2e4343d3d9174c9058d9cdb2b9bd4299a8a63fff3d01c1a8fd2e6234

Download Submit
C:\Windows\SysWOW64\Nianjl32.exe

Filesize
233KB

MD5
43f0bf16e5d04643aa233aa5d32953db

SHA1
0457eb435c36c0cd84d0f3f33360660ceff77bd0

SHA256
a84b5609dcad2a94e0238afee0b2ea2a17135e923d42c5bacf8c671fc39d9409

SHA512
1069cb195d44114a643e23e88675ed60d3d16e4ad5e773ab42b6fad5def9b9831657150a79cfd954f41ef3c09807259dd2b576d55778f811958d9c752b998c9a

Download Submit
C:\Windows\SysWOW64\Nifgekbm.exe

Filesize
233KB

MD5
8eb19044b08b4b376ff8439924b10654

SHA1
3ca64d3b29410c13b868435270f9daa8b42f6213

SHA256
703790c1cfa069c513729ac572acb1b535a51de4ca93441ba22ba1b215cda501

SHA512
e08e5a8416c941edae670b0bfda131c0f275af551c7b768915e315f374732a444b47361cabb71b607e363c33e8a638532004be998452f71486e97259ca23f54c

Download Submit
C:\Windows\SysWOW64\Nmjmekan.exe

Filesize
233KB

MD5
89b8a6b0c191eb4b7469f2973eff2943

SHA1
cffc5d0b951ceb810035cae12df0a5bfcf3a4750

SHA256
a5783cf17369a29f69970959e06c4cf521d76c083ad505982e04a1b3308ad834

SHA512
2a74b9bd7bb2dab982c5264902b5a5a239824b5e4033b6e507b03cbfec6621eed466edc319b066e99e545792a698ca5a8c098ea63413b02937e764be9d12d0f5

Download Submit
C:\Windows\SysWOW64\Nmogpj32.exe

Filesize
233KB

MD5
0a9c65647b7698fbc9c3f04fb5739acf

SHA1
5162184f338ea8c0f57de47fa44fb24a2e9398c9

SHA256
1cef919980a17660f13db561156e3eea8d4789d696207feb7c51ebdbfc8b12a8

SHA512
15285fc0c1e2f3d41f8bb4a43a599ad3ab369d2b169f4c56740f1698ffc57904aa8e42b1e576fa1b47f394fc2aaa67c49080089880858fd3810b1f82df62f4d9

Download Submit
C:\Windows\SysWOW64\Nobpmb32.exe

Filesize
233KB

MD5
21287fabd09f2345848ceecb79b18331

SHA1
fc5335dc0df99adf55d1de6651aabda50b42f637

SHA256
1772fe89516fdcc775a9aa444454fe7f6b5dc4699fa07aba5970ac7d4961a56f

SHA512
50cb09b666fe1e9a636f34d4d1eabd297f7425d824f51da926d1419eb3f148211bf9046c6ceb263cc6d37846f82b12df12452034f0d98151b2782c5528421a0a

Download Submit
C:\Windows\SysWOW64\Noepdo32.exe

Filesize
233KB

MD5
c5a722a61855e13c6b8f2e12cbddec30

SHA1
0d9e8af5602bb56db6b24c507be0c629daefd6fe

SHA256
485d35cbe3318206b232042c47fa7697ea984ac7b8c359ccd6fa6ebbe20cde1b

SHA512
ec7380ac1ab3cac5bdc3a18d56b8c3f09eb28c5d47ea11ae0fb4deb899b01a5117881e7839c25892a42e9e9f6fd8e39b68da4640a1a1a6ceec110244d7f1c517

Download Submit
C:\Windows\SysWOW64\Oemhjlha.exe

Filesize
233KB

MD5
3c2cfcd94b76fe235644a3a85837881e

SHA1
10e9faec471c8be1b76e077dcd49b6d97187e5b3

SHA256
61d2bc2bdb4a73a6c5f0185f032c044de27550a1425c32b34df89cde665d924b

SHA512
59032323fcec232a7491b4267ce26389d2a8919ca7a1bffe01748f1d9cd1c09033abe61b711ecf89f1a1a6d21d6afbc7fb7ef3b15d2a9ba3b35df914f0665f3d

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
233KB

MD5
75698c39cad016a28dbf942a3b6c84c9

SHA1
1e599239ebcacb1442e67ecb6794293d56e5d378

SHA256
62a1fa4527bdb5d8c593d01352c76fc219a7465b1b8967ef776e8f11f41c5268

SHA512
ca269e03e19a708d54d49aa505c8f8c66ba60c2e8dba05e9ff4d8e004dc5bdf8094baeea6db3a969e0bfe85025619d4b3c39d87950ca6c2d56ef72f57770610a

Download Submit
\Windows\SysWOW64\Fbpfeh32.exe

Filesize
233KB

MD5
34d51a19a734d6066b47610fa4b47613

SHA1
bad282189ce0b6a74276f889f7f9c6cd78dcb8de

SHA256
50f34fed0770c903418dec5abe28541806b66f673f6658b9d59f5a6b6174f12c

SHA512
e879d696c304e9675aa2585f95953522aac4bef4c18054882d9f67878ae0c4a72785b30425fe82e7c8bbdc12ec79a34e447316216d6396d89a900d0e9493ebba

Download Submit
\Windows\SysWOW64\Felekcop.exe

Filesize
233KB

MD5
54f0a982f08514d7201229ec8298b5b6

SHA1
95cd3393750e8ba916974c96d399683e8b5175a9

SHA256
f7e841d84813f1c4171dea337e0c1e8d49911af58294bb05ca8935d9272cd697

SHA512
31ab577a1dea83669e3495fb25a13c873ceab5ca8294014ed074bc347043cc3af9ddad3abdd1d785e78bfbe4b9e5eb5f9adf41183ca223fb35c0d5e571e27d51

Download Submit
\Windows\SysWOW64\Ffboohnm.exe

Filesize
233KB

MD5
8ae4bc3bab39ecac9b03e61b7c9da995

SHA1
4f7035d8f276b3d301afdfd7138a52810ae17ccd

SHA256
ff76d72ec5dd25a79ea27042ec468efcd14db5382e3b863d2a963a863eb1c52a

SHA512
6a1887c451fcb977eb7ec146c3a0927e4147255054e2445cf94c76bf76a8d4aeae7b1fcf11467b62326f0d20a74ec6ab76a1a082383b1bf5112a6f44062e87ff

Download Submit
\Windows\SysWOW64\Gamifcmi.exe

Filesize
233KB

MD5
848c8a9c624f5dfc21cb3c974517108e

SHA1
5288a411c783d38b10ec5aa10fb39b5f4be5e70b

SHA256
f7eacf5711848fe91677b9d54da97919723ecb5deef075f485c251a7a4eb1b3c

SHA512
5e40d710d16a03819332b1743dbff0ce53305c0f0d3761a8b392aab2e2fdea37e106fec7aab921feb49c71d85d15af60c89d0f2420230db7efe9d8330beccb32

Download Submit
\Windows\SysWOW64\Ghmnmo32.exe

Filesize
233KB

MD5
37e0a4703cc8b3dddffa5a6a2164a3c7

SHA1
4d3747a5bc3b2caa17880050d026ab14e73cda81

SHA256
991ed247d3a4fe01aa2db752a42bd24cbb5dc8cf619850f56bfa817adb85500c

SHA512
0eecaae7714a26753d2f01d0f9165cdb367c613c636b340069b0e50dfd2b5bf6c001fece4f8e1a7f0a3779020b14658d7cb0ace2331b930b7c4abf9325eb5148

Download Submit
\Windows\SysWOW64\Gmoppefc.exe

Filesize
233KB

MD5
9ebe8f41bdb97cfb0d1aea8a88500497

SHA1
51a3cd9974c4b6798f0b8c57c7b4d9531f3bdaa4

SHA256
85e74086cca8bc8fb077af68c5a5ea5f25eb6e04ddcb36bcbfcd0e236f2c4d72

SHA512
81a9bf6c6398db7872a2e8470a7b200f2342ba33dc57d8d914bc6290fd998029fcaa7ad644527200cbb3e819f95172bb9ac07fac6c5bc6d745d602cdc28be012

Download Submit
\Windows\SysWOW64\Gnicoh32.exe

Filesize
233KB

MD5
7ae9678bc4033f20f6478b4fa0336f31

SHA1
094453fd4cd1795610b85c4125d084c7eac3a3ca

SHA256
81c24803b155858dcb2b50d068b39b9009cf5c849ccd85409749bf4314ea78a4

SHA512
f3302056c359b071d50934dd8cd0c53c476873d4c3d0b2e9ecaedd003776ffb948eecfce596d18d229582044a5622fa420bb34e12acc4d8ba6659042e39e7a6f

Download Submit
\Windows\SysWOW64\Heonpf32.exe

Filesize
233KB

MD5
f4d4d2cd3d9a4f73bad091ee53b3217f

SHA1
c013882966d5f5e7d35470c993977a822680c097

SHA256
0ebcbfd989e43d25ebf6e68ec2a557ba56690bd39f5114bf6b53e909897438b1

SHA512
11d39169f99d661b7d2b2f5ea4239d2a83e4bcb0ae867daee7229a428c1187eb4fd11d2b4583598155e7d85798f24ae7e8d872b97b319d1eba919fd881c14cbe

Download Submit
\Windows\SysWOW64\Hkppcmjk.exe

Filesize
233KB

MD5
3df4b8500d638db58212555dc8baae4c

SHA1
d33a188efcdb8b863c5173f605e0b0274646f14c

SHA256
05380def2101f1acfc7302e6157b97ec33fee8c78d7d05a51850b95f5f543451

SHA512
916899bb79fe39a7cd51d43dc481cb7f75c8762d524ca85815dd955b14b094c4b1ae6b39edba1ead53f063ea84517bb8bc3bf932c9e1ee20c6e64b8c243ae9b3

Download Submit
memory/316-175-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/316-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/324-248-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/324-249-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/1052-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-400-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1052-401-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1068-323-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1068-325-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1068-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-441-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1496-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-446-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1512-239-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1512-238-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1512-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-358-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1688-270-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1688-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-266-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1736-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-259-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1764-228-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1764-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-224-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1784-92-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1784-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-378-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1796-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-389-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1816-391-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1816-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-102-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2060-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-288-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2108-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2144-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-185-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2160-203-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2268-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-12-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2268-357-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2268-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-11-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2276-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-116-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2276-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-216-0x0000000000350000-0x0000000000391000-memory.dmp

Filesize
260KB

Download
memory/2384-468-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2384-147-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/2384-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-298-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2408-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-302-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2448-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-453-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2472-161-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2472-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-346-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2720-345-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2748-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-335-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2760-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-334-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2860-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-277-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2860-281-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2864-129-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/2864-457-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-75-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/2908-413-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2908-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-45-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2916-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-61-0x00000000007C0000-0x0000000000801000-memory.dmp

Filesize
260KB

Download
memory/2960-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-402-0x00000000007C0000-0x0000000000801000-memory.dmp

Filesize
260KB

Download
memory/2960-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-313-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2992-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-309-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3020-479-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/3020-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-424-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads