8cdc9a151be20b8131ca3c3e97a4c062107001a89d5d8778b688e2fea1e59c34

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0c82a6813cb875e3441d8c1d183b680N.exe
Size

64KB
MD5

f0c82a6813cb875e3441d8c1d183b680
SHA1

ef239bde47565c39eff7e3759312883cd4180ea6
SHA256

8cdc9a151be20b8131ca3c3e97a4c062107001a89d5d8778b688e2fea1e59c34
SHA512

d387661a8e9e476401ad8fe13219322d51cc476aa8344d2982671b269374a036ab132806aa41917ee728755052b6f2fae16c98959e2bafba2a1cefcc3e40a97c
SSDEEP

1536:rNklVhvfPfjMxw0lCLAXGD5KZgVDBFaS2ppoOCLwvanMON1chNV+VzDfWqc:rNkpvfjMeric5KCBMS2pp/CLwynMON01

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f0c82a6813cb875e3441d8c1d183b680N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f0c82a6813cb875e3441d8c1d183b680N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljmlbfhi.exe

Executes dropped EXE 30 IoCs

pid	Process
2684	Linphc32.exe
2564	Laegiq32.exe
1680	Lccdel32.exe
3068	Ljmlbfhi.exe
580	Lcfqkl32.exe
328	Libicbma.exe
2076	Mlaeonld.exe
2088	Meijhc32.exe
1248	Mhhfdo32.exe
1508	Mapjmehi.exe
2924	Migbnb32.exe
2436	Modkfi32.exe
1704	Mencccop.exe
2264	Mlhkpm32.exe
1864	Mmihhelk.exe
840	Mholen32.exe
1972	Mkmhaj32.exe
1216	Mmldme32.exe
2044	Ndemjoae.exe
2416	Ndemjoae.exe
688	Nkpegi32.exe
276	Naimccpo.exe
1652	Ndhipoob.exe
1712	Ngfflj32.exe
2452	Nmpnhdfc.exe
2656	Npojdpef.exe
2536	Nmbknddp.exe
1528	Ncpcfkbg.exe
2652	Nenobfak.exe
2596	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2736	f0c82a6813cb875e3441d8c1d183b680N.exe
2736	f0c82a6813cb875e3441d8c1d183b680N.exe
2684	Linphc32.exe
2684	Linphc32.exe
2564	Laegiq32.exe
2564	Laegiq32.exe
1680	Lccdel32.exe
1680	Lccdel32.exe
3068	Ljmlbfhi.exe
3068	Ljmlbfhi.exe
580	Lcfqkl32.exe
580	Lcfqkl32.exe
328	Libicbma.exe
328	Libicbma.exe
2076	Mlaeonld.exe
2076	Mlaeonld.exe
2088	Meijhc32.exe
2088	Meijhc32.exe
1248	Mhhfdo32.exe
1248	Mhhfdo32.exe
1508	Mapjmehi.exe
1508	Mapjmehi.exe
2924	Migbnb32.exe
2924	Migbnb32.exe
2436	Modkfi32.exe
2436	Modkfi32.exe
1704	Mencccop.exe
1704	Mencccop.exe
2264	Mlhkpm32.exe
2264	Mlhkpm32.exe
1864	Mmihhelk.exe
1864	Mmihhelk.exe
840	Mholen32.exe
840	Mholen32.exe
1972	Mkmhaj32.exe
1972	Mkmhaj32.exe
1216	Mmldme32.exe
1216	Mmldme32.exe
2044	Ndemjoae.exe
2044	Ndemjoae.exe
2416	Ndemjoae.exe
2416	Ndemjoae.exe
688	Nkpegi32.exe
688	Nkpegi32.exe
276	Naimccpo.exe
276	Naimccpo.exe
1652	Ndhipoob.exe
1652	Ndhipoob.exe
1712	Ngfflj32.exe
1712	Ngfflj32.exe
2452	Nmpnhdfc.exe
2452	Nmpnhdfc.exe
2656	Npojdpef.exe
2656	Npojdpef.exe
2536	Nmbknddp.exe
2536	Nmbknddp.exe
1528	Ncpcfkbg.exe
1528	Ncpcfkbg.exe
2652	Nenobfak.exe
2652	Nenobfak.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fjngcolf.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Linphc32.exe	f0c82a6813cb875e3441d8c1d183b680N.exe
File created	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Meijhc32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	Ljmlbfhi.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Naimccpo.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	f0c82a6813cb875e3441d8c1d183b680N.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Noomnjpj.dll	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Aaebnq32.dll	f0c82a6813cb875e3441d8c1d183b680N.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Linphc32.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Ndemjoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	2596	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmlbfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0c82a6813cb875e3441d8c1d183b680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll"	f0c82a6813cb875e3441d8c1d183b680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f0c82a6813cb875e3441d8c1d183b680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f0c82a6813cb875e3441d8c1d183b680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f0c82a6813cb875e3441d8c1d183b680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f0c82a6813cb875e3441d8c1d183b680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ngfflj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2684	2736	f0c82a6813cb875e3441d8c1d183b680N.exe	30
PID 2736 wrote to memory of 2684	2736	f0c82a6813cb875e3441d8c1d183b680N.exe	30
PID 2736 wrote to memory of 2684	2736	f0c82a6813cb875e3441d8c1d183b680N.exe	30
PID 2736 wrote to memory of 2684	2736	f0c82a6813cb875e3441d8c1d183b680N.exe	30
PID 2684 wrote to memory of 2564	2684	Linphc32.exe	31
PID 2684 wrote to memory of 2564	2684	Linphc32.exe	31
PID 2684 wrote to memory of 2564	2684	Linphc32.exe	31
PID 2684 wrote to memory of 2564	2684	Linphc32.exe	31
PID 2564 wrote to memory of 1680	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 1680	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 1680	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 1680	2564	Laegiq32.exe	32
PID 1680 wrote to memory of 3068	1680	Lccdel32.exe	33
PID 1680 wrote to memory of 3068	1680	Lccdel32.exe	33
PID 1680 wrote to memory of 3068	1680	Lccdel32.exe	33
PID 1680 wrote to memory of 3068	1680	Lccdel32.exe	33
PID 3068 wrote to memory of 580	3068	Ljmlbfhi.exe	34
PID 3068 wrote to memory of 580	3068	Ljmlbfhi.exe	34
PID 3068 wrote to memory of 580	3068	Ljmlbfhi.exe	34
PID 3068 wrote to memory of 580	3068	Ljmlbfhi.exe	34
PID 580 wrote to memory of 328	580	Lcfqkl32.exe	35
PID 580 wrote to memory of 328	580	Lcfqkl32.exe	35
PID 580 wrote to memory of 328	580	Lcfqkl32.exe	35
PID 580 wrote to memory of 328	580	Lcfqkl32.exe	35
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 2076 wrote to memory of 2088	2076	Mlaeonld.exe	37
PID 2076 wrote to memory of 2088	2076	Mlaeonld.exe	37
PID 2076 wrote to memory of 2088	2076	Mlaeonld.exe	37
PID 2076 wrote to memory of 2088	2076	Mlaeonld.exe	37
PID 2088 wrote to memory of 1248	2088	Meijhc32.exe	38
PID 2088 wrote to memory of 1248	2088	Meijhc32.exe	38
PID 2088 wrote to memory of 1248	2088	Meijhc32.exe	38
PID 2088 wrote to memory of 1248	2088	Meijhc32.exe	38
PID 1248 wrote to memory of 1508	1248	Mhhfdo32.exe	39
PID 1248 wrote to memory of 1508	1248	Mhhfdo32.exe	39
PID 1248 wrote to memory of 1508	1248	Mhhfdo32.exe	39
PID 1248 wrote to memory of 1508	1248	Mhhfdo32.exe	39
PID 1508 wrote to memory of 2924	1508	Mapjmehi.exe	40
PID 1508 wrote to memory of 2924	1508	Mapjmehi.exe	40
PID 1508 wrote to memory of 2924	1508	Mapjmehi.exe	40
PID 1508 wrote to memory of 2924	1508	Mapjmehi.exe	40
PID 2924 wrote to memory of 2436	2924	Migbnb32.exe	41
PID 2924 wrote to memory of 2436	2924	Migbnb32.exe	41
PID 2924 wrote to memory of 2436	2924	Migbnb32.exe	41
PID 2924 wrote to memory of 2436	2924	Migbnb32.exe	41
PID 2436 wrote to memory of 1704	2436	Modkfi32.exe	42
PID 2436 wrote to memory of 1704	2436	Modkfi32.exe	42
PID 2436 wrote to memory of 1704	2436	Modkfi32.exe	42
PID 2436 wrote to memory of 1704	2436	Modkfi32.exe	42
PID 1704 wrote to memory of 2264	1704	Mencccop.exe	43
PID 1704 wrote to memory of 2264	1704	Mencccop.exe	43
PID 1704 wrote to memory of 2264	1704	Mencccop.exe	43
PID 1704 wrote to memory of 2264	1704	Mencccop.exe	43
PID 2264 wrote to memory of 1864	2264	Mlhkpm32.exe	44
PID 2264 wrote to memory of 1864	2264	Mlhkpm32.exe	44
PID 2264 wrote to memory of 1864	2264	Mlhkpm32.exe	44
PID 2264 wrote to memory of 1864	2264	Mlhkpm32.exe	44
PID 1864 wrote to memory of 840	1864	Mmihhelk.exe	45
PID 1864 wrote to memory of 840	1864	Mmihhelk.exe	45
PID 1864 wrote to memory of 840	1864	Mmihhelk.exe	45
PID 1864 wrote to memory of 840	1864	Mmihhelk.exe	45

C:\Users\Admin\AppData\Local\Temp\f0c82a6813cb875e3441d8c1d183b680N.exe
"C:\Users\Admin\AppData\Local\Temp\f0c82a6813cb875e3441d8c1d183b680N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Linphc32.exe
  C:\Windows\system32\Linphc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Laegiq32.exe
    C:\Windows\system32\Laegiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Lccdel32.exe
      C:\Windows\system32\Lccdel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Ljmlbfhi.exe
        
        C:\Windows\system32\Ljmlbfhi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laegiq32.exe

Filesize
64KB

MD5
d93a9b04f185901b932ab86e82f01e21

SHA1
9b85f9bfc16ffb7ae84fe3e179b0e62fa42b918e

SHA256
24efb27e5cb1f2131404ae8872f12046657150a790fb34b9e5c1df44c4827f1f

SHA512
d6f0197a8c4643462773e727029c4136d830446f30b226e24cbf14861a6175a4cd5c6ae754f1cdfeab0e91865ca60256211adece5820d6a789e2acbbd5de66a1

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
64KB

MD5
7c0c484aa94551e525517fc0755b972e

SHA1
839775f8ebdc73fbcc0cf7414b40bd69493674c6

SHA256
af12ad8d7dba55e9aacd764c4da21eb4ebff8b7b4711c37ef28ad873c04d4c44

SHA512
b9b2079e97b357316b72c2870704dd06decfbbc48951caf91eaae2554a93b7315caca42b65bb1fcdd9a424351522b4e8c4a26badb1239a84d5a619bb6bb6efda

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
64KB

MD5
3a9a3c36a2e9c4eaaef9471c6542347d

SHA1
c583019c9a3a429221480417dd0f7225ea004519

SHA256
2fcab6ae42f156478b71972277f02d8e34636f88082a42d2cd551e5c06043f45

SHA512
1577407cbae9b6ae1ad8cefa7b22ad018a278c5e5da76900dae8c84cd950ee930cc5156edcf5c6d17285f8ce1974aac14c79b9fa5b63aa641d3835926b4cd122

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
64KB

MD5
e8d6a8258eb3a8c644fc686532cc0cf6

SHA1
57fa805cb51694b1bee8945b0fde4eacae65f469

SHA256
4dcb5e7d9cbe4c5bfe088e9cad18e61d74589c4436b264b415a33378fa3bf062

SHA512
ada14cba2daaad48151852252369a1567e9a733e21eada281f611606b04bb4442637916fa663e89151188d7fc1014214ad9543f6af41a06ca9ba14eef197b331

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
64KB

MD5
b427f38efcbd6f2ceb4629a07b9e4934

SHA1
922427b7fceeaa91433ed94acad6e60a79ba309f

SHA256
b964716afd8ed3ac0997d3c3de4d9a0aa7d2c53d764b2c16ff41f84b3f354bc6

SHA512
4020a81c40699e128a39fa62d2b196ed96f9433b3ff9da57cddcd2cd3fcf04553e3cfbe1ddb51100ee546794247dc25eaede31b4b09fd96f206297af0192ed61

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
64KB

MD5
57d50cc7b0372d170675e6f7f9301048

SHA1
1e7312bc8427724d76d7ee25b8560ee1a3d567c1

SHA256
d64c3708223ad9cc434fdf906da50986d18da852a2d0a902ba717f77a092fb8e

SHA512
45029234e66228276af76212d00397c384744c90ceb82d5c68654ad7c6f712c0382bff744d91acd1044c09079f4bad7d6a5225bbfe32f7f8f810243a11562838

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
64KB

MD5
7d822e3943b38b58e93df01d05912756

SHA1
65ccef461971ae684e05a03e3d635134b7df197b

SHA256
dc2e762b2436576f2e5891b76357c2970de16084d64759d0b1674b2235640ba7

SHA512
fd0d6c6dd7aa23e6b2a41d6ab22f1fddacb9f65a1c619236022dfa9ce009606c3706e544a9a1b47a48198d24da9655a29f7218fdb277d4dbe1ed01f4b13c286a

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
64KB

MD5
16bc50f6eba09933c1cccfd04705491a

SHA1
956cae527b4917fecdf8ce83733543bd7c7744bd

SHA256
8d0b53d232c5ab0b27c59cb992ab5a635b26449723cf041b0d3732760e536fc8

SHA512
b3073489cb95d2aebbfd75ae257b1e992028a421bebf39549b4feefef42c4360b1f1b09cde9e9383200bf301a6c3367a42e1d40f24a07d34bf5aac0390595214

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
64KB

MD5
b519d63cd1269a0cea18f87d100fcda8

SHA1
418dfe1885ac244ee421788ef62a08296987a8f0

SHA256
ae9539db19e874f6442e49234ba606206c1020a79c2ddb267ebe46a69792d6eb

SHA512
77b1ef24e723c5a64691d92a87d9a3f2bb30bc15c7bfb8eaeb1758c5f0f016c9c42c71f0adf7aa61f20d4185b3d6a887a0af573db55bff46d8ea3786084c3e77

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
64KB

MD5
589b3368696cc045d151582c9d2fccb9

SHA1
a5751319943d06ec2fbcacd80d04f766f5666c54

SHA256
efa879655c9a3124abb54d58d5c8ceed724c19b315957cb3fad2ecd830a4e643

SHA512
647e0218f19841a3c69b1f8a9906a5b18f20ee8785e46746b32d4abee3460ef34ac2e3a2b7a696ae418f913e6ff6976cbe087a95ddb10cd3e7304edba59a9952

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
64KB

MD5
e77c9747a03360b5aab74782642445eb

SHA1
4c169e9d3078d374bcb09f637bcf17c1b9239a89

SHA256
6c80b43950caa6c8f15396e51203ec131f01310d87675a9bb73481d8e0ee7788

SHA512
9fb26de36e860817a8e51818cda721b5e6ed67646d3770bb35196c73c8fb1d71690ef72b32756c280ea5de6b52afae5d56efbc1c980e9cd75799936559da1a1a

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
64KB

MD5
b608b9a78f4de9969e1b942214fd61ab

SHA1
87e4f446a9f63e83583cded55f8f01b24226b360

SHA256
a5db2ebfecfc8cfc1555af7abe4fdc284ad006f1c72c8fb62fdc975a040cf023

SHA512
938a5563a7ade418c4e392b79615409a61defe36aeab6087a1dd99b89971f59555e6ed82471f80ac9fb0e214f4ed95bc4e6b36347ad387e807aa6f1193ffd049

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
64KB

MD5
84512d740b855e740060587d1815ea99

SHA1
6be91d5becd68597cf4ab5a5dbc0c1cabb9aaa03

SHA256
fe91e3efe55c83476df5a64793e2187074b90886931e0596e13f5d4847ea49ce

SHA512
3345e10ef270b5782cdd8770797e76d199b08521514e2b2ec44da73c063bd10b3d6c6b5823a6f9e3aa79d99ba068c3a1bc82580427180a715d52e1524df69101

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
64KB

MD5
cc5ae7790bc91e3ccd558852dbf18fc8

SHA1
5064f8322c0e4f4fe30cdbaafdb83100ddda6e32

SHA256
f8ab76e731a8e65c8a85eb7b024cad32c7c0c70b621c21897f4fba6d7f1a89e9

SHA512
ea644d3072b008b4e2e387370c6cf3cbc602edeb202b0ed6153eab49e46d4dd3b7c220c2f746fc78b4b040a0153ae96a3e5f9bd8df030677e119f5dbeba97957

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
64KB

MD5
1edba57f4c14ed6feb17e72145781c8e

SHA1
84f8565a3a7b7cc20bf482b1a034a2c8f52cb056

SHA256
8624ee7a3a27d2df82a3595c272540bccbc0f15dba05dd084529f3cedcce06a8

SHA512
c9333e9986027388b7d5288b04911fa0a411c70e96189c9fae79de933d5625e0014885cbc95c8e4c926a40a8a94a2ae9923823906b8ff27eabb1e1d7c40cffeb

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
64KB

MD5
f88c5fcd74365474a1548dc410b27414

SHA1
ed2d2ffb007b6de604c9598ae4bc55e7b132e0ca

SHA256
ad1c35508bc7681477d95f4d5f83e3159a10262df912110301b7dc50b9780170

SHA512
cb4237ad4a04f2342e2832c7b7cc09bc75e13e17e4d657678f9ad95a1c706ef52e98085fb03359cf5581bd5ecad90d64e1a2bc51edc4d0b7139a01ee7084c42a

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
64KB

MD5
f4aeadcb22fb2b9a5c2840847e47b803

SHA1
014b4ececd02165a895be74a94903c548bc704c4

SHA256
880c8a70c689427550180578bda98c1f634e2056dfa8739e91e69c876c1cb21b

SHA512
c2590d7b10f05e7298c10bf09691183c757b694581e6659662c387393c1231344eb190038320373757274c88fd98bca2cf1e388b260b5f87c24f6a897842b249

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
64KB

MD5
17a10e5d8429867b9e97bc3ceaddfde3

SHA1
38e87a1172ced812239534bef7c44d481379026d

SHA256
5486092c76b557e4571dd0ab5810d3ae4f5181052e03300bef9fbd029da5f1c7

SHA512
cbb047e847cc01bd2ce0d34237ac621419fb275dd715b627a600d7e1ffaa71697aa07111fc5c0f0c39ec40151993c73eee88f79ae53d9a221dd98c91591b0eac

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
64KB

MD5
97d18477a7a2ecefb8cc29850162d0ef

SHA1
bdae5199de6b3376ce5404e29f5eb68fd7d01448

SHA256
3b35514783da741c1b39e2f7b465a54e0b357680d1975f4d06d0c92ce64069e2

SHA512
feeaaa7b7ecf39bef28208ab2b9856907d2a4f534e22af69bdb12766f464c2b7a5f2029aa3ce87c7af21a968a6d3a6cade736c91f0d6a8b13cfc446d9662e3a5

Download Submit
\Windows\SysWOW64\Linphc32.exe

Filesize
64KB

MD5
4cb6da679ea9ab5ed275abd04e141d63

SHA1
a855f5d3b60f5e3ac974310c4c3b88e5c45abf4e

SHA256
6a2ec81a11b70bc30f12860cb89a890488559119b52fc12405e95783d5686f92

SHA512
d229ea9dc0037bb02b91c2c165ed16b67d800e196c7646bc6518b8ee1bee74e5a58c5399f62d8ed664e4cf24150eb8dec2f5fed54500e053ee278bfe0b25c7f9

Download Submit
\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
64KB

MD5
30f82b600c8eeac39d514459e41fbede

SHA1
aee8066a692a6c0fedbac0bcb00f30a2a25bd39d

SHA256
39ce10c29dab9f90514d421691ac35eb55a055b11e064d5762adf7737dda80fc

SHA512
026e479ea576dce1ce4509423c6fe427f83ffa53b0e3a878214b0fafce7ef7781fa3198a1949437a2406aca64929b4336b9a46809b388f5ab7842f1c64d7a15d

Download Submit
\Windows\SysWOW64\Mapjmehi.exe

Filesize
64KB

MD5
44e616b0ad87cfef19439096207b1184

SHA1
59927ddad5e94e89ef3728582f31352b7f0833fb

SHA256
ad043e32e087ad9608dc27cd6a5594ac1b2d9c0964e3e99ee1bfdeebef47a206

SHA512
c1c8ad0b99d711253eb4e94d9bcea886b5c97d10dad6b8478cc42605d925218a738fd9f71525d8dd4fc7b7f0e3b22f15de466b03f3dd884811120574bdbd3ff4

Download Submit
\Windows\SysWOW64\Mencccop.exe

Filesize
64KB

MD5
c5568fd62aaca286444c160ac08c5732

SHA1
9696140457629fa27d4a36718f5a3c9ff9ee5dec

SHA256
d71542a62ee833ef45923edd96867a221a3b22338f776e69a5700efefd836ec7

SHA512
68662b741a98c7f146442a0e02fd0c224de6886b85599d10130a34e23dc52071563cdb68c55c8c33237859bf7ea8fe841efa313b1b3387e86fc50b4c303ebe8c

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
64KB

MD5
8361f686fd9367fa47962740a6ccfbad

SHA1
0d821ff7373fd537f817e9b7eb178afeb9f56b5f

SHA256
1d6ff353366a3204c7cdc5212c1b4d57694316c8aa8da45a4038792436300367

SHA512
6ed99818eb4e2d13113bbb8f9a21e5b6441a879946f893760270c310010b95b4c0659a2e8a3fc5a8924f5b6d9c4ec0ac489d4eb130c5f6c04fd50cd31bad008f

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
64KB

MD5
5d8cda6d6e2e08021f007423548230d8

SHA1
95720268e46095fc0e36ac212747436b12cf6b26

SHA256
4661587b8e6d31b2aa28754cf09a6a654623c620e37c5fcf33212a1076ce9e36

SHA512
5bd326c320955658f48f1c9ba0e0934cbcaab9ae30555704f864389da6539736011584dd9b7dc1dcb6a0257299f9d314996f9cfdc7ed2bc4305f1d83492ad215

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
64KB

MD5
5451f9304259ba8494f931554613e3a8

SHA1
8256c9fd55aea13ed59919d8e2683c35f238bad2

SHA256
269d56c2f57a91acf21e67cfc59319b537a016da74b20857f18227078b2a6483

SHA512
a83be065b60f4e1d0fd7de8dce7b2e5a3c88343bb76ef65563bfd3ace3645a1a6dcafe33467c61b9f42f290103647846b4c83ea4f17466d49f0faea30ecf682f

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
64KB

MD5
a382f20885f66e139981f8d20ec07ded

SHA1
c656c9f5ae1d7fa45a806159119708be40f75f34

SHA256
148654c1029de1c8c348484fd97f7d15228ebfecd260ab1a247f333c6a31d9d1

SHA512
19866f00c62fb903ab9b98b02bcc6ed8e58f1abea9ae7630c6e3e2744e023d0102cb2e5b5e6d20ad69fa555678d1e10724e6cbc36376b9302bb74ac6bb5b23c4

Download Submit
\Windows\SysWOW64\Mmihhelk.exe

Filesize
64KB

MD5
748d1fe2feb3495e354659b16c75ede0

SHA1
9683a2fbb1007b810495eb6bd986b5b11cc48058

SHA256
0359011f2baf8b53714e3e4fda427eb2ab82443f6461e2dca4cbbd0b531713d5

SHA512
7a619d63264c850dff845074fc166db0093fbd0bfe654a902e42578dbcedc7055bdcecc116ed9655234df0d0fb27b92a2d4bf5298075353ee6083079d6cb036b

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
64KB

MD5
074cb79da6cd1b517a1561512817a7ed

SHA1
d37e1e07871182737e66ebd93b2866d721cfce86

SHA256
35fc4653c1a6e0d39d8cef7868a8c60b828afb2587083cfcade436b64abe4e82

SHA512
2c7c480e1f4f9996e5c8283251f64c53e0159ba54627e8df67b0f77b30f7e0817c3ff04930ec37fae1a107b3ad14d9d3ccfb5d73a1066b1bf14000ea30d378ee

Download Submit
memory/276-273-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/276-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/276-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/276-272-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/328-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-80-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/688-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-336-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1528-337-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1652-284-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1652-280-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1652-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-48-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1680-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-354-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1704-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-181-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1704-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-294-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1712-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-207-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1972-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-229-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1972-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-253-0x0000000001F70000-0x0000000001FA5000-memory.dmp

Filesize
212KB

Download
memory/2436-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-301-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2452-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-309-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2536-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-326-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2536-325-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2564-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-347-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2652-348-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2652-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-315-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2684-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-12-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2736-13-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2736-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-351-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2924-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-155-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2924-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-67-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/3068-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads