d1940dc3f0683f4b8d263b3e522b78afeddebfd74a0bd7af8cee4f51d71aaae6

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad96c66b78ba504302fa793e832b2400N.exe
Size

144KB
MD5

ad96c66b78ba504302fa793e832b2400
SHA1

3a99c319cf2613783265c469a9a24de1e73a8faf
SHA256

d1940dc3f0683f4b8d263b3e522b78afeddebfd74a0bd7af8cee4f51d71aaae6
SHA512

d68cbbb348bd20e202875a65273ece13be0b03863c47625a8da53a2a714b5d65ae77dd2628e7fb9ebc40c87c5c71aab0f39e219d3d963dfdcf2bf0dbfba13beb
SSDEEP

3072:2EYDrLyoQ2w71yVeBnihLnLkWxczdH13+EE+RaZ6r+GDZnBcV8:2EYLmAVikLLDczd5IF6rfBBcV8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljolodf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kffpcilf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linoeccp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebpchmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekaeb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likbpceb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagkebpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kigidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Linoeccp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpdoffo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigmeagl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmigdend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjalch32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjfbikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kigidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllkaobc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqnpacp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnaihhgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kleeqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafgdfbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mebpchmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgnflmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohkhjcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkfbmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmgkoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagkebpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiikq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbonmjph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemjieol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldgpea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigmeagl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcafbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcngnob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbajci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkfbmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpcjfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jekaeb32.exe

Executes dropped EXE 57 IoCs

pid	Process
788	Jnaihhgf.exe
2408	Jekaeb32.exe
2740	Jigmeagl.exe
2088	Jiiikq32.exe
2800	Jjjfbikh.exe
2640	Jnfbcg32.exe
3064	Jepjpajn.exe
2096	Jgnflmia.exe
1028	Knhoig32.exe
1112	Kagkebpb.exe
2940	Kebgea32.exe
2920	Kgqcam32.exe
2100	Kmnljc32.exe
1136	Kplhfo32.exe
2976	Kffpcilf.exe
2164	Kjalch32.exe
2160	Kakdpb32.exe
2484	Kpndlobg.exe
2184	Kbmahjbk.exe
824	Kjdiigbm.exe
1896	Kigidd32.exe
2380	Kleeqp32.exe
916	Kpqaanqd.exe
2324	Kbonmjph.exe
1104	Kemjieol.exe
2732	Kmdbkbpn.exe
2816	Kpcngnob.exe
2960	Kbajci32.exe
2608	Likbpceb.exe
2052	Lljolodf.exe
2000	Lohkhjcj.exe
1316	Lafgdfbm.exe
776	Linoeccp.exe
1088	Lllkaobc.exe
3016	Lojhmjag.exe
1592	Laidie32.exe
2576	Ldgpea32.exe
2152	Llnhgn32.exe
2172	Lkahbkgk.exe
1440	Lmpdoffo.exe
2292	Lakqoe32.exe
2376	Lkcehkeh.exe
1732	Lpqnpacp.exe
1884	Lhgeao32.exe
376	Lkfbmj32.exe
2140	Liibigjq.exe
2188	Mpcjfa32.exe
264	Mcafbm32.exe
772	Mgmbbkij.exe
900	Mikooghn.exe
2592	Mmgkoe32.exe
2856	Mlikkbga.exe
2904	Mdqclpgd.exe
1588	Mgoohk32.exe
2720	Mebpchmb.exe
2628	Mmigdend.exe
2736	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	ad96c66b78ba504302fa793e832b2400N.exe
2532	ad96c66b78ba504302fa793e832b2400N.exe
788	Jnaihhgf.exe
788	Jnaihhgf.exe
2408	Jekaeb32.exe
2408	Jekaeb32.exe
2740	Jigmeagl.exe
2740	Jigmeagl.exe
2088	Jiiikq32.exe
2088	Jiiikq32.exe
2800	Jjjfbikh.exe
2800	Jjjfbikh.exe
2640	Jnfbcg32.exe
2640	Jnfbcg32.exe
3064	Jepjpajn.exe
3064	Jepjpajn.exe
2096	Jgnflmia.exe
2096	Jgnflmia.exe
1028	Knhoig32.exe
1028	Knhoig32.exe
1112	Kagkebpb.exe
1112	Kagkebpb.exe
2940	Kebgea32.exe
2940	Kebgea32.exe
2920	Kgqcam32.exe
2920	Kgqcam32.exe
2100	Kmnljc32.exe
2100	Kmnljc32.exe
1136	Kplhfo32.exe
1136	Kplhfo32.exe
2976	Kffpcilf.exe
2976	Kffpcilf.exe
2164	Kjalch32.exe
2164	Kjalch32.exe
2160	Kakdpb32.exe
2160	Kakdpb32.exe
2484	Kpndlobg.exe
2484	Kpndlobg.exe
2184	Kbmahjbk.exe
2184	Kbmahjbk.exe
824	Kjdiigbm.exe
824	Kjdiigbm.exe
1896	Kigidd32.exe
1896	Kigidd32.exe
2380	Kleeqp32.exe
2380	Kleeqp32.exe
916	Kpqaanqd.exe
916	Kpqaanqd.exe
2324	Kbonmjph.exe
2324	Kbonmjph.exe
1104	Kemjieol.exe
1104	Kemjieol.exe
2732	Kmdbkbpn.exe
2732	Kmdbkbpn.exe
2816	Kpcngnob.exe
2816	Kpcngnob.exe
2960	Kbajci32.exe
2960	Kbajci32.exe
2608	Likbpceb.exe
2608	Likbpceb.exe
2052	Lljolodf.exe
2052	Lljolodf.exe
2000	Lohkhjcj.exe
2000	Lohkhjcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jepjpajn.exe	Jnfbcg32.exe
File created	C:\Windows\SysWOW64\Goiihmom.dll	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Kakdpb32.exe	Kjalch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgoohk32.exe	Mdqclpgd.exe
File created	C:\Windows\SysWOW64\Lohkhjcj.exe	Lljolodf.exe
File created	C:\Windows\SysWOW64\Lijgiokj.dll	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mmigdend.exe
File created	C:\Windows\SysWOW64\Nhfpbaoe.dll	Kpndlobg.exe
File opened for modification	C:\Windows\SysWOW64\Llnhgn32.exe	Ldgpea32.exe
File created	C:\Windows\SysWOW64\Bafeoijd.dll	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Mccfioml.dll	Liibigjq.exe
File created	C:\Windows\SysWOW64\Lihkjgpf.dll	Jiiikq32.exe
File created	C:\Windows\SysWOW64\Kigidd32.exe	Kjdiigbm.exe
File created	C:\Windows\SysWOW64\Lmpdoffo.exe	Lkahbkgk.exe
File opened for modification	C:\Windows\SysWOW64\Lkfbmj32.exe	Lhgeao32.exe
File created	C:\Windows\SysWOW64\Mebpchmb.exe	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Kagkebpb.exe	Knhoig32.exe
File opened for modification	C:\Windows\SysWOW64\Kmdbkbpn.exe	Kemjieol.exe
File created	C:\Windows\SysWOW64\Ldgpea32.exe	Laidie32.exe
File created	C:\Windows\SysWOW64\Lkahbkgk.exe	Llnhgn32.exe
File created	C:\Windows\SysWOW64\Qogcek32.dll	Lakqoe32.exe
File created	C:\Windows\SysWOW64\Jnfbcg32.exe	Jjjfbikh.exe
File created	C:\Windows\SysWOW64\Bmigep32.dll	Kffpcilf.exe
File created	C:\Windows\SysWOW64\Ldfediek.dll	Kjdiigbm.exe
File opened for modification	C:\Windows\SysWOW64\Laidie32.exe	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Kbonmjph.exe	Kpqaanqd.exe
File opened for modification	C:\Windows\SysWOW64\Mcafbm32.exe	Mpcjfa32.exe
File opened for modification	C:\Windows\SysWOW64\Mikooghn.exe	Mgmbbkij.exe
File opened for modification	C:\Windows\SysWOW64\Mmigdend.exe	Mebpchmb.exe
File opened for modification	C:\Windows\SysWOW64\Jekaeb32.exe	Jnaihhgf.exe
File opened for modification	C:\Windows\SysWOW64\Jjjfbikh.exe	Jiiikq32.exe
File created	C:\Windows\SysWOW64\Ihmjnmbc.dll	Jnfbcg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpndlobg.exe	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Aceapdem.dll	Kmdbkbpn.exe
File created	C:\Windows\SysWOW64\Lafgdfbm.exe	Lohkhjcj.exe
File opened for modification	C:\Windows\SysWOW64\Linoeccp.exe	Lafgdfbm.exe
File created	C:\Windows\SysWOW64\Lkfbmj32.exe	Lhgeao32.exe
File created	C:\Windows\SysWOW64\Kpfenk32.dll	Jjjfbikh.exe
File created	C:\Windows\SysWOW64\Kebgea32.exe	Kagkebpb.exe
File created	C:\Windows\SysWOW64\Kffpcilf.exe	Kplhfo32.exe
File created	C:\Windows\SysWOW64\Kpqaanqd.exe	Kleeqp32.exe
File created	C:\Windows\SysWOW64\Lceodl32.dll	Kplhfo32.exe
File created	C:\Windows\SysWOW64\Kbmahjbk.exe	Kpndlobg.exe
File created	C:\Windows\SysWOW64\Fgeikbfd.dll	Lafgdfbm.exe
File created	C:\Windows\SysWOW64\Ijgkkd32.dll	Lkfbmj32.exe
File created	C:\Windows\SysWOW64\Jnaihhgf.exe	ad96c66b78ba504302fa793e832b2400N.exe
File opened for modification	C:\Windows\SysWOW64\Jnaihhgf.exe	ad96c66b78ba504302fa793e832b2400N.exe
File opened for modification	C:\Windows\SysWOW64\Kgqcam32.exe	Kebgea32.exe
File opened for modification	C:\Windows\SysWOW64\Kplhfo32.exe	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Mgmbbkij.exe	Mcafbm32.exe
File created	C:\Windows\SysWOW64\Komhoebi.dll	Mgmbbkij.exe
File created	C:\Windows\SysWOW64\Mgoohk32.exe	Mdqclpgd.exe
File opened for modification	C:\Windows\SysWOW64\Jnfbcg32.exe	Jjjfbikh.exe
File created	C:\Windows\SysWOW64\Ffccjk32.dll	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Cmgpnn32.dll	Likbpceb.exe
File created	C:\Windows\SysWOW64\Lojhmjag.exe	Lllkaobc.exe
File created	C:\Windows\SysWOW64\Kleeqp32.exe	Kigidd32.exe
File created	C:\Windows\SysWOW64\Mdqclpgd.exe	Mlikkbga.exe
File created	C:\Windows\SysWOW64\Nofcinac.dll	Laidie32.exe
File opened for modification	C:\Windows\SysWOW64\Kjalch32.exe	Kffpcilf.exe
File created	C:\Windows\SysWOW64\Mpfogm32.dll	Kemjieol.exe
File opened for modification	C:\Windows\SysWOW64\Kpcngnob.exe	Kmdbkbpn.exe
File opened for modification	C:\Windows\SysWOW64\Kbajci32.exe	Kpcngnob.exe
File opened for modification	C:\Windows\SysWOW64\Kemjieol.exe	Kbonmjph.exe

Program crash 1 IoCs

pid	pid_target	Process
2272	2736	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiiikq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdbkbpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekaeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmnljc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjalch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kleeqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcehkeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqaanqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcngnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnhgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgeao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmigdend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnfbcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linoeccp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laidie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkahbkgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdqclpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplhfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpndlobg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljolodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafgdfbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcafbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikooghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlikkbga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkfbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibigjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjfbikh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmahjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likbpceb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebpchmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdiigbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqnpacp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad96c66b78ba504302fa793e832b2400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgnflmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojhmjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpdoffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kagkebpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgqcam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffpcilf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemjieol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgpea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgmbbkij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jigmeagl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kigidd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakqoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmgkoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnaihhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjpajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbajci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllkaobc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcjfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbonmjph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohkhjcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facfgahm.dll"	Jekaeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnfbcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpbaoe.dll"	Kpndlobg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbajci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijgiokj.dll"	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmigdend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfogm32.dll"	Kemjieol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkckdi32.dll"	Linoeccp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkahbkgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfljg32.dll"	Mdqclpgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mmigdend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmigdend.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagkebpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mikooghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jekaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbii32.dll"	Kbmahjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfediek.dll"	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kigidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ad96c66b78ba504302fa793e832b2400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkegf32.dll"	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaengmn.dll"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkqopoi.dll"	Lkcehkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnmploa.dll"	ad96c66b78ba504302fa793e832b2400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kplhfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjalch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmahjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qogcek32.dll"	Lakqoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihkjgpf.dll"	Jiiikq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kplhfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffccjk32.dll"	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpcngnob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebgea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kigidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcafbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hialpf32.dll"	Mcafbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmjnmbc.dll"	Jnfbcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdcc32.dll"	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll"	Lljolodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpcjfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgmbbkij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmgkoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafeoijd.dll"	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjalch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjdiigbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemjieol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofcinac.dll"	Laidie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lakqoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mikooghn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmifml32.dll"	Jepjpajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbachjd.dll"	Kigidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cicbml32.dll"	Lohkhjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liibigjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgqcam32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 788	2532	ad96c66b78ba504302fa793e832b2400N.exe	29
PID 2532 wrote to memory of 788	2532	ad96c66b78ba504302fa793e832b2400N.exe	29
PID 2532 wrote to memory of 788	2532	ad96c66b78ba504302fa793e832b2400N.exe	29
PID 2532 wrote to memory of 788	2532	ad96c66b78ba504302fa793e832b2400N.exe	29
PID 788 wrote to memory of 2408	788	Jnaihhgf.exe	30
PID 788 wrote to memory of 2408	788	Jnaihhgf.exe	30
PID 788 wrote to memory of 2408	788	Jnaihhgf.exe	30
PID 788 wrote to memory of 2408	788	Jnaihhgf.exe	30
PID 2408 wrote to memory of 2740	2408	Jekaeb32.exe	31
PID 2408 wrote to memory of 2740	2408	Jekaeb32.exe	31
PID 2408 wrote to memory of 2740	2408	Jekaeb32.exe	31
PID 2408 wrote to memory of 2740	2408	Jekaeb32.exe	31
PID 2740 wrote to memory of 2088	2740	Jigmeagl.exe	32
PID 2740 wrote to memory of 2088	2740	Jigmeagl.exe	32
PID 2740 wrote to memory of 2088	2740	Jigmeagl.exe	32
PID 2740 wrote to memory of 2088	2740	Jigmeagl.exe	32
PID 2088 wrote to memory of 2800	2088	Jiiikq32.exe	33
PID 2088 wrote to memory of 2800	2088	Jiiikq32.exe	33
PID 2088 wrote to memory of 2800	2088	Jiiikq32.exe	33
PID 2088 wrote to memory of 2800	2088	Jiiikq32.exe	33
PID 2800 wrote to memory of 2640	2800	Jjjfbikh.exe	34
PID 2800 wrote to memory of 2640	2800	Jjjfbikh.exe	34
PID 2800 wrote to memory of 2640	2800	Jjjfbikh.exe	34
PID 2800 wrote to memory of 2640	2800	Jjjfbikh.exe	34
PID 2640 wrote to memory of 3064	2640	Jnfbcg32.exe	35
PID 2640 wrote to memory of 3064	2640	Jnfbcg32.exe	35
PID 2640 wrote to memory of 3064	2640	Jnfbcg32.exe	35
PID 2640 wrote to memory of 3064	2640	Jnfbcg32.exe	35
PID 3064 wrote to memory of 2096	3064	Jepjpajn.exe	36
PID 3064 wrote to memory of 2096	3064	Jepjpajn.exe	36
PID 3064 wrote to memory of 2096	3064	Jepjpajn.exe	36
PID 3064 wrote to memory of 2096	3064	Jepjpajn.exe	36
PID 2096 wrote to memory of 1028	2096	Jgnflmia.exe	37
PID 2096 wrote to memory of 1028	2096	Jgnflmia.exe	37
PID 2096 wrote to memory of 1028	2096	Jgnflmia.exe	37
PID 2096 wrote to memory of 1028	2096	Jgnflmia.exe	37
PID 1028 wrote to memory of 1112	1028	Knhoig32.exe	38
PID 1028 wrote to memory of 1112	1028	Knhoig32.exe	38
PID 1028 wrote to memory of 1112	1028	Knhoig32.exe	38
PID 1028 wrote to memory of 1112	1028	Knhoig32.exe	38
PID 1112 wrote to memory of 2940	1112	Kagkebpb.exe	39
PID 1112 wrote to memory of 2940	1112	Kagkebpb.exe	39
PID 1112 wrote to memory of 2940	1112	Kagkebpb.exe	39
PID 1112 wrote to memory of 2940	1112	Kagkebpb.exe	39
PID 2940 wrote to memory of 2920	2940	Kebgea32.exe	40
PID 2940 wrote to memory of 2920	2940	Kebgea32.exe	40
PID 2940 wrote to memory of 2920	2940	Kebgea32.exe	40
PID 2940 wrote to memory of 2920	2940	Kebgea32.exe	40
PID 2920 wrote to memory of 2100	2920	Kgqcam32.exe	41
PID 2920 wrote to memory of 2100	2920	Kgqcam32.exe	41
PID 2920 wrote to memory of 2100	2920	Kgqcam32.exe	41
PID 2920 wrote to memory of 2100	2920	Kgqcam32.exe	41
PID 2100 wrote to memory of 1136	2100	Kmnljc32.exe	42
PID 2100 wrote to memory of 1136	2100	Kmnljc32.exe	42
PID 2100 wrote to memory of 1136	2100	Kmnljc32.exe	42
PID 2100 wrote to memory of 1136	2100	Kmnljc32.exe	42
PID 1136 wrote to memory of 2976	1136	Kplhfo32.exe	43
PID 1136 wrote to memory of 2976	1136	Kplhfo32.exe	43
PID 1136 wrote to memory of 2976	1136	Kplhfo32.exe	43
PID 1136 wrote to memory of 2976	1136	Kplhfo32.exe	43
PID 2976 wrote to memory of 2164	2976	Kffpcilf.exe	44
PID 2976 wrote to memory of 2164	2976	Kffpcilf.exe	44
PID 2976 wrote to memory of 2164	2976	Kffpcilf.exe	44
PID 2976 wrote to memory of 2164	2976	Kffpcilf.exe	44

C:\Users\Admin\AppData\Local\Temp\ad96c66b78ba504302fa793e832b2400N.exe
"C:\Users\Admin\AppData\Local\Temp\ad96c66b78ba504302fa793e832b2400N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Jnaihhgf.exe
  C:\Windows\system32\Jnaihhgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\Jekaeb32.exe
    C:\Windows\system32\Jekaeb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Jigmeagl.exe
      C:\Windows\system32\Jigmeagl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Jiiikq32.exe
        
        C:\Windows\system32\Jiiikq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\Jjjfbikh.exe
        
        C:\Windows\system32\Jjjfbikh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Jnfbcg32.exe
        
        C:\Windows\system32\Jnfbcg32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Jepjpajn.exe
        
        C:\Windows\system32\Jepjpajn.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Jgnflmia.exe
        
        C:\Windows\system32\Jgnflmia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Knhoig32.exe
        
        C:\Windows\system32\Knhoig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Kagkebpb.exe
        
        C:\Windows\system32\Kagkebpb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Kebgea32.exe
        
        C:\Windows\system32\Kebgea32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kgqcam32.exe
        
        C:\Windows\system32\Kgqcam32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Kmnljc32.exe
        
        C:\Windows\system32\Kmnljc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Kplhfo32.exe
        
        C:\Windows\system32\Kplhfo32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Kffpcilf.exe
        
        C:\Windows\system32\Kffpcilf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Kjalch32.exe
        
        C:\Windows\system32\Kjalch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Kpndlobg.exe
        
        C:\Windows\system32\Kpndlobg.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kbmahjbk.exe
        
        C:\Windows\system32\Kbmahjbk.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Kjdiigbm.exe
        
        C:\Windows\system32\Kjdiigbm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Kigidd32.exe
        
        C:\Windows\system32\Kigidd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Kleeqp32.exe
        
        C:\Windows\system32\Kleeqp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Kpqaanqd.exe
        
        C:\Windows\system32\Kpqaanqd.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Kbonmjph.exe
        
        C:\Windows\system32\Kbonmjph.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Kemjieol.exe
        
        C:\Windows\system32\Kemjieol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Kmdbkbpn.exe
        
        C:\Windows\system32\Kmdbkbpn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Kpcngnob.exe
        
        C:\Windows\system32\Kpcngnob.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Kbajci32.exe
        
        C:\Windows\system32\Kbajci32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Likbpceb.exe
        
        C:\Windows\system32\Likbpceb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Lljolodf.exe
        
        C:\Windows\system32\Lljolodf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Lohkhjcj.exe
        
        C:\Windows\system32\Lohkhjcj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Lafgdfbm.exe
        
        C:\Windows\system32\Lafgdfbm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Linoeccp.exe
        
        C:\Windows\system32\Linoeccp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lllkaobc.exe
        
        C:\Windows\system32\Lllkaobc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Lojhmjag.exe
        
        C:\Windows\system32\Lojhmjag.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Laidie32.exe
        
        C:\Windows\system32\Laidie32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ldgpea32.exe
        
        C:\Windows\system32\Ldgpea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Llnhgn32.exe
        
        C:\Windows\system32\Llnhgn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Lkahbkgk.exe
        
        C:\Windows\system32\Lkahbkgk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Lmpdoffo.exe
        
        C:\Windows\system32\Lmpdoffo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Lakqoe32.exe
        
        C:\Windows\system32\Lakqoe32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Lkcehkeh.exe
        
        C:\Windows\system32\Lkcehkeh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Lpqnpacp.exe
        
        C:\Windows\system32\Lpqnpacp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Lhgeao32.exe
        
        C:\Windows\system32\Lhgeao32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Lkfbmj32.exe
        
        C:\Windows\system32\Lkfbmj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Liibigjq.exe
        
        C:\Windows\system32\Liibigjq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mpcjfa32.exe
        
        C:\Windows\system32\Mpcjfa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Mcafbm32.exe
        
        C:\Windows\system32\Mcafbm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Mgmbbkij.exe
        
        C:\Windows\system32\Mgmbbkij.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Mikooghn.exe
        
        C:\Windows\system32\Mikooghn.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Mmgkoe32.exe
        
        C:\Windows\system32\Mmgkoe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Mlikkbga.exe
        
        C:\Windows\system32\Mlikkbga.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mdqclpgd.exe
        
        C:\Windows\system32\Mdqclpgd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Mgoohk32.exe
        
        C:\Windows\system32\Mgoohk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Mebpchmb.exe
        
        C:\Windows\system32\Mebpchmb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Mmigdend.exe
        
        C:\Windows\system32\Mmigdend.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 140
        59⤵
        Program crash
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jepjpajn.exe

Filesize
144KB

MD5
4e96e63e756fc4d87b7e3745b9701350

SHA1
021ae630d834e3930f59b333ec2687a07bc23981

SHA256
470cedad02e7d2551b3ac93fe584e8661ce4f64d1d3a36a0fb1e4c14ed8d621b

SHA512
97ecec9fa659101742ed0a37a76d093be291e55a1899f91e4796638ae86c65f1d8437add29c47dc654a5ca6cf662acdf2532bad422b559acc214835e8482b216

Download Submit
C:\Windows\SysWOW64\Jgnflmia.exe

Filesize
144KB

MD5
6a9eaaec00fc2655981034bb83ff0515

SHA1
f8e7a21fa29fdfef30d8de1f6915990aa54b2ff4

SHA256
2298db829de10dd2dfcd6f0ab9da2f902a61876bc7fd52574c8af1d7f968140c

SHA512
3ffff20f78d448ae54b61a31039b730214fe049a235c151f030a827f13593fad927516d609df13ba258c683655f19a7e5241e6e2e363b2241aff0d3aa0a5bc2b

Download Submit
C:\Windows\SysWOW64\Jiiikq32.exe

Filesize
144KB

MD5
4079013b862e67bc7f7967eaf00d4fee

SHA1
b52e04bbd0a97bff2f813dd9f9501ea7b20413ae

SHA256
44c31c578af0767e779da65a7a9c6e520a09d92ff7e3c089924374b2e41e8c7d

SHA512
f9829ca1c8f72792e8f85182419e5d2037cb9c833116c574b17ce9b78278ce713d16c1c40b98a5aa789fb92acba454721584cc4c6f45c4132db105e6370edc6c

Download Submit
C:\Windows\SysWOW64\Jjjfbikh.exe

Filesize
144KB

MD5
ff369f6c8c2895e294e581ff0b51e0f5

SHA1
536a5507ba33f5bfae260ee92dbefa5d6b21df24

SHA256
2fa835171196eda1f66375bf6dac948836eb6b473b212654a480a2a5965f0f92

SHA512
1c436ed4052f08740d4158670f22c30181823c9f2358b6ff66445d3e505285e92006c9a6c99802d0f9b185892a4edf1e4907b8d892ae6ed28d591d489fb1ebba

Download Submit
C:\Windows\SysWOW64\Jnaihhgf.exe

Filesize
144KB

MD5
f8781a01eb1f1239d631a5bed20e43a7

SHA1
1045d25081e731cc36d1ba1bdf8dcdb7861e6787

SHA256
8ddb8cdee02b9d22b59f698b144e4731f03a29a836d13357f22be9a5757953e8

SHA512
2bbb82a97915a189e7b0e7d655fa076d75bbafff3989c078e7507602922836e5e1a38eece86c1ad85ea9811a37b06bef361ab620aa9bb31046fcb74097242957

Download Submit
C:\Windows\SysWOW64\Jnfbcg32.exe

Filesize
144KB

MD5
ffc7eb664745ae011881fe4b226956b0

SHA1
93623e7e5ad6ffa424d5d394e4a9b0cf015cbf48

SHA256
80c4200eea62996a3e4fa0025599eaad4d34d8cbe027e9846e8e585ed3f61ffa

SHA512
2c66b70767c92eb5be0efa180dd2dd900ca4c144fc5756c5bb47966193dee02f71715fe0e1cdcbc6692ad21d513bb28e0ea783448eae70c3c2920d2ce6b6f4e2

Download Submit
C:\Windows\SysWOW64\Kagkebpb.exe

Filesize
144KB

MD5
a795b2a0da686d60fc6954158afa4242

SHA1
ee8ae850a66413838fce45a6fbbc13d7ddc5c08b

SHA256
60c79422c157278a500076120a7ef284d35732a794ed2b1fab52233767cd673e

SHA512
02cd92448ad9e7aeba1d07faf527a6423c3aba52a9c0fa71e4d31745175af40fabc0cbb59a2fea8c510ae1e54a8d97217d6be89ad9373dade734f86adbca7359

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
144KB

MD5
a765deafe3fdec40bfd7496fce81798b

SHA1
5fde68581838b6f4b9a3e284f0e19a8315c510fb

SHA256
d07ddb0272cd48fa47cad1429e15fcdb8ad8d6ac7d014880e3df600e5e944f5b

SHA512
52104d8cc7606535615f2f738cc011d982571027d697de5f1343bf3e705aa6ec43b3289d0497611b0adfbd3d1d2e191eaad90a83449f60e6d1d9d2a905eee4a6

Download Submit
C:\Windows\SysWOW64\Kbajci32.exe

Filesize
144KB

MD5
4c458a367e49ea3e8e5301eea77a3acf

SHA1
d4deb9b2b85eb9bc776af50bc7809cce778adb11

SHA256
16c17395d72167f47ac8614d82b4de8cec2d420296742e080078fe9e7e7eaec9

SHA512
9ab35ab9f0a9ed5c7124d9cba75d8372828d5593774ce2778d1284423daabe4bdc0d96313c70eff02372b7dc0a7ec786537857819016d7e96a2839db6fabde4d

Download Submit
C:\Windows\SysWOW64\Kbmahjbk.exe

Filesize
144KB

MD5
3f2723f870351d91795fa4098a0d0724

SHA1
a57b6f82867afcdc71e31754a4c1fc4d082a784c

SHA256
a2492bc626cdec3ddda0f0d7da7f7bf6f74c85d3d7f633c1808eb4f692edd415

SHA512
31339dab7db15e5a6c0fd71d2d29d568652b088f08ea47df353487092c8b5222ba73b5f81d0869e0f7be592e7ebe14c3d76027160585e5ef08a4e599b91f78f8

Download Submit
C:\Windows\SysWOW64\Kbonmjph.exe

Filesize
144KB

MD5
36e0fcc98b59f78b04d24524e7512c5a

SHA1
4312597277655155f0f85b4cb2f0f1c4a2c6439e

SHA256
1d25c02eedcc56a68200562b13ab6397f1bdee76c4fe661756fadd6f8eb96f8b

SHA512
0bc193515886698496cff2793ff1e37c4a13a8ccb34f5dad49827494f9896e06f864934172056cd7c7945f63eefedc394333ccb4bd855f9cc1f43910e56aad34

Download Submit
C:\Windows\SysWOW64\Kebgea32.exe

Filesize
144KB

MD5
69da05646ca9045c29ccbba99a2aa0df

SHA1
4ea307976e01c86740e988088facc6a65e79bcd8

SHA256
8f8c82d266116f48cc76775c42c244ef2af1aca919d53ab44297f7bdd8067fe2

SHA512
73477e55ecc372f9f80b81d5a3bb4a8e5b15a44a8f5047046ee127b279c7a90c76cdf3d33056aaf6624a5b6b977b11d760b717cba3da2f7b177769fe18733829

Download Submit
C:\Windows\SysWOW64\Kemjieol.exe

Filesize
144KB

MD5
bf47619760af434dc1f88dae49fd5f11

SHA1
b2cd8f7d8709832f86918becd434a9e314640d3d

SHA256
e954100af78e0a8a42eaba473c19e7263069bef6e08d8b18a145bf27ca34a70d

SHA512
99bcb6c349e64b0f7170309ac450fef1d61aa1713a8220f1c3890d9d55f3926ea00be817202eb3111ab06d522cef8adbc2b7c1913fe048c300c14a94b861c670

Download Submit
C:\Windows\SysWOW64\Kffpcilf.exe

Filesize
144KB

MD5
528b346cff777a039af605f47999aa6a

SHA1
eb6f29af5428bc2119daea0868234b8f659e6b61

SHA256
b80a77d82dd540a325a162af706b1a5bb9445c1729a003d059422d3a967ca9e9

SHA512
66a7495d62f9e4c9b30e041354fd6c45ebde6c5d6098b5ee255605705e4353716c6aa1c58f314f537d4794b1e2e38b9a5ca9ad0dbb0d834eac2a3206a5e7cb2f

Download Submit
C:\Windows\SysWOW64\Kigidd32.exe

Filesize
144KB

MD5
c1878f1f0a70a5f1bbaca6a2544a0fde

SHA1
399620e3f78716af358f2a876d46334842e9118f

SHA256
03cc6518438c2b55f08e6fb9b1d1082b68e2fc9abb2e768ff80da95f15c2c85b

SHA512
51db398ac3bf7230f10d300541724b708b142ae0b636954fc47bb55b9a1f5e664d1d39f4344f063638fec93703e28166009bb383ca490bd4359cf6c12b0aee38

Download Submit
C:\Windows\SysWOW64\Kjalch32.exe

Filesize
144KB

MD5
f147b3ad5aae746acd7bf7a79308ca9d

SHA1
e64ebe45129d3f5365581386c07892023a36aca0

SHA256
96b28b4543e7d569114ab8cbb6e80c1fe48fe3a532d8713124695102214d1649

SHA512
12b7e6046955a3214f846f6391061d23020e96d17390be4136ba1fe66630bd5b64f888244ff59c3d9fe3d9f7604d552d5046ae8653b8917d6c3122f0185223af

Download Submit
C:\Windows\SysWOW64\Kjdiigbm.exe

Filesize
144KB

MD5
8b09f56cfaafec5a00d3b9220aa3fee3

SHA1
aa2f159616b1536650f85541e617b95cd8a45e85

SHA256
9383772ee23301fbe2f745cb81be39db68bbeb53c2367c1cda0dc13b1bef9114

SHA512
3e96c22b8515ad77b9d90a5899e0857ec00a7e7cfd9dfb39940b0520c03553862498ab8dd668a644903a61c3422af16419e15b729775d4b9bbc14e3f12c8f5b6

Download Submit
C:\Windows\SysWOW64\Kleeqp32.exe

Filesize
144KB

MD5
b57e248be50e72c66a42081beac45228

SHA1
7e668cd2d5dea6b3fe59cfcdc62267ef2b086a6f

SHA256
f3643878188dd6d465a8d678ee85c635a881eb8dda59f195e09289087577bca5

SHA512
a9353a2d54d0001dc150ab3c35955b2033033e046987e693967dfbf2a500c1a86313f2c92f8d2eeef23b9f12671e29d17aba10c02bf0182b23975bafc339e0b2

Download Submit
C:\Windows\SysWOW64\Kmdbkbpn.exe

Filesize
144KB

MD5
ba295c9f6687125e74b524d41c8d232f

SHA1
1fe3e8a53312d51fbcbbb25811b2de676f2dfb33

SHA256
b576e52f8d16d2463905bebf84be5dcb84f0c61762f351b6d38abf87d5b66da4

SHA512
f0515a63021ec62047ff13bcfbc3a5e7d5ca23bc24f7035188a0a92dde5f37f59b792ffba49d4f8d6256fd3acc6285372daa1d1f1dcd7de1271a79d641769adc

Download Submit
C:\Windows\SysWOW64\Kmnljc32.exe

Filesize
144KB

MD5
1382064a68eeba528a96207789a42667

SHA1
a7e813a5c9230e5e96c43757a5a9bd624af84041

SHA256
86be1ab9c7974b72cb7ffbea6f1ba0b75a11b982853df052e1d02e4b26ab8fec

SHA512
9a216549e61bf1d298ddb013f26762562a9164096885a5d301e1996ceb92591a7c3c22c96b911c5a866c0085caa27be590541d0afc7ad8846aee077177562d85

Download Submit
C:\Windows\SysWOW64\Knhoig32.exe

Filesize
144KB

MD5
b82652eb039812a661eaaad20c0e209f

SHA1
361f7065f8012c5d8636f632bab3254945ea0977

SHA256
abbb1f31927b018987ad9564bdc9b45809cd550035c5c4ba58c5d0ace949ad5a

SHA512
eb30314a5e8b7365703e45088ef1d61b5c1c4c59373ccd2699efad4f1142da4193c95ba1aae97a8479054784cac238249394fe782f131e1cba8c36897cbde2f0

Download Submit
C:\Windows\SysWOW64\Kpcngnob.exe

Filesize
144KB

MD5
e251010ecf2f2510ae97897639db189a

SHA1
cdc8217796ae66a0c3455b2efe0e58376d3b22ff

SHA256
f9d53c5a842d4c03cb61197ed046457412d7ce6299fd49239c2f12a153c02052

SHA512
a9e5fa002639c152653eaa1e57c3d3c486f2bf8ce4196b2414eb0277fa62438492be6a026eb79434157c0cecb39a7058a502df15ad60aca2b00a50d80cf96d24

Download Submit
C:\Windows\SysWOW64\Kplhfo32.exe

Filesize
144KB

MD5
3691360e8fb81cec5c9996c59caabd07

SHA1
2e4d4d5f3d0116aa9089fd2e288160b7cc039186

SHA256
4faef2d6e86d236bfd27c10d3c735b59316af63239c85c33356c533c0197e212

SHA512
5a4974bd35bfcec2bfccd77ce919e91709bccb6f04017c97dd917676c05afff16fdf288f7ed0431d1d3b4a380e068569b93b30241978047f9bfb5f29605ae270

Download Submit
C:\Windows\SysWOW64\Kpndlobg.exe

Filesize
144KB

MD5
4231ab31521d2e9ef6f321cc7c476a8a

SHA1
70bb01230368a7dc8ba8402e3db29825914d027f

SHA256
af9e1c58149781a669d0c224b1638153fdaddab95c53d7b20c2f12068a570acf

SHA512
04d16120c5cc8c52464181840fc3f71447a998cb157e1e7c327ffa2f890642a52737374dab6a02a571e202961dd483bd311207582aedc221c13584128e71f6d4

Download Submit
C:\Windows\SysWOW64\Kpqaanqd.exe

Filesize
144KB

MD5
c46bb36f2cc66c30bbba0c5410f5f895

SHA1
27e475b0693fd1fa025a7f2e075c3976ebc4f5ba

SHA256
db36c00fcb1ce68fca835bb397a8b5cf384aafe9a3d910a5880fe6d2b5ff89e0

SHA512
462e2384a7863eb7e71ea2092eea9d00247749c3b7bfd07a6f0b49274b215bfc4e87e3f22976168d61ef1036ac04d81f8b5ea4660b88f2f6577e51a70821dcdf

Download Submit
C:\Windows\SysWOW64\Lafgdfbm.exe

Filesize
144KB

MD5
30b292a5db98d4e678f7f1fa25eb5b4c

SHA1
a6353469049c5b97c78b54dd58b94265aeb56e30

SHA256
70a415dd7272bae75fd00019976b356466946de52801cd74f7d5f23d8fb63389

SHA512
4a8cccc5d236ad1827b8f5034abe455d6789ee948a8c019ad4a0df7346c8d6545d8d71dc12379b2d4203f7d970f446926daeb097a09e375bf706671706aa2add

Download Submit
C:\Windows\SysWOW64\Laidie32.exe

Filesize
144KB

MD5
2e734ec7cf64ba1761e5f169f88e1482

SHA1
b145ac0669f829d4491ec37cb9913bacdf029287

SHA256
bbc6d2e65c6e0b0e5b690dbb71964424f2d27ad3e4f2d81b61c9bc94fcff7609

SHA512
42d7c2322565769172fe8b428ea6793f5a2b89e3c1af79feafe15d375dbd04c3f7bd63325a8ba77cd145a69e87e116c114f8e47d52621a7f3ed973eedab405c2

Download Submit
C:\Windows\SysWOW64\Lakqoe32.exe

Filesize
144KB

MD5
45cb6fcdba415d3245b3244d9818365b

SHA1
276f7f22053b1e7518d9c429bd5576e3f1cc4fcf

SHA256
ed50fbf27d023962e98c22b094707e4071b6e3d6fc52c6cdfc355fdd96a85f2f

SHA512
6f8eaea024fffb4d3c4a37c5761b4e228142ea12095ceb67e8682e1ee171df5247ba841a4e452a949a14ae046f83df2e821880ef641c9b39dc5dafbab50d8658

Download Submit
C:\Windows\SysWOW64\Ldgpea32.exe

Filesize
144KB

MD5
216493445dc4e88cdff9f77d8376fa56

SHA1
08187d98e758a489774f3ab55056c96146f5b751

SHA256
3ff779072afc34be4ee7c26f3854e2d995252a12577366cda59795671981fba3

SHA512
2189a22bd4628ef1a96a6621b7076e60172fcd5ac0f195ac8824681ae4a915f899aa4a3361f77ea75b9ee2b0ab897b8e7442f99c9e57f0d6bc88f5a2c33ee2dc

Download Submit
C:\Windows\SysWOW64\Lhgeao32.exe

Filesize
144KB

MD5
a67813bef59ddc0939d51d074be0cb5a

SHA1
2e86c5302c36afbdeb08f1401262a1080ff4a442

SHA256
c4e8eb31c64e40e17654c9ccb8119e82b24f994a71bc2378a18afa8fac4f190c

SHA512
fab25c0fc2c41829d5ea0583671a302f526f5558f66fd36f4b34c8c8c2e93c1f0c72e677a3052c215db5a2b42a836178a81b5573a11596ba74f98c107928191b

Download Submit
C:\Windows\SysWOW64\Lihkjgpf.dll

Filesize
7KB

MD5
d52cd5c0cb5ee084004d47221fb20bed

SHA1
3f7b737ba22b07b2a1b0cc459eeb014c977e499e

SHA256
6b168e11b7973cf9c8fa44aa0daf68e3ae4a7f2b273453672d2d8fe7096061c7

SHA512
e41ce1986bd75387abda5edc7b38adc0717c2c505e08ed94905000b34690e136b0e79af575019a95b4273fc8d952b3c5c795c4d5ea84a70824fee7dad6ab145c

Download Submit
C:\Windows\SysWOW64\Liibigjq.exe

Filesize
144KB

MD5
55ec0e32c45fcabed0f6ff285634b21f

SHA1
fccd6ae44f8c0fbeec61d84b4eb1cdafca4663e5

SHA256
d810b3d1ec6606d081d36d04d8464daa2ac2fff17e3a12085bb133d5a9eec698

SHA512
359a9e2ab1798f18bd0cf428934da7c1fb00f6316c8f24d4bfd76f377e93d3e6d662b5a3ac7a083da6cd5042b463c249517330dc4400d6071841e7de0532a949

Download Submit
C:\Windows\SysWOW64\Likbpceb.exe

Filesize
144KB

MD5
07981398951a81e41f711608eb46e659

SHA1
67ba7de567c8d662937a320e085cb180a2965d2a

SHA256
c9c5362978470e4be135c60e246ffbe99d8a67f09aab6da38e40c4c51aafe23a

SHA512
c15d4570860de2013d6f1e779723a78f1355a1d5456fe12df879c31205d4c4b101217189d14cf1ae66c71be954df567b4d1a0a900b64bdb1ce1ec938e3f691cb

Download Submit
C:\Windows\SysWOW64\Linoeccp.exe

Filesize
144KB

MD5
3f0d1c25ff5965bea412bf71e1dc0b8a

SHA1
e9176f231f72cf89facaeeced6c850a1b046f7cf

SHA256
395ffa38d99b1c9f9ce6c26ff54f3914651207c240992519a1ff48511005c15b

SHA512
4bd9bc33de70eb1f68bead61f3db147c7ae39f080088873e4eb51ab67f6bc6bd03e57fa3beb6115b51e33621bb39bd6d2fff800599adb940212732ba2d7beeb4

Download Submit
C:\Windows\SysWOW64\Lkahbkgk.exe

Filesize
144KB

MD5
6ce75b3a814aa2edf0ab15958c57158c

SHA1
355adf51df52011abdb63aa5fa7e3890ddc45809

SHA256
ea35c0113017d6c2436ac1ea31d9584d190af99595ad94705e9e6628860ca82d

SHA512
40bb0de326915e711852661f9668f151d3d5e3a721cddb258c8049843cf5195f1b7e70816fa2a5c08c0f70e7bfccd6da634caefe42a7a648355d1db6b1aeece3

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
144KB

MD5
69f4e965c069d71ece03371fe652c4bf

SHA1
06164f0398e33db5ede3b559ed53655b8306f365

SHA256
b4b781450705390bae6d188766976053be94251eb25faec40ad57ca3eaf57c02

SHA512
a340e7521219f5557a23f1d9207a96b6c51574c2f479442e9bf0d4f6b2d6269e128a0c5e89f0b49e9ac711ede71055416f153b90139ae0caad64fd8ccaaa19da

Download Submit
C:\Windows\SysWOW64\Lkfbmj32.exe

Filesize
144KB

MD5
4a9bad60499844cd13fe1be7d9eb5378

SHA1
f221af7a68beab6bc1f82a14684a97a208cacd0e

SHA256
7910419517ac184c1ce089d6ce9f29ddd45acfff5670bddd241a90f76a6a4d01

SHA512
e3a8199919e767e5dce2e5214a5aaa98069cc1eb3210df36293a36c654767d7f5aab42fac10277c81ea578907438a5397dc94e5e6f115733cd7bc86f765d85fb

Download Submit
C:\Windows\SysWOW64\Lljolodf.exe

Filesize
144KB

MD5
c4ca7af2603e95d0480c3ace59f48bd0

SHA1
751286ffba2ac03a0ea28c4a793c6c38ac95ce0c

SHA256
d2f52492f7f745a7deaeeddb8e359e56c90b69a90be75d485e7e8f032e745be9

SHA512
36ef64be18c8d4d0e63fbb549ea10b79990728c76a2a226357b5fe049581b45d5bc687abfdffc66e767bc8b5f65f43d0f762635bd9e0e7275272b4a14444790d

Download Submit
C:\Windows\SysWOW64\Lllkaobc.exe

Filesize
144KB

MD5
0a913aab79ab5fd7f6311448e79c618d

SHA1
83d21cfe1565d9e44b93e1fba8c467834d227f7f

SHA256
26e0bc5796c6992b2fb4bece5d2084cf1bad4c8df469b814b9a79ea004e84742

SHA512
42fd80af3dad6ddf96e5ceee7093e08f8941c8d321beb7a29ab277e8879c44c2762a013588febf4eb342e23f84900170bfbf1cbf9798867c2e92554dddd99538

Download Submit
C:\Windows\SysWOW64\Llnhgn32.exe

Filesize
144KB

MD5
5e32dce3a85081c0ddcf759756686b07

SHA1
237ca975b409eff20140d96a52900dee5d6bd829

SHA256
c569e6af54afc79ebc191db8b9e6503a7f32910e5d163afe814502f830b975c4

SHA512
4929793e9479c9f3cb4b0c393cd32914605e9ac729caf3602b2b5420cf73c173e567f5251ff1597b237404ed567e7586345dd3a05e74b5e6a6f886b851a4b11c

Download Submit
C:\Windows\SysWOW64\Lmpdoffo.exe

Filesize
144KB

MD5
0f2a14e36e88852d0fb85d4b212b1878

SHA1
0f1f4579a0189ab63ce21e3fe95070a982dfe172

SHA256
d895c365bb96dd495e0406bf623379e3cfc7930c7fc1fdc3affb4e03a591b419

SHA512
1fb6a2440c9bc9b59d7c3e1f444e1e9994dc8413d91e0b2e2891672398b2f3dc0c3b48e4cb16cc6587787d83f26d0f6a99d343b156af403cc331370fb29c351c

Download Submit
C:\Windows\SysWOW64\Lohkhjcj.exe

Filesize
144KB

MD5
2850a530d37c41a4e8173f9c5169f602

SHA1
077c2f79f07d7c75b492ab235089894341aebd4d

SHA256
fd32d4049894e1e24abbdd773e8b83aaf53600745d73fdb5e03833d19e50d1e5

SHA512
40cf64b28a12dfe97aa8d6b8a9b8c557ce456a1df153575a4ed08e0e788fb790b8067ba931b0449fb700d614d1b77490718b00275b33c4c5620fc8680ae8e51b

Download Submit
C:\Windows\SysWOW64\Lojhmjag.exe

Filesize
144KB

MD5
4233bc20cb7422220d2112650c5e2b0c

SHA1
e235b374032eb2498e891c8ef96c5cb180040736

SHA256
83b36e14c13bc593c25f2caa2562819bbd82e001a307fe70019d49babbe0225e

SHA512
be301de73227f9a1c312af0054ba78e212c4ce3ca8215ee30ecdfdff1cf2f2d09b25e727f3c17530031a8bf250b046e68608bc549aec97eb1e7861d2fbc9fa88

Download Submit
C:\Windows\SysWOW64\Lpqnpacp.exe

Filesize
144KB

MD5
907cc818ff1122ade215e10e9a9a7479

SHA1
c0c5f360fbac32b223dcd53704f335c295c4c50f

SHA256
621b5a6a428c246ea1396301f9bff9ad0b8a4db834dced46a6b6888fa3657885

SHA512
750ba08299797a29798559dfb96027310227b57dd834dbe1b94dd6cdf9a11b23ed2da70a862e372fcfec1760f66b3e5f1ac5559a492c97f14da71d2b79c6bca7

Download Submit
C:\Windows\SysWOW64\Mcafbm32.exe

Filesize
144KB

MD5
8c06303d3389ad7c1dd63a77f960b5f7

SHA1
ee3c109ba744c944b81144421d6a083d1dd7f89b

SHA256
49bf7c0254b01274b2a6c9bfc71376e5f678604468bd6f331dc6825a0d56be72

SHA512
79f77249370e61e167f2ef38fe2cc647c8e8c0b9df2dcc874d3de2f09123d792901b3be155d63aa2d06cf57ad4a7c96f16be5acbb7f2f9b8fc34a07b84c87852

Download Submit
C:\Windows\SysWOW64\Mdqclpgd.exe

Filesize
144KB

MD5
3e18d08fa2c6c1384ec46e3ff577557c

SHA1
9462371f45ae5922a929d88da79e2cacdefe84bf

SHA256
7a5f9d850524dfb12f2a40126e4ede0b3b8696c676bd82fb726a5a49cc455ba0

SHA512
439745982522c221621337384d15d23a34ce56ba7e7d580ca9c8471e7ab93b6414fca2f261f3d58dc66396a895d3b910c697ece4ef8658b297d8ef3c38e33bb8

Download Submit
C:\Windows\SysWOW64\Mebpchmb.exe

Filesize
144KB

MD5
27c1831121b0d9ad442a68ea738ff8bd

SHA1
91668fdf6b7a01b27a24ab7ad0eb1081ea0cc636

SHA256
c8e29a37e120e18c906fb62700ef11d437ded4bdf0c633f4582b2d51f0aabfe1

SHA512
ade96cbe976b733bcf53d0b2d1c143c9dbfdbc89457c1228f67a44896e4a859591eab6424d7958625b343b7882e68f8732986bc4f17e438e231c55bda623874c

Download Submit
C:\Windows\SysWOW64\Mgmbbkij.exe

Filesize
144KB

MD5
001f26dbe83eea1c956a07a143aadf10

SHA1
bf0e05a413ddc99d6ed0bed551c48d824ef41fb0

SHA256
58d915d10a8e0ba90b4001de0fccdd7e9135f31276ccc76646a553a72a14d154

SHA512
9827ce62a75df2895133f2948c10c33e3d8c09536ef8d710464f17731fdeaa249d912328c620ae969ad33a210d20bdcc88804178c39e03d6a55be74d6872b229

Download Submit
C:\Windows\SysWOW64\Mgoohk32.exe

Filesize
144KB

MD5
15f40758462cd7658beecf8eaeb9185b

SHA1
573e7c2fe6f59c7ecedb352d1d07316de11b2184

SHA256
83c6490e7deda3e9d629d725e4d4e02762c5365a6ed7384031bc4baa2aeb1bbb

SHA512
46080ade7975658b0df3fe1e546fed9b6b7e03214a450ef9400bebd2728db883ba0e0353005c290eaa674bd9c875256faafc807bcb63ff7042ffa472ac073c74

Download Submit
C:\Windows\SysWOW64\Mikooghn.exe

Filesize
144KB

MD5
41ece5a9d91e14752ba0318a41248080

SHA1
58a0d8b494f6447248d9e3ff8c90a1282ef1f7c2

SHA256
957c9ac51135aa87cd13fcf9b8902b80071c1cb621e6da79dbb0023296203fd6

SHA512
d6049b422129fb18c57fc36c25339c1a4e905c135476eb76bb6a8cf20990416994e6237fdb728df4725815a4b99ba0a927ba9bf92b6754585387ec7a92befccf

Download Submit
C:\Windows\SysWOW64\Mlikkbga.exe

Filesize
144KB

MD5
152b5e75933b88ff00d76f7bd3058135

SHA1
fc0ea6e1e0bc9be2dd3e20afcb235f99f987c4ed

SHA256
099b76358153bdc78d5f4e7fff70ee21eb7cb059fb7c19bbf1617be7551c8e70

SHA512
33dcf77aa6ae8218f99a8b2979ba93a902b91f8ff402635ebb22e1216f28e578340eddbc1f1f75f7293833975382208940b8e5bc7a7a1df81839a868b97231f5

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
144KB

MD5
19ca17762853e35050e4bba9bd02b5f2

SHA1
4fc1b8c1c56f3bdf2e53fcd5df8dcdf62ffd96f8

SHA256
7d4c4b4bba9e0b187e2beede43b19456aabf0d2a0b78f2d585412c397a13317c

SHA512
6bbb863a76d95aa8dc4e3da7cd7ca41609f78b13e4da7e440dbe74800e410abd0ba02f74d1759f1f3f00fcb791daf165f0ed160154fba655a54c32ce31749081

Download Submit
C:\Windows\SysWOW64\Mmgkoe32.exe

Filesize
144KB

MD5
d0f7f1d3116ae02f555d07d018a599b9

SHA1
3559b32f12eb3ba94436c38cb4442105dca9fb7d

SHA256
41f416750135b4b715b647646cd8140cc33417fd30717306b6362b00738d9c20

SHA512
9b44e2bca02c1690827bd4d27ae6e8e13816e0a0620d401bb8a39b4ca12c77904867ba167c61b112f1cac298ce6d93b9e10261c1f3a676187072dbb1f4202cf6

Download Submit
C:\Windows\SysWOW64\Mmigdend.exe

Filesize
144KB

MD5
ad7468c459ee3196d7e2d9a0090bc660

SHA1
658b769064f289feb060498e280cf07984849881

SHA256
403b4a11919c8f28218b5aa49b5e62908c3d51f718ab4b6b0e214276ad47b6d5

SHA512
144ee2f61d31b03302c2d6abccb8bee0f5211b8a53ce472baa9bf143e19ede4fbe26ae73d4b62ecd09dc9684a41b132f5a21691858b9d9299495e266693a72ef

Download Submit
C:\Windows\SysWOW64\Mpcjfa32.exe

Filesize
144KB

MD5
ee1157e59563311a0764ae1249de5629

SHA1
e1124cc38223987cc48e0c5abd4fa3acc115305f

SHA256
0e73f9c4c77e8c2a682272d06df8dfca15f906f87edff79209df085c917a47f8

SHA512
538ababfc11d0d01bd86228edc8af66067a0f7198bfbb307648b10445138631f947a0e20ea8a4c72e2e30c92c971bb8f47a3869333af289f625b1b3133e020ad

Download Submit
\Windows\SysWOW64\Jekaeb32.exe

Filesize
144KB

MD5
e9065a818b82706f31159917b3b4229e

SHA1
282e311fcd69830182ae77f9a82bfc20d4e8130c

SHA256
910b282e1388b2a79e4491acae72c515828fffb92439e841bbe19e044f2f7c27

SHA512
6d2714982010fbc4dd5b71a8d7d676c876e12bcedde720819c4df7ccd4e368cb0c43539ffd2308406082cde404027a38f9d6b370eb3cba34c8bd9b2e082cf466

Download Submit
\Windows\SysWOW64\Jigmeagl.exe

Filesize
144KB

MD5
596ca84e2fa984caba573199268c970b

SHA1
1210e7bcc2753741034d3320c29e7f63e9f0e3e4

SHA256
d5ad6192dd2b8cb800ac7e7219097f1f9dcc1d11ca8518499eb4529f93c5116a

SHA512
408d50ecf20b14a3117034e6decbedc2b8fdd6695c15d08cd22b5d94a069d4da25630a3083556993d1e4bc476389f761ec1a0f95e4f4dafff38dfb54e949f1f7

Download Submit
\Windows\SysWOW64\Kgqcam32.exe

Filesize
144KB

MD5
4d8c221531727311c18bbed42e3391f6

SHA1
333386c72e92eac8ae157b5ef364fa5fc7b046ca

SHA256
41351944008add7af97263bf622b3705279358f479bba521c1bec750ab801b43

SHA512
8395a3b8a272141b576bac9e3a01f1790adc8afef668af798e86414ce3034ab36f28219b57cc1779d4cdb94f2d2da8f955a460848a2794a145e4b25addc20eb9

Download Submit
memory/776-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-399-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/788-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-265-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-261-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/916-295-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/916-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-296-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1028-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-414-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1088-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-316-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1104-317-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1112-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-144-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1136-197-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1136-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-475-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1440-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-275-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1896-274-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2000-382-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2000-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-63-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2096-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-117-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2096-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-456-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2152-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-223-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2164-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-467-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2184-255-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2184-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-489-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2292-490-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2324-306-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2324-302-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2376-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-503-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2380-281-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2380-285-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2408-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-34-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2408-40-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2408-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-240-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2484-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-24-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2532-23-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2576-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-450-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2608-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-361-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2608-360-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2640-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-90-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2732-328-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2732-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-327-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2740-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-50-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2800-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-339-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2816-338-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2816-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-170-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2920-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-491-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2940-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-350-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2960-346-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2976-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-424-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/3064-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads