44386f65ecf32c33dfe025b275b2cc7eadd139b2585f858667e9009fcda85eed

Analysis

max time kernel
117s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55613d7931b26ff05b39e05aca62a2d0N.exe
Size

256KB
MD5

55613d7931b26ff05b39e05aca62a2d0
SHA1

7239fbc8f4ab89ffeeb933f219c3a43ad66d83b1
SHA256

44386f65ecf32c33dfe025b275b2cc7eadd139b2585f858667e9009fcda85eed
SHA512

f5476d5df1583ff5294333e19902efa8fa742b42cba5ece8df035fdbefeb33392c592516a53809cb5dde1db394a024c8c11dda8bb94871312c5cb8d750e58640
SSDEEP

6144:ScbmNXktahlY1uTLp103ETiZ0moGP/2dga1mcywM:+NVnZpScXwuR1mKM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqldpfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjaddii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmffa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhcgkbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opcejd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cihojiok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmlnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcejd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phjjkefd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmldji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oingii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqldpfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	55613d7931b26ff05b39e05aca62a2d0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmlnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhcgkbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmilmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kccian32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magfjebk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhbpfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahmik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phjjkefd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkbqfcp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cihojiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cahmik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjaddii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	55613d7931b26ff05b39e05aca62a2d0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjihci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magfjebk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjihci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiljcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiljcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deahcneh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmilmkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kccian32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmldji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deahcneh.exe

Executes dropped EXE 29 IoCs

pid	Process
2348	Kjihci32.exe
2820	Kgmilmkb.exe
2780	Kmjaddii.exe
2224	Kccian32.exe
2336	Lpcmlnnp.exe
2236	Magfjebk.exe
1312	Mchokq32.exe
1004	Nmgjee32.exe
2756	Nlmffa32.exe
2768	Nhcgkbja.exe
1732	Opcejd32.exe
2728	Oiljcj32.exe
568	Oingii32.exe
2352	Phjjkefd.exe
2376	Pgacaaij.exe
820	Qqldpfmh.exe
948	Amebjgai.exe
2060	Aalaoipc.exe
1508	Ajdego32.exe
2252	Bcoffd32.exe
1300	Bmldji32.exe
1592	Chhbpfhi.exe
2556	Cihojiok.exe
1548	Cligkdlm.exe
328	Cahmik32.exe
2292	Dkbnhq32.exe
2604	Ddkbqfcp.exe
2812	Deahcneh.exe
1496	Eceimadb.exe

Loads dropped DLL 62 IoCs

pid	Process
1640	55613d7931b26ff05b39e05aca62a2d0N.exe
1640	55613d7931b26ff05b39e05aca62a2d0N.exe
2348	Kjihci32.exe
2348	Kjihci32.exe
2820	Kgmilmkb.exe
2820	Kgmilmkb.exe
2780	Kmjaddii.exe
2780	Kmjaddii.exe
2224	Kccian32.exe
2224	Kccian32.exe
2336	Lpcmlnnp.exe
2336	Lpcmlnnp.exe
2236	Magfjebk.exe
2236	Magfjebk.exe
1312	Mchokq32.exe
1312	Mchokq32.exe
1004	Nmgjee32.exe
1004	Nmgjee32.exe
2756	Nlmffa32.exe
2756	Nlmffa32.exe
2768	Nhcgkbja.exe
2768	Nhcgkbja.exe
1732	Opcejd32.exe
1732	Opcejd32.exe
2728	Oiljcj32.exe
2728	Oiljcj32.exe
568	Oingii32.exe
568	Oingii32.exe
2352	Phjjkefd.exe
2352	Phjjkefd.exe
2376	Pgacaaij.exe
2376	Pgacaaij.exe
820	Qqldpfmh.exe
820	Qqldpfmh.exe
948	Amebjgai.exe
948	Amebjgai.exe
2060	Aalaoipc.exe
2060	Aalaoipc.exe
1508	Ajdego32.exe
1508	Ajdego32.exe
2252	Bcoffd32.exe
2252	Bcoffd32.exe
1300	Bmldji32.exe
1300	Bmldji32.exe
1592	Chhbpfhi.exe
1592	Chhbpfhi.exe
2556	Cihojiok.exe
2556	Cihojiok.exe
1548	Cligkdlm.exe
1548	Cligkdlm.exe
328	Cahmik32.exe
328	Cahmik32.exe
2292	Dkbnhq32.exe
2292	Dkbnhq32.exe
2604	Ddkbqfcp.exe
2604	Ddkbqfcp.exe
2812	Deahcneh.exe
2812	Deahcneh.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bcoffd32.exe	Ajdego32.exe
File opened for modification	C:\Windows\SysWOW64\Bmldji32.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Kgmilmkb.exe	Kjihci32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjaddii.exe	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Nmgjee32.exe	Mchokq32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmffa32.exe	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Nhcgkbja.exe	Nlmffa32.exe
File opened for modification	C:\Windows\SysWOW64\Ajdego32.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Deahcneh.exe	Ddkbqfcp.exe
File opened for modification	C:\Windows\SysWOW64\Nhcgkbja.exe	Nlmffa32.exe
File opened for modification	C:\Windows\SysWOW64\Pgacaaij.exe	Phjjkefd.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	Qqldpfmh.exe
File created	C:\Windows\SysWOW64\Cligkdlm.exe	Cihojiok.exe
File created	C:\Windows\SysWOW64\Efoodo32.dll	Cligkdlm.exe
File opened for modification	C:\Windows\SysWOW64\Eceimadb.exe	Deahcneh.exe
File opened for modification	C:\Windows\SysWOW64\Kccian32.exe	Kmjaddii.exe
File opened for modification	C:\Windows\SysWOW64\Oiljcj32.exe	Opcejd32.exe
File created	C:\Windows\SysWOW64\Kmjaddii.exe	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Jqfcla32.dll	Kccian32.exe
File created	C:\Windows\SysWOW64\Bopplhfm.dll	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Kagbmg32.dll	Amebjgai.exe
File opened for modification	C:\Windows\SysWOW64\Ddkbqfcp.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Deahcneh.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmlnnp.exe	Kccian32.exe
File opened for modification	C:\Windows\SysWOW64\Magfjebk.exe	Lpcmlnnp.exe
File created	C:\Windows\SysWOW64\Obchjdci.dll	Bcoffd32.exe
File opened for modification	C:\Windows\SysWOW64\Cligkdlm.exe	Cihojiok.exe
File created	C:\Windows\SysWOW64\Ngcjbg32.dll	Cihojiok.exe
File created	C:\Windows\SysWOW64\Dkbnhq32.exe	Cahmik32.exe
File created	C:\Windows\SysWOW64\Pgmobakj.dll	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Cahmik32.exe	Cligkdlm.exe
File opened for modification	C:\Windows\SysWOW64\Kgmilmkb.exe	Kjihci32.exe
File created	C:\Windows\SysWOW64\Lbgkic32.dll	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Lpcmlnnp.exe	Kccian32.exe
File created	C:\Windows\SysWOW64\Eocmep32.dll	Mchokq32.exe
File created	C:\Windows\SysWOW64\Nlieiq32.dll	Nlmffa32.exe
File created	C:\Windows\SysWOW64\Aalaoipc.exe	Amebjgai.exe
File opened for modification	C:\Windows\SysWOW64\Qqldpfmh.exe	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Hbbhogeg.dll	Ajdego32.exe
File opened for modification	C:\Windows\SysWOW64\Cihojiok.exe	Chhbpfhi.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Cahmik32.exe
File created	C:\Windows\SysWOW64\Pfaokb32.dll	Dkbnhq32.exe
File opened for modification	C:\Windows\SysWOW64\Kjihci32.exe	55613d7931b26ff05b39e05aca62a2d0N.exe
File created	C:\Windows\SysWOW64\Mchokq32.exe	Magfjebk.exe
File created	C:\Windows\SysWOW64\Lbbpgc32.dll	Nmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Opcejd32.exe	Nhcgkbja.exe
File created	C:\Windows\SysWOW64\Epfopk32.dll	Chhbpfhi.exe
File opened for modification	C:\Windows\SysWOW64\Dkbnhq32.exe	Cahmik32.exe
File created	C:\Windows\SysWOW64\Oiljcj32.exe	Opcejd32.exe
File created	C:\Windows\SysWOW64\Chhbpfhi.exe	Bmldji32.exe
File opened for modification	C:\Windows\SysWOW64\Chhbpfhi.exe	Bmldji32.exe
File created	C:\Windows\SysWOW64\Onllmobg.dll	Nhcgkbja.exe
File created	C:\Windows\SysWOW64\Dcihik32.dll	Oiljcj32.exe
File created	C:\Windows\SysWOW64\Pgacaaij.exe	Phjjkefd.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	Qqldpfmh.exe
File created	C:\Windows\SysWOW64\Kccian32.exe	Kmjaddii.exe
File created	C:\Windows\SysWOW64\Nlmffa32.exe	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Opgcne32.dll	Opcejd32.exe
File created	C:\Windows\SysWOW64\Bmldji32.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Cihojiok.exe	Chhbpfhi.exe
File opened for modification	C:\Windows\SysWOW64\Mchokq32.exe	Magfjebk.exe
File created	C:\Windows\SysWOW64\Oingii32.exe	Oiljcj32.exe
File created	C:\Windows\SysWOW64\Phjjkefd.exe	Oingii32.exe
File created	C:\Windows\SysWOW64\Dlbloflp.dll	Oingii32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	1496	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55613d7931b26ff05b39e05aca62a2d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oingii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmldji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcejd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cihojiok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcmlnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhcgkbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgacaaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phjjkefd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalaoipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoffd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqldpfmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kccian32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiljcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahmik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deahcneh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgmilmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmjaddii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhbpfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cligkdlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjihci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magfjebk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkbqfcp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhcgkbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfopk32.dll"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cihojiok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbpdhee.dll"	Magfjebk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Magfjebk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obchjdci.dll"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll"	Cihojiok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deahcneh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmlnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgkic32.dll"	Kgmilmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjaddii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deahcneh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjihci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcicjgkh.dll"	55613d7931b26ff05b39e05aca62a2d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgmilmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnmhm32.dll"	Kmjaddii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kccian32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqfcla32.dll"	Kccian32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbloflp.dll"	Oingii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	55613d7931b26ff05b39e05aca62a2d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopplhfm.dll"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Deahcneh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Magfjebk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhcgkbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opcejd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqldpfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	55613d7931b26ff05b39e05aca62a2d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfaokb32.dll"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cligkdlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cahmik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	Qqldpfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onllmobg.dll"	Nhcgkbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiljcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cihojiok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	55613d7931b26ff05b39e05aca62a2d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjon32.dll"	Lpcmlnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgcne32.dll"	Opcejd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	55613d7931b26ff05b39e05aca62a2d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhogeg.dll"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cahmik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kccian32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmlnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoodo32.dll"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjihci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjaddii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2348	1640	55613d7931b26ff05b39e05aca62a2d0N.exe	30
PID 1640 wrote to memory of 2348	1640	55613d7931b26ff05b39e05aca62a2d0N.exe	30
PID 1640 wrote to memory of 2348	1640	55613d7931b26ff05b39e05aca62a2d0N.exe	30
PID 1640 wrote to memory of 2348	1640	55613d7931b26ff05b39e05aca62a2d0N.exe	30
PID 2348 wrote to memory of 2820	2348	Kjihci32.exe	31
PID 2348 wrote to memory of 2820	2348	Kjihci32.exe	31
PID 2348 wrote to memory of 2820	2348	Kjihci32.exe	31
PID 2348 wrote to memory of 2820	2348	Kjihci32.exe	31
PID 2820 wrote to memory of 2780	2820	Kgmilmkb.exe	32
PID 2820 wrote to memory of 2780	2820	Kgmilmkb.exe	32
PID 2820 wrote to memory of 2780	2820	Kgmilmkb.exe	32
PID 2820 wrote to memory of 2780	2820	Kgmilmkb.exe	32
PID 2780 wrote to memory of 2224	2780	Kmjaddii.exe	33
PID 2780 wrote to memory of 2224	2780	Kmjaddii.exe	33
PID 2780 wrote to memory of 2224	2780	Kmjaddii.exe	33
PID 2780 wrote to memory of 2224	2780	Kmjaddii.exe	33
PID 2224 wrote to memory of 2336	2224	Kccian32.exe	34
PID 2224 wrote to memory of 2336	2224	Kccian32.exe	34
PID 2224 wrote to memory of 2336	2224	Kccian32.exe	34
PID 2224 wrote to memory of 2336	2224	Kccian32.exe	34
PID 2336 wrote to memory of 2236	2336	Lpcmlnnp.exe	35
PID 2336 wrote to memory of 2236	2336	Lpcmlnnp.exe	35
PID 2336 wrote to memory of 2236	2336	Lpcmlnnp.exe	35
PID 2336 wrote to memory of 2236	2336	Lpcmlnnp.exe	35
PID 2236 wrote to memory of 1312	2236	Magfjebk.exe	36
PID 2236 wrote to memory of 1312	2236	Magfjebk.exe	36
PID 2236 wrote to memory of 1312	2236	Magfjebk.exe	36
PID 2236 wrote to memory of 1312	2236	Magfjebk.exe	36
PID 1312 wrote to memory of 1004	1312	Mchokq32.exe	37
PID 1312 wrote to memory of 1004	1312	Mchokq32.exe	37
PID 1312 wrote to memory of 1004	1312	Mchokq32.exe	37
PID 1312 wrote to memory of 1004	1312	Mchokq32.exe	37
PID 1004 wrote to memory of 2756	1004	Nmgjee32.exe	38
PID 1004 wrote to memory of 2756	1004	Nmgjee32.exe	38
PID 1004 wrote to memory of 2756	1004	Nmgjee32.exe	38
PID 1004 wrote to memory of 2756	1004	Nmgjee32.exe	38
PID 2756 wrote to memory of 2768	2756	Nlmffa32.exe	39
PID 2756 wrote to memory of 2768	2756	Nlmffa32.exe	39
PID 2756 wrote to memory of 2768	2756	Nlmffa32.exe	39
PID 2756 wrote to memory of 2768	2756	Nlmffa32.exe	39
PID 2768 wrote to memory of 1732	2768	Nhcgkbja.exe	40
PID 2768 wrote to memory of 1732	2768	Nhcgkbja.exe	40
PID 2768 wrote to memory of 1732	2768	Nhcgkbja.exe	40
PID 2768 wrote to memory of 1732	2768	Nhcgkbja.exe	40
PID 1732 wrote to memory of 2728	1732	Opcejd32.exe	41
PID 1732 wrote to memory of 2728	1732	Opcejd32.exe	41
PID 1732 wrote to memory of 2728	1732	Opcejd32.exe	41
PID 1732 wrote to memory of 2728	1732	Opcejd32.exe	41
PID 2728 wrote to memory of 568	2728	Oiljcj32.exe	42
PID 2728 wrote to memory of 568	2728	Oiljcj32.exe	42
PID 2728 wrote to memory of 568	2728	Oiljcj32.exe	42
PID 2728 wrote to memory of 568	2728	Oiljcj32.exe	42
PID 568 wrote to memory of 2352	568	Oingii32.exe	43
PID 568 wrote to memory of 2352	568	Oingii32.exe	43
PID 568 wrote to memory of 2352	568	Oingii32.exe	43
PID 568 wrote to memory of 2352	568	Oingii32.exe	43
PID 2352 wrote to memory of 2376	2352	Phjjkefd.exe	44
PID 2352 wrote to memory of 2376	2352	Phjjkefd.exe	44
PID 2352 wrote to memory of 2376	2352	Phjjkefd.exe	44
PID 2352 wrote to memory of 2376	2352	Phjjkefd.exe	44
PID 2376 wrote to memory of 820	2376	Pgacaaij.exe	45
PID 2376 wrote to memory of 820	2376	Pgacaaij.exe	45
PID 2376 wrote to memory of 820	2376	Pgacaaij.exe	45
PID 2376 wrote to memory of 820	2376	Pgacaaij.exe	45

C:\Users\Admin\AppData\Local\Temp\55613d7931b26ff05b39e05aca62a2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\55613d7931b26ff05b39e05aca62a2d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\Kjihci32.exe
  C:\Windows\system32\Kjihci32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Kgmilmkb.exe
    C:\Windows\system32\Kgmilmkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Kmjaddii.exe
      C:\Windows\system32\Kmjaddii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Kccian32.exe
        
        C:\Windows\system32\Kccian32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\Lpcmlnnp.exe
        
        C:\Windows\system32\Lpcmlnnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Magfjebk.exe
        
        C:\Windows\system32\Magfjebk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mchokq32.exe
        
        C:\Windows\system32\Mchokq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Nmgjee32.exe
        
        C:\Windows\system32\Nmgjee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Nlmffa32.exe
        
        C:\Windows\system32\Nlmffa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Nhcgkbja.exe
        
        C:\Windows\system32\Nhcgkbja.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Opcejd32.exe
        
        C:\Windows\system32\Opcejd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Oiljcj32.exe
        
        C:\Windows\system32\Oiljcj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Oingii32.exe
        
        C:\Windows\system32\Oingii32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Phjjkefd.exe
        
        C:\Windows\system32\Phjjkefd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pgacaaij.exe
        
        C:\Windows\system32\Pgacaaij.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Qqldpfmh.exe
        
        C:\Windows\system32\Qqldpfmh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Amebjgai.exe
        
        C:\Windows\system32\Amebjgai.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Aalaoipc.exe
        
        C:\Windows\system32\Aalaoipc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ajdego32.exe
        
        C:\Windows\system32\Ajdego32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bcoffd32.exe
        
        C:\Windows\system32\Bcoffd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bmldji32.exe
        
        C:\Windows\system32\Bmldji32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Chhbpfhi.exe
        
        C:\Windows\system32\Chhbpfhi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cihojiok.exe
        
        C:\Windows\system32\Cihojiok.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Cligkdlm.exe
        
        C:\Windows\system32\Cligkdlm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cahmik32.exe
        
        C:\Windows\system32\Cahmik32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ddkbqfcp.exe
        
        C:\Windows\system32\Ddkbqfcp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Deahcneh.exe
        
        C:\Windows\system32\Deahcneh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalaoipc.exe

Filesize
256KB

MD5
a2a230510f414d30327f570ee7ecba5b

SHA1
89fbf1716746b79d6998ddea755c4eca64908453

SHA256
ed9daa324033b5e6bcbe65c897dd75c2cd0d08ed9c4abfee1a635515dbe8f022

SHA512
32cc391e8bd8922acceb57d4616f4d456807579601a0498e2464316d21931f27259eef86ad65fc1fad4000865b8044e0bf4466ba9578818b6823cf1ec4f5efbc

Download Submit
C:\Windows\SysWOW64\Ajdego32.exe

Filesize
256KB

MD5
a082ca69572a94d602211d62c4077b8b

SHA1
e1172fee8bbb3aa1c4bae5a1deb72c4c8e3475d5

SHA256
8ed02ba4a6e91536e4fcf4591f29d62a7a26db651cadb7beca80dde538d5afaa

SHA512
306e097bd3ebd3e4a62c6b8ebbbe073bdfabb3128fd266e90ab54bd5d0f326027bbf1226023a34cb443021ac16e3223172a7234a3be1a4fd5c9f951ff5006335

Download Submit
C:\Windows\SysWOW64\Amebjgai.exe

Filesize
256KB

MD5
71bdbd57ae11d243d6888ec16343eaa3

SHA1
56e0056c1030e7c6baf0945ce44a5a17b4b442d5

SHA256
2b9366a2f80d0f1ff652602d0cd1ff8fc4046a378cdfb632d98b0475dcb2712c

SHA512
fb5846690b5dd90b5997780f6018b4c47e3a7a9981d786d3fcab3706e2d88984af566e757c909eee65071b61745b03789c9db687fda2689559286dfedd899012

Download Submit
C:\Windows\SysWOW64\Bcoffd32.exe

Filesize
256KB

MD5
826013c355542d4451f6143b8b61fd57

SHA1
1a5b9e9b89ce0f527d6e4e0f2bf8000f97dbf459

SHA256
05c5860bbd986541ab620a65dcae18854fabed380f5bb41f6d3fb0cf23700ba4

SHA512
86b307ddad3ecd2d5dcd385eb892392484f8022a82230e11d93d018c66297551b729eaa0b5afa4b1c8be7828f87785b8651316f8e382b9d09a21feceaf248bc6

Download Submit
C:\Windows\SysWOW64\Bmldji32.exe

Filesize
256KB

MD5
c05417be0af53df556dadf8e6e7dba79

SHA1
0c695a20d3fc8ec9f826db5cfb6b2e5574435077

SHA256
cbe1583b543ea10a7f594b06c5bac931f2ca389301c49a2f009057d17da1c183

SHA512
35c1129bb93fc11743759c85a935fcb57a7f088ac2a23f62fac1e3992a29ee7a8fb7a32939a6635306d97cf929f7d70ee1266d14116aacda05a48c7027558798

Download Submit
C:\Windows\SysWOW64\Cahmik32.exe

Filesize
256KB

MD5
cac83ebece038e9571bf271811d5c00a

SHA1
fdb3b9e411fbd35ac902f9a707aa4bf096d2624e

SHA256
47e34613678e7244d98627518588921103252b322bbad93a2e0c8eb1d0e4a141

SHA512
0f0d5f2b8850059bfb549575c4fb758119863dfb2ecc17e11e34cc1b21916182dbe199b2155497552e591679d61278763b5e06517d291963fe6a76f73adf0785

Download Submit
C:\Windows\SysWOW64\Chhbpfhi.exe

Filesize
256KB

MD5
4f1bb71be759b55f5032c8ab13c66fb5

SHA1
3dee7b52760f6ebaa475bece1b9de660be8ddaad

SHA256
5a107efcf35078bde1de5a0da7be5ebf5304c22373f604e56f92f4a3827a1e37

SHA512
19ddd310468542cbf42a139102b6efb5984e8481dd5e9ec6c7d4e8c8b6db46ced5420c5b5637c396f30eb86d5c778bf8183f4e81756a3165d8c720574c15a8f1

Download Submit
C:\Windows\SysWOW64\Cihojiok.exe

Filesize
256KB

MD5
0cbe30804c9d4055b194574ee85b86b9

SHA1
dfbb7441ec3494382fd5661973b1f32c0b458c19

SHA256
96c52918d99aef2d52414ed3a36e756b0739c424cb94539ddd1fd777770746a0

SHA512
40fb57cd44f6efce78d3960fbf1d6875f7b30ec190f0966063c6267f14373a0be0fb5d079afb765dbaf8f0386407d4627a71404434f4e8f2459d9d16962e0f7b

Download Submit
C:\Windows\SysWOW64\Cligkdlm.exe

Filesize
256KB

MD5
603570e50e3be3370657f785e03d9c17

SHA1
1db35b245703d55f2400b051353ef3ec55230001

SHA256
23733f332eb1be08b8de4214105f6be64f19ac6709e06f94568fc15a5249493a

SHA512
29cdf4bbc524ebe6792f942eeff6a75639d733925ff34d77ab420e16225dd825c3cfd821eacc1c859fac074b2a8969cdecdcfcfa08f56f30884a47a5fa105cbf

Download Submit
C:\Windows\SysWOW64\Ddkbqfcp.exe

Filesize
256KB

MD5
8f3beb2b167d4cc673139b59904a9530

SHA1
69039942fad52be9348fafd076cf6d4419dd426d

SHA256
7aa0cd5e2a1ab10a237fa93aeba8ce7bde3bcbbfc1608b20229fa44d5e13344c

SHA512
aa2a8c79ca634097769bb88b591b642eedd0cfcdb12d726c2b3334e21abc07d541ce6fd7f1a2fc2f2e1e1bf32ea8702db0651755252747947c10a84b96097d91

Download Submit
C:\Windows\SysWOW64\Deahcneh.exe

Filesize
256KB

MD5
e33271a7c9e8f9a0de2315311ade5171

SHA1
1bebd897a6df3416a461c67ee0ec44c460e53977

SHA256
cc9242434919b0bc50a9af4b703fca03cc67f0139d15703a9d9ca5d71184ac20

SHA512
664bbfabcbbb8d0c6f13eab7cca218f29480825f3526422f485ab4ecaf27370dfa19c6e95ea5aff70f24b6ffa9ee314559f0b5ec8014c51c988d7d306035d534

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
256KB

MD5
33ec77b860645b25256928b41e729c2d

SHA1
4a15356dbac7fe3e7a773f1ef50998d3c5732002

SHA256
d9bb7b5150f7a2489f24bc68e60c80072db2bdca195e8b35ea32302baff01fce

SHA512
d5147317f1e62b8ceea15ff3efb95b1cd5b392e87e11ebc3d7c9815f57f10f41b0bbd983106a7fc5114733946b76e2f1be1df7af00a695933fdfa901bdc2d7ef

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
256KB

MD5
ca2d0622e5834e6381e82bf9867be813

SHA1
f654ba56716b7ab344a011f059b4b7eea5cf7c06

SHA256
1d0015510eb3b8c4b7bc5d1bd6c4b52c584a5a40fb43c91a2bffef75963499fe

SHA512
1819a40483a679b6ead183be0df4da4ae46e0c25a3d8332d8d8ed961e46fc839ed2d5ee15e510cd2b2be299651eb45f607abdcc780e5319b37da41110bf18187

Download Submit
C:\Windows\SysWOW64\Jqfcla32.dll

Filesize
7KB

MD5
5d858a6cd2b9017d4621c8f4e5dbc5ac

SHA1
74d3fba9ab7ed53091f8633a775eca25b7f16058

SHA256
fd18a9c1d0838b19e29eab2f1aab5c316e6dde81726c3fdc558c7a1d8883d94b

SHA512
f8820482e886f3f10cf18640ff0f01adfdbeaa2966aca0afdef7b4f47729b75b20863ee59aa54c72126c88f2841bb905fddfeef570b223fcac03f9de98f772f8

Download Submit
C:\Windows\SysWOW64\Kjihci32.exe

Filesize
256KB

MD5
b41f75ea037e88effdc035b5c90f9a08

SHA1
cfc99a2087b08441b440a175077f0450a5bbe987

SHA256
101cf3e65b9d195765d50e9b950c1b0ea628048cc509326637336cf423421b7f

SHA512
b9ffef754def482d7b34e38341854cf7fd8a2ee9ace07acc6c21893859f5ce50dba26ac44ca918f21e2f6b9a6968d1d1148e6876cd0a85e7c8f104da42989c31

Download Submit
C:\Windows\SysWOW64\Kmjaddii.exe

Filesize
256KB

MD5
e303ee4845df5c02372702c3f0ae1754

SHA1
536c77cb2a67f9cd3b8d46249db64528fc6f5023

SHA256
03685323d1917e6ed8a81a838fea2ed1fe01facc7226362c9a91a3f7264d6761

SHA512
856c1c97f973d857bf86b336537bb40a90542f127d431f5c97b97cc0ba824adb6af576da4f1f1ddfa37b2e4d6779eb7579fb00dca80a0ec30ce5e81007bbbe7f

Download Submit
C:\Windows\SysWOW64\Nhcgkbja.exe

Filesize
256KB

MD5
667356beff1d549434062069b3a7e294

SHA1
67af72dea7190c383a9d3fb2616c7f36ae06d660

SHA256
0dfc543cb56f86e1e8011d9d385693922bb3a68932959a9de1e1657e1172de2e

SHA512
0cb3eb6883ca1bd1270a214c0a5a3ac5a8f202d180b8464d84ea75acf3699b71f3611a9e7e56c47040ac8d931b512439d43b5f7c6a9a6932122d6cd1f1e67378

Download Submit
C:\Windows\SysWOW64\Oiljcj32.exe

Filesize
256KB

MD5
58e429cb61197fda434d272c4062a196

SHA1
9f8dddb05dd113e1e25065be7811cb5eab9fe68a

SHA256
4d4a42473dab081397e448c00dd6106550fbea3475903aed97ffbd619f3018d0

SHA512
add5f361b6fa59f4aff2e60282f2ef9fd81f2bf204670ece7c2f213e3397bbc94aa3382bde0a4d85e04ecced87bfaa086e90c8ef69207f5b81f2724fe64656e8

Download Submit
\Windows\SysWOW64\Kccian32.exe

Filesize
256KB

MD5
9417c60a96bd5197c28e8e128735edf7

SHA1
ac4e47fdaefc9dfb397a2a1351b2766090cf070d

SHA256
893ec292a073ee6e31033d81cf20f5d02be813917a51897267ed1ab9180c3b07

SHA512
96d745a4e2678cafb710c4271019b1a6ed7b4db8f748b8dcea451929b2306871395cbc3bc9104314883111fdfe4efe96a87b4b20f0edb1b4b8c4717bcd28123d

Download Submit
\Windows\SysWOW64\Kgmilmkb.exe

Filesize
256KB

MD5
ae6345b9c78b01349c78b4f1ef8557ad

SHA1
1acc8d2dc5e8e4701ea9ebc6f9223f65960d70f8

SHA256
9ff45a3fa1c10af01dd7350513305463388f09dd6bdae8f1cb59abdfae6d6263

SHA512
c2fd4ca099080eb2bc1ce5f0f6841103246fb69aeb0fe4bacaea9f5793142a5bf7888421a29e94d99e252d1fb2c814556ea8c15e19423a25149ecde54b9a6fa4

Download Submit
\Windows\SysWOW64\Lpcmlnnp.exe

Filesize
256KB

MD5
6a82181fdecdce377ba78301694eb8ba

SHA1
251fd98551529dc2245c73b812d77654ee1adb35

SHA256
583da8a8a5357fde7cdba42271bff864ed31abeae837eff104df46af3db0783c

SHA512
283126df59df67499922d5d2ce6e20e7cd12a99c74dda4738d86bb3b36b73839981221257de4e63084fa32913e3151c54cacc5d108aed0359a584c2748e01f8a

Download Submit
\Windows\SysWOW64\Magfjebk.exe

Filesize
256KB

MD5
c168026fb876c0ed33dd148ab6bdcc82

SHA1
69f0167e99d804ac4ad17d8a699a50897e1868e5

SHA256
1255ffbfef26ce6ca185fb330ed96df17abea0ba61429990cb64951f0dd0e699

SHA512
58032488492b57cc2e455eb6d3751e67959b81b5fae6295eddab5011af35be33c4cfe6f838635bfaaf7c455be84705059588522cf0cc64e5067faf8740a7f812

Download Submit
\Windows\SysWOW64\Mchokq32.exe

Filesize
256KB

MD5
87d1368eb090881320780512abc5621e

SHA1
56d6b3fbc05fb4908c489fa25487afbc6b7ee2a8

SHA256
a4396ff0901671b3e6a99a8cecd1b575fa8a8e38576dfbb358feeb72adffbfc9

SHA512
9537abb1359246213a9e9a85474856fde0cffcc4c2a9610f6fe90c77e19ccf62b241f5c86f9ca09f7ba6ea2bff524e67c904e6a14949f5c359158ef0b0d38ad8

Download Submit
\Windows\SysWOW64\Nlmffa32.exe

Filesize
256KB

MD5
13dba6b308b53cd7f8b92e9b5b0bc88e

SHA1
b6bd7dad30b584cc86696faee45e3a3ac05d47fd

SHA256
661e8f6b76fe15efa403c95ff74b90eca24efa931dbf24aa540c8acd622b5411

SHA512
fabbae13dc7c646b3e9158275cd55fb24b513794fb95abaab6e918bfec8c032c20d9f142447b9036f7cb7dcda0f623077d7a24a30572cc26c978ee60c5dabb98

Download Submit
\Windows\SysWOW64\Nmgjee32.exe

Filesize
256KB

MD5
b69c3c8139d8ea24c26178ef9485804c

SHA1
4122b951ca2ecd9c89af5f67e652a8d6c4a8ae2d

SHA256
d5f5dba897c8794aef5920ae2da8cb30c4b0efc2dd96b762edb1873a40f3a689

SHA512
fe96f2db36650b9ce09fee86be7ed0a810363166390cac6df2a3464aa97ba2fade8d403548a717c6c963d10657bf8a5e243dcadeb48ba3f8059aa421c4830033

Download Submit
\Windows\SysWOW64\Oingii32.exe

Filesize
256KB

MD5
dcc14944a100aa0c489530fe596fac50

SHA1
23318347b84a5e1926c058212010157dbd7c066f

SHA256
d99967374c01a3db12d6044335e3bd13bbec87220115dfd5619cf2d45ea44ba7

SHA512
4705f49d01289b8939acc420053b01447c326dd65e548f465f60a342fc630e846ef700dae30e2f5ad909f0b838abd3d13b15b673af2ef20fb4a525d880bbd417

Download Submit
\Windows\SysWOW64\Opcejd32.exe

Filesize
256KB

MD5
2769522c46b196aaf9f8e8ee522c7772

SHA1
08481db9646eabe1d2a770f4abc0dff307a8c296

SHA256
b9df8a0c5cfc8857a2083ba0a2e225591c6f74db51948efbbe33bfd85401642b

SHA512
ce96e1c50e393709f7e0bd19a2d383f13e117ad9cfed41aac49fc4ac5e835d07c0ee6ae90f2cacd3e8890c07e08de2512f309b3fbbd83932ec34fbf7608c3b4a

Download Submit
\Windows\SysWOW64\Pgacaaij.exe

Filesize
256KB

MD5
68ff9963a160e92ced627d8d1c73c565

SHA1
4f8f107b02d65938b6c100da6dd1afaac8415cfa

SHA256
4afe3e296a9978f0e5ab56d28a6a024d318e453af06999d28d99ae2c290467ed

SHA512
a2bc8a8aaba2d91da193e51f9197cb761506e09882ba6a6082ea8a81e2c79635788f85c4de5c28ce061b8ec20e3e0ca8026ffd0f3615bda2f714a810d94f2dec

Download Submit
\Windows\SysWOW64\Phjjkefd.exe

Filesize
256KB

MD5
efd5919cc3721a51dd175042f3ba34e2

SHA1
491eb3a47dc5fe2255e4bde8b48a0dea0aa49d1d

SHA256
c7c90c8e233c2af5abd01453767a7513b9abf581aee6ba2b7d8ce3d46b8d1109

SHA512
4bdbf5e0b3868fd5832656dfe78c41df1e6d709cfff007f7d46a2a3f5a603ba0323e4d37930affb3cd53a444f8cb4d5d08071e39b4a8a43de9add78d1083662a

Download Submit
\Windows\SysWOW64\Qqldpfmh.exe

Filesize
256KB

MD5
5187dce70f7c5939e0408170c09a4247

SHA1
ac506d12d32b4bf82cf5f0ed1f1414a1538ea379

SHA256
d0772df440d7db57051c8949ba4685f03bc5499b43d4c2982babee150a62f63d

SHA512
2aa189e094c0ed7c47393303e2c55fff61cc7d8e3840d32be615a29ce9fbb35ec745dece813e29bed283cb4c9185e01bdfa38a6c54aa9cba6f27bfee208d00eb

Download Submit
memory/328-312-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/328-321-0x0000000000310000-0x0000000000367000-memory.dmp

Filesize
348KB

Download
memory/328-490-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-459-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/568-186-0x0000000000290000-0x00000000002E7000-memory.dmp

Filesize
348KB

Download
memory/568-173-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/820-226-0x0000000001C50000-0x0000000001CA7000-memory.dmp

Filesize
348KB

Download
memory/820-465-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/820-220-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/948-227-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/948-470-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/948-236-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/948-237-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/1004-447-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1004-119-0x00000000002F0000-0x0000000000347000-memory.dmp

Filesize
348KB

Download
memory/1300-277-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/1300-482-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1300-281-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/1300-271-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1312-101-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/1312-93-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1312-445-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1496-353-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1496-505-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1508-249-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1508-259-0x0000000000290000-0x00000000002E7000-memory.dmp

Filesize
348KB

Download
memory/1508-258-0x0000000000290000-0x00000000002E7000-memory.dmp

Filesize
348KB

Download
memory/1508-474-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1548-311-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/1548-488-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1592-296-0x0000000001BD0000-0x0000000001C27000-memory.dmp

Filesize
348KB

Download
memory/1592-291-0x0000000001BD0000-0x0000000001C27000-memory.dmp

Filesize
348KB

Download
memory/1592-484-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1592-284-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1640-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1640-367-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1640-423-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1640-12-0x0000000000260000-0x00000000002B7000-memory.dmp

Filesize
348KB

Download
memory/1732-149-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1732-453-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2060-244-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2060-238-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2060-472-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2060-248-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2224-394-0x0000000001C00000-0x0000000001C57000-memory.dmp

Filesize
348KB

Download
memory/2224-434-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2224-63-0x0000000001C00000-0x0000000001C57000-memory.dmp

Filesize
348KB

Download
memory/2236-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2236-438-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2236-418-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/2252-260-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-270-0x00000000002F0000-0x0000000000347000-memory.dmp

Filesize
348KB

Download
memory/2252-476-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-269-0x00000000002F0000-0x0000000000347000-memory.dmp

Filesize
348KB

Download
memory/2292-492-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2292-328-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2292-326-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2336-73-0x0000000000370000-0x00000000003C7000-memory.dmp

Filesize
348KB

Download
memory/2336-436-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2336-408-0x0000000000370000-0x00000000003C7000-memory.dmp

Filesize
348KB

Download
memory/2336-416-0x0000000000370000-0x00000000003C7000-memory.dmp

Filesize
348KB

Download
memory/2336-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2336-79-0x0000000000370000-0x00000000003C7000-memory.dmp

Filesize
348KB

Download
memory/2348-425-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2348-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2352-188-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2352-199-0x0000000000300000-0x0000000000357000-memory.dmp

Filesize
348KB

Download
memory/2352-461-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2376-214-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/2376-201-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2376-463-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2376-213-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/2556-486-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2556-306-0x00000000002D0000-0x0000000000327000-memory.dmp

Filesize
348KB

Download
memory/2556-298-0x00000000002D0000-0x0000000000327000-memory.dmp

Filesize
348KB

Download
memory/2604-497-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-345-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/2604-332-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2604-341-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/2728-167-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2728-455-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2756-120-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2756-449-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-133-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-146-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2768-451-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2780-51-0x00000000004D0000-0x0000000000527000-memory.dmp

Filesize
348KB

Download
memory/2780-429-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-352-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2812-499-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-347-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2820-427-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2820-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads