fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b

Analysis

max time kernel
32s
max time network
19s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Size

94KB
MD5

bcba9be346fe1e7f148669c2350670fe
SHA1

920e12a2f371f0c5e3d3ff24d5e800b07199de87
SHA256

fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b
SHA512

c2eb268842ee533f889eb1f2819df2aa7b5ac0725fc7fee6af8eda98763e106002946b900967bd7d3f9241d990a2b6d17f372190f384f863d04ff01f040e878a
SSDEEP

1536:UAmbI8QZHxIjbfNO5W7rThvzf2LWS5DUHRbPa9b6i+sImo71+jqx:Iw8+WPlrkWS5DSCopsIm81+jqx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjopnh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqpqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kclmbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagkebpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmfchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lakqoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqnpacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqnpacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mikooghn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jboanfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpndlobg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpcjfa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplhfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeidob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcafbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jccjln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllkaobc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Minldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmchhhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnhgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjalch32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomdcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakqoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghigl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeidob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmdig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jboanfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllkaobc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkeialfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnfbcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghigl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpegka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjalch32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbonmjph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmfchfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liibigjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnljc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kigidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcccglnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kigidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhmhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledpjdid.exe

Executes dropped EXE 56 IoCs

pid	Process
348	Jmnpkp32.exe
2408	Jeidob32.exe
2860	Jnaihhgf.exe
2704	Jbmdig32.exe
2892	Jkeialfp.exe
2600	Jboanfmm.exe
3056	Jiiikq32.exe
1040	Jnfbcg32.exe
2452	Jadnoc32.exe
2876	Jccjln32.exe
2576	Jjmchhhe.exe
2900	Kagkebpb.exe
2072	Kebgea32.exe
1620	Kgqcam32.exe
1240	Kjopnh32.exe
2236	Kmnljc32.exe
936	Kplhfo32.exe
1840	Kgcpgl32.exe
2964	Kjalch32.exe
976	Kakdpb32.exe
1536	Kpndlobg.exe
1760	Kfhmhi32.exe
1596	Kigidd32.exe
1232	Kleeqp32.exe
492	Kclmbm32.exe
2680	Kbonmjph.exe
2812	Kmdbkbpn.exe
2720	Kbajci32.exe
2840	Kfmfchfo.exe
408	Lljolodf.exe
2640	Lpekln32.exe
3064	Lbdghi32.exe
3040	Lhqpqp32.exe
2352	Lllkaobc.exe
1340	Lkolmk32.exe
396	Ledpjdid.exe
2872	Llnhgn32.exe
1824	Lomdcj32.exe
2384	Lmpdoffo.exe
1204	Lakqoe32.exe
2544	Lghigl32.exe
2184	Lkcehkeh.exe
824	Lmbadfdl.exe
1224	Lpqnpacp.exe
1052	Lhgeao32.exe
772	Liibigjq.exe
2140	Mpcjfa32.exe
2108	Mcafbm32.exe
1924	Mkhocj32.exe
1104	Mikooghn.exe
2708	Mlikkbga.exe
2616	Mpegka32.exe
2536	Mcccglnn.exe
2684	Mebpchmb.exe
2276	Minldf32.exe
3028	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
348	Jmnpkp32.exe
348	Jmnpkp32.exe
2408	Jeidob32.exe
2408	Jeidob32.exe
2860	Jnaihhgf.exe
2860	Jnaihhgf.exe
2704	Jbmdig32.exe
2704	Jbmdig32.exe
2892	Jkeialfp.exe
2892	Jkeialfp.exe
2600	Jboanfmm.exe
2600	Jboanfmm.exe
3056	Jiiikq32.exe
3056	Jiiikq32.exe
1040	Jnfbcg32.exe
1040	Jnfbcg32.exe
2452	Jadnoc32.exe
2452	Jadnoc32.exe
2876	Jccjln32.exe
2876	Jccjln32.exe
2576	Jjmchhhe.exe
2576	Jjmchhhe.exe
2900	Kagkebpb.exe
2900	Kagkebpb.exe
2072	Kebgea32.exe
2072	Kebgea32.exe
1620	Kgqcam32.exe
1620	Kgqcam32.exe
1240	Kjopnh32.exe
1240	Kjopnh32.exe
2236	Kmnljc32.exe
2236	Kmnljc32.exe
936	Kplhfo32.exe
936	Kplhfo32.exe
1840	Kgcpgl32.exe
1840	Kgcpgl32.exe
2964	Kjalch32.exe
2964	Kjalch32.exe
976	Kakdpb32.exe
976	Kakdpb32.exe
1536	Kpndlobg.exe
1536	Kpndlobg.exe
1760	Kfhmhi32.exe
1760	Kfhmhi32.exe
1596	Kigidd32.exe
1596	Kigidd32.exe
1232	Kleeqp32.exe
1232	Kleeqp32.exe
492	Kclmbm32.exe
492	Kclmbm32.exe
2680	Kbonmjph.exe
2680	Kbonmjph.exe
2812	Kmdbkbpn.exe
2812	Kmdbkbpn.exe
2720	Kbajci32.exe
2720	Kbajci32.exe
2840	Kfmfchfo.exe
2840	Kfmfchfo.exe
408	Lljolodf.exe
408	Lljolodf.exe
2640	Lpekln32.exe
2640	Lpekln32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jboanfmm.exe	Jkeialfp.exe
File created	C:\Windows\SysWOW64\Jadnoc32.exe	Jnfbcg32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdghi32.exe	Lpekln32.exe
File created	C:\Windows\SysWOW64\Kdebqe32.dll	Lbdghi32.exe
File created	C:\Windows\SysWOW64\Bafeoijd.dll	Mcccglnn.exe
File opened for modification	C:\Windows\SysWOW64\Minldf32.exe	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Fcnmploa.dll	Jeidob32.exe
File opened for modification	C:\Windows\SysWOW64\Lmbadfdl.exe	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Jccjln32.exe	Jadnoc32.exe
File created	C:\Windows\SysWOW64\Pdopmade.dll	Jadnoc32.exe
File created	C:\Windows\SysWOW64\Aandhbgj.dll	Kplhfo32.exe
File created	C:\Windows\SysWOW64\Cmgpnn32.dll	Kfmfchfo.exe
File opened for modification	C:\Windows\SysWOW64\Lllkaobc.exe	Lhqpqp32.exe
File created	C:\Windows\SysWOW64\Iaenpkpd.dll	Llnhgn32.exe
File opened for modification	C:\Windows\SysWOW64\Lakqoe32.exe	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Jiiikq32.exe	Jboanfmm.exe
File created	C:\Windows\SysWOW64\Minldf32.exe	Mebpchmb.exe
File created	C:\Windows\SysWOW64\Godaagfg.dll	Lpqnpacp.exe
File created	C:\Windows\SysWOW64\Jbmdig32.exe	Jnaihhgf.exe
File created	C:\Windows\SysWOW64\Lkolmk32.exe	Lllkaobc.exe
File created	C:\Windows\SysWOW64\Cdcpdjga.dll	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Mjelbl32.dll	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
File opened for modification	C:\Windows\SysWOW64\Jjmchhhe.exe	Jccjln32.exe
File created	C:\Windows\SysWOW64\Cokdcc32.dll	Jjmchhhe.exe
File created	C:\Windows\SysWOW64\Jioldg32.dll	Kagkebpb.exe
File created	C:\Windows\SysWOW64\Dgeoapde.dll	Kgqcam32.exe
File created	C:\Windows\SysWOW64\Iehnhk32.dll	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Ojbachjd.dll	Kigidd32.exe
File opened for modification	C:\Windows\SysWOW64\Lomdcj32.exe	Llnhgn32.exe
File created	C:\Windows\SysWOW64\Mpcjfa32.exe	Liibigjq.exe
File created	C:\Windows\SysWOW64\Bboledln.dll	Jmnpkp32.exe
File created	C:\Windows\SysWOW64\Mikooghn.exe	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Kagkebpb.exe	Jjmchhhe.exe
File opened for modification	C:\Windows\SysWOW64\Kebgea32.exe	Kagkebpb.exe
File created	C:\Windows\SysWOW64\Kgqcam32.exe	Kebgea32.exe
File created	C:\Windows\SysWOW64\Ikcakg32.dll	Kjopnh32.exe
File created	C:\Windows\SysWOW64\Kplhfo32.exe	Kmnljc32.exe
File opened for modification	C:\Windows\SysWOW64\Kplhfo32.exe	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Kgcpgl32.exe	Kplhfo32.exe
File created	C:\Windows\SysWOW64\Dbpmba32.dll	Jbmdig32.exe
File opened for modification	C:\Windows\SysWOW64\Ledpjdid.exe	Lkolmk32.exe
File created	C:\Windows\SysWOW64\Pmeocnah.dll	Ledpjdid.exe
File created	C:\Windows\SysWOW64\Lmpdoffo.exe	Lomdcj32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgeao32.exe	Lpqnpacp.exe
File created	C:\Windows\SysWOW64\Mpegka32.exe	Mlikkbga.exe
File created	C:\Windows\SysWOW64\Apgkaakf.dll	Lpekln32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnpkp32.exe	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
File created	C:\Windows\SysWOW64\Kjopnh32.exe	Kgqcam32.exe
File created	C:\Windows\SysWOW64\Ajojkjfk.dll	Mpegka32.exe
File created	C:\Windows\SysWOW64\Mebpchmb.exe	Mcccglnn.exe
File created	C:\Windows\SysWOW64\Jmnpkp32.exe	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
File created	C:\Windows\SysWOW64\Liibigjq.exe	Lhgeao32.exe
File opened for modification	C:\Windows\SysWOW64\Mcccglnn.exe	Mpegka32.exe
File created	C:\Windows\SysWOW64\Kpfenk32.dll	Jiiikq32.exe
File opened for modification	C:\Windows\SysWOW64\Jkeialfp.exe	Jbmdig32.exe
File opened for modification	C:\Windows\SysWOW64\Kgqcam32.exe	Kebgea32.exe
File created	C:\Windows\SysWOW64\Bmigep32.dll	Kgcpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Lljolodf.exe	Kfmfchfo.exe
File created	C:\Windows\SysWOW64\Lbdghi32.exe	Lpekln32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqnpacp.exe	Lmbadfdl.exe
File created	C:\Windows\SysWOW64\Ijgkkd32.dll	Lhgeao32.exe
File opened for modification	C:\Windows\SysWOW64\Jnaihhgf.exe	Jeidob32.exe
File created	C:\Windows\SysWOW64\Hbdmij32.dll	Lkolmk32.exe
File created	C:\Windows\SysWOW64\Lomdcj32.exe	Llnhgn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	3028	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmnljc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kclmbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbajci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqpqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnfbcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpdoffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebpchmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmnpkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpndlobg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghigl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbadfdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jboanfmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjalch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdghi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikooghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jccjln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kigidd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbonmjph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljolodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeidob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnaihhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkeialfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnhgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlikkbga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomdcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgeao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcjfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbmdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiiikq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kleeqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkolmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledpjdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpegka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjmchhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmfchfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgqcam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllkaobc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakqoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqnpacp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhocj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfhmhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcehkeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibigjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcccglnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minldf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcafbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadnoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kagkebpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjopnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplhfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdbkbpn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpdoffo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Minldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkolmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godaagfg.dll"	Lpqnpacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kigidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfogm32.dll"	Kbonmjph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkhocj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmba32.dll"	Jbmdig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnljc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbajci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdghi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaenpkpd.dll"	Llnhgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kclmbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkckdi32.dll"	Lhqpqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmij32.dll"	Lkolmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lakqoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjbmidh.dll"	Mikooghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmchhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfenk32.dll"	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmchhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mccfioml.dll"	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mebpchmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmnepnb.dll"	Lakqoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbadfdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkeialfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjalch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmfchfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllkaobc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomdcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbadfdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhoebi.dll"	Mkhocj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll"	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkeialfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jccjln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgkaakf.dll"	Lpekln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpekln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhqpqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfjkcad.dll"	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpndlobg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbajci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgpkij.dll"	Mpcjfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdcc32.dll"	Jjmchhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnaihhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplhfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 348	2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	29
PID 2520 wrote to memory of 348	2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	29
PID 2520 wrote to memory of 348	2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	29
PID 2520 wrote to memory of 348	2520	fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe	29
PID 348 wrote to memory of 2408	348	Jmnpkp32.exe	30
PID 348 wrote to memory of 2408	348	Jmnpkp32.exe	30
PID 348 wrote to memory of 2408	348	Jmnpkp32.exe	30
PID 348 wrote to memory of 2408	348	Jmnpkp32.exe	30
PID 2408 wrote to memory of 2860	2408	Jeidob32.exe	31
PID 2408 wrote to memory of 2860	2408	Jeidob32.exe	31
PID 2408 wrote to memory of 2860	2408	Jeidob32.exe	31
PID 2408 wrote to memory of 2860	2408	Jeidob32.exe	31
PID 2860 wrote to memory of 2704	2860	Jnaihhgf.exe	32
PID 2860 wrote to memory of 2704	2860	Jnaihhgf.exe	32
PID 2860 wrote to memory of 2704	2860	Jnaihhgf.exe	32
PID 2860 wrote to memory of 2704	2860	Jnaihhgf.exe	32
PID 2704 wrote to memory of 2892	2704	Jbmdig32.exe	33
PID 2704 wrote to memory of 2892	2704	Jbmdig32.exe	33
PID 2704 wrote to memory of 2892	2704	Jbmdig32.exe	33
PID 2704 wrote to memory of 2892	2704	Jbmdig32.exe	33
PID 2892 wrote to memory of 2600	2892	Jkeialfp.exe	34
PID 2892 wrote to memory of 2600	2892	Jkeialfp.exe	34
PID 2892 wrote to memory of 2600	2892	Jkeialfp.exe	34
PID 2892 wrote to memory of 2600	2892	Jkeialfp.exe	34
PID 2600 wrote to memory of 3056	2600	Jboanfmm.exe	35
PID 2600 wrote to memory of 3056	2600	Jboanfmm.exe	35
PID 2600 wrote to memory of 3056	2600	Jboanfmm.exe	35
PID 2600 wrote to memory of 3056	2600	Jboanfmm.exe	35
PID 3056 wrote to memory of 1040	3056	Jiiikq32.exe	36
PID 3056 wrote to memory of 1040	3056	Jiiikq32.exe	36
PID 3056 wrote to memory of 1040	3056	Jiiikq32.exe	36
PID 3056 wrote to memory of 1040	3056	Jiiikq32.exe	36
PID 1040 wrote to memory of 2452	1040	Jnfbcg32.exe	37
PID 1040 wrote to memory of 2452	1040	Jnfbcg32.exe	37
PID 1040 wrote to memory of 2452	1040	Jnfbcg32.exe	37
PID 1040 wrote to memory of 2452	1040	Jnfbcg32.exe	37
PID 2452 wrote to memory of 2876	2452	Jadnoc32.exe	38
PID 2452 wrote to memory of 2876	2452	Jadnoc32.exe	38
PID 2452 wrote to memory of 2876	2452	Jadnoc32.exe	38
PID 2452 wrote to memory of 2876	2452	Jadnoc32.exe	38
PID 2876 wrote to memory of 2576	2876	Jccjln32.exe	39
PID 2876 wrote to memory of 2576	2876	Jccjln32.exe	39
PID 2876 wrote to memory of 2576	2876	Jccjln32.exe	39
PID 2876 wrote to memory of 2576	2876	Jccjln32.exe	39
PID 2576 wrote to memory of 2900	2576	Jjmchhhe.exe	40
PID 2576 wrote to memory of 2900	2576	Jjmchhhe.exe	40
PID 2576 wrote to memory of 2900	2576	Jjmchhhe.exe	40
PID 2576 wrote to memory of 2900	2576	Jjmchhhe.exe	40
PID 2900 wrote to memory of 2072	2900	Kagkebpb.exe	41
PID 2900 wrote to memory of 2072	2900	Kagkebpb.exe	41
PID 2900 wrote to memory of 2072	2900	Kagkebpb.exe	41
PID 2900 wrote to memory of 2072	2900	Kagkebpb.exe	41
PID 2072 wrote to memory of 1620	2072	Kebgea32.exe	42
PID 2072 wrote to memory of 1620	2072	Kebgea32.exe	42
PID 2072 wrote to memory of 1620	2072	Kebgea32.exe	42
PID 2072 wrote to memory of 1620	2072	Kebgea32.exe	42
PID 1620 wrote to memory of 1240	1620	Kgqcam32.exe	43
PID 1620 wrote to memory of 1240	1620	Kgqcam32.exe	43
PID 1620 wrote to memory of 1240	1620	Kgqcam32.exe	43
PID 1620 wrote to memory of 1240	1620	Kgqcam32.exe	43
PID 1240 wrote to memory of 2236	1240	Kjopnh32.exe	44
PID 1240 wrote to memory of 2236	1240	Kjopnh32.exe	44
PID 1240 wrote to memory of 2236	1240	Kjopnh32.exe	44
PID 1240 wrote to memory of 2236	1240	Kjopnh32.exe	44

C:\Users\Admin\AppData\Local\Temp\fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe
"C:\Users\Admin\AppData\Local\Temp\fea424a9f39d25ee28f3051934f340f07fc57d141e6343a06bde1c051e87679b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\Jmnpkp32.exe
  C:\Windows\system32\Jmnpkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\Jeidob32.exe
    C:\Windows\system32\Jeidob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Jnaihhgf.exe
      C:\Windows\system32\Jnaihhgf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\Jbmdig32.exe
        
        C:\Windows\system32\Jbmdig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Jkeialfp.exe
        
        C:\Windows\system32\Jkeialfp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Jboanfmm.exe
        
        C:\Windows\system32\Jboanfmm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jiiikq32.exe
        
        C:\Windows\system32\Jiiikq32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Jnfbcg32.exe
        
        C:\Windows\system32\Jnfbcg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Jadnoc32.exe
        
        C:\Windows\system32\Jadnoc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Jccjln32.exe
        
        C:\Windows\system32\Jccjln32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Jjmchhhe.exe
        
        C:\Windows\system32\Jjmchhhe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Kagkebpb.exe
        
        C:\Windows\system32\Kagkebpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kebgea32.exe
        
        C:\Windows\system32\Kebgea32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Kgqcam32.exe
        
        C:\Windows\system32\Kgqcam32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kjopnh32.exe
        
        C:\Windows\system32\Kjopnh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Kmnljc32.exe
        
        C:\Windows\system32\Kmnljc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Kplhfo32.exe
        
        C:\Windows\system32\Kplhfo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Kgcpgl32.exe
        
        C:\Windows\system32\Kgcpgl32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Kjalch32.exe
        
        C:\Windows\system32\Kjalch32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Kpndlobg.exe
        
        C:\Windows\system32\Kpndlobg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Kfhmhi32.exe
        
        C:\Windows\system32\Kfhmhi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Kigidd32.exe
        
        C:\Windows\system32\Kigidd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Kleeqp32.exe
        
        C:\Windows\system32\Kleeqp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Kclmbm32.exe
        
        C:\Windows\system32\Kclmbm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Kbonmjph.exe
        
        C:\Windows\system32\Kbonmjph.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Kmdbkbpn.exe
        
        C:\Windows\system32\Kmdbkbpn.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Kbajci32.exe
        
        C:\Windows\system32\Kbajci32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Kfmfchfo.exe
        
        C:\Windows\system32\Kfmfchfo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Lljolodf.exe
        
        C:\Windows\system32\Lljolodf.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Lpekln32.exe
        
        C:\Windows\system32\Lpekln32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Lbdghi32.exe
        
        C:\Windows\system32\Lbdghi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Lhqpqp32.exe
        
        C:\Windows\system32\Lhqpqp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Lllkaobc.exe
        
        C:\Windows\system32\Lllkaobc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Lkolmk32.exe
        
        C:\Windows\system32\Lkolmk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ledpjdid.exe
        
        C:\Windows\system32\Ledpjdid.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Llnhgn32.exe
        
        C:\Windows\system32\Llnhgn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Lomdcj32.exe
        
        C:\Windows\system32\Lomdcj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Lmpdoffo.exe
        
        C:\Windows\system32\Lmpdoffo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Lakqoe32.exe
        
        C:\Windows\system32\Lakqoe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Lghigl32.exe
        
        C:\Windows\system32\Lghigl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Lkcehkeh.exe
        
        C:\Windows\system32\Lkcehkeh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Lmbadfdl.exe
        
        C:\Windows\system32\Lmbadfdl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Lpqnpacp.exe
        
        C:\Windows\system32\Lpqnpacp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Lhgeao32.exe
        
        C:\Windows\system32\Lhgeao32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Liibigjq.exe
        
        C:\Windows\system32\Liibigjq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Mpcjfa32.exe
        
        C:\Windows\system32\Mpcjfa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mcafbm32.exe
        
        C:\Windows\system32\Mcafbm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Mkhocj32.exe
        
        C:\Windows\system32\Mkhocj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Mikooghn.exe
        
        C:\Windows\system32\Mikooghn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Mlikkbga.exe
        
        C:\Windows\system32\Mlikkbga.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mpegka32.exe
        
        C:\Windows\system32\Mpegka32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Mcccglnn.exe
        
        C:\Windows\system32\Mcccglnn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Mebpchmb.exe
        
        C:\Windows\system32\Mebpchmb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Minldf32.exe
        
        C:\Windows\system32\Minldf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 140
        58⤵
        Program crash
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmdig32.exe

Filesize
94KB

MD5
0186a3bd7e9f6016ee39ee92d3d83e39

SHA1
6b6271a5f1aed24b81ced70305b08dfe8074f65a

SHA256
0ab741682d17d462e9faf281bae3b9b9ff00055200f43d4e58c7d29550a78f25

SHA512
0126e7a25abf2f724777c6b0bbbf48d122ce697040c73f1c1c816946e0f33cf3f47ce456aae6827caa043e65151b1ff7d3b8cae8c4e6bf35375480da8d4beec5

Download Submit
C:\Windows\SysWOW64\Jccjln32.exe

Filesize
94KB

MD5
d67a8b02e409ef50af7cfc7f9970071b

SHA1
bfd590aadc0d52240e8b5d56757fa3182532ae57

SHA256
343e52d3784e24305c48603d8ee05f337a9f2218e17753dab77699280641c649

SHA512
40251599238367f99587f9228bd91918188d0971e9e0da554cc225c9038921cdcac3c9a6277877c5d501a6a761b852eef35e424b103d714d078e00cc195dad40

Download Submit
C:\Windows\SysWOW64\Jeidob32.exe

Filesize
94KB

MD5
c30704f03bd52b5037d6f6ccd3d0de60

SHA1
a05d1c00a4ee3982df2c8732dfa7bdcd765fc7b8

SHA256
36f72c839adc964b6b2ecf945ea275d4ce60eced00b93b11637e6cc41e12cf56

SHA512
21c33a3aa7412adff3848f15ff0a636cec10adf887579cd54e0cbb407141b417de4541af2dfcac2076a1b2f5589a0df14bd17f48bc7d83838c5e4e5bd3af9141

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
94KB

MD5
e50e1bb515223a38bddcc2b7bfa4574a

SHA1
caedbd81c263ef299f26a8838cd25bba2b7b2162

SHA256
597378789a1b5e63a4c74f0f5f048aface37de234fe5310b74505d068bd78782

SHA512
9ed758c7bb777ced0919f0bb0d9884d4bf79eabf7d8f7c658689506a06290187564442444f22b74486433609a550c391d36c8f5e6a7457c2ce888e15c291e439

Download Submit
C:\Windows\SysWOW64\Kbajci32.exe

Filesize
94KB

MD5
d46350428a3ed3818cfa26cfbd5204bf

SHA1
281d56144835afc443cf40bddd8692eed42d06f8

SHA256
91b0645a032f72e7d0a5fdbd4bf036f9fe1a51d4fcbae3793825ba91d3ed57d9

SHA512
e70660f5d665b7b6da5ff5fc9b1f86dabf184252923dfabae11acee6fc5877c6f94b87cc0af5680d7a3a00e7163a70b84af678ac65329efb0f4c1cb954a87de5

Download Submit
C:\Windows\SysWOW64\Kbonmjph.exe

Filesize
94KB

MD5
5d97cf1c511a523f3b06dfa0db77b957

SHA1
4a7cea681f1589b356afaa97e3a6775a6793d561

SHA256
3e671294b6094bc7f9af0f7d3d1e1a8038bf96adf335a5044afdfc8834dc4826

SHA512
2743dd100a58cfaa0a104317bf8625720e449e227385f593b81d6ffa4fd6b942bfa1693979f8732d4d82716961505b4bc6e8133577d14229d4f2c2f46d56902f

Download Submit
C:\Windows\SysWOW64\Kclmbm32.exe

Filesize
94KB

MD5
359ae9b9ea7af01005cc42cf8389399d

SHA1
42226074cee1f0b925731ecf3eea226d2591b8d6

SHA256
fcbf6fbee231aa405bc1f3a7c7a14884962ca0ab7411cdf86d16f4181785fc8f

SHA512
b1a9e8ecdedbe08d73cb400f9ef8114df292f666078933203ad53f51c1d938243a1fd925521ca8b74835f8a4e5f6949a471530caccb0749a5a7f8ccce0a4d7fa

Download Submit
C:\Windows\SysWOW64\Kfhmhi32.exe

Filesize
94KB

MD5
45428c509e3fa661638868fe7a60d30a

SHA1
e7b547d5ca36c5c996c05b597ca6d73e37f1c9e7

SHA256
88d863b8808229e459bbc0511714c21d9da8ed816c0c93fb9d556f6833a21810

SHA512
23fae2eaf0341789556fabce8e6c5506655de511ab882f59c4bbede4b4dd55d427c45b537de92b436ad9acf1e0f488d6b6c3c72867503ded90153df90fdcc9d9

Download Submit
C:\Windows\SysWOW64\Kfmfchfo.exe

Filesize
94KB

MD5
d9d94d079a6054fe86f0a890a8dc502f

SHA1
5ad701366149ab391d1aac1cb3fc81ef79e9e71e

SHA256
cc9874e948b5d5bdf1597d0aae7035134d308cb06cb7359a816e752d149da843

SHA512
f336bbd70f959999063ca6e7db2a6fb11d3cb3b71f8d4a12b002d6e0f2507cddb80108276b8cd363472de0605aff415970e57d9defa42f8b70427e1f0a57e629

Download Submit
C:\Windows\SysWOW64\Kgcpgl32.exe

Filesize
94KB

MD5
0058ef90250c122f2af5946acaf96d0d

SHA1
4ea070b9b8ca6b6246b82aec44b70b79425e090c

SHA256
1dcde18d1d3f26f7fe224430b4b7ac08cf592de813f51837c784c222e9385e7b

SHA512
494b6086b63c13c2ecada6a1be474a867ee1b89639afd60c4497e018271b5fbb5b14166b49248c05767001ebac82c962cfe414931b83649a82f339dfcd4212aa

Download Submit
C:\Windows\SysWOW64\Kigidd32.exe

Filesize
94KB

MD5
4a05e5d23b622e5e313c34aab34fb410

SHA1
51eb4e4aa81fba10007119fd7614e0c97cedb06f

SHA256
2bda2ba3b0c56da77caa308509e6849bb990be175b1b2a940e1e2892932958b6

SHA512
2a81aa8b7618d19b2dcd6d7228b59fa5fbd0b5b2c5a2324b59bed07244fca58c0ab9b6734229d59e92b467e512868c0b3fa66bc4ecd6939c0778861a1e8bf2c3

Download Submit
C:\Windows\SysWOW64\Kjalch32.exe

Filesize
94KB

MD5
901f9e080329bdd6f58964d86723ea54

SHA1
61973aae1d850ca452d3422efedbef1908ce37fe

SHA256
3e579fe91cdf1f0a56ee40b8ca4dddd0090124c9b1b688a1362e434f54264fd8

SHA512
99c4b6694860e10de76bc4a7968f5c8e7d1421c8576064cb531b284052c773232c06a4d60dedf935969976083d6ec97ced37ca95bcef348d59b601f13aa0698e

Download Submit
C:\Windows\SysWOW64\Kjopnh32.exe

Filesize
94KB

MD5
3aa57b306d81b2626db52026f0f08a65

SHA1
3ccceae7f8e7af1307c0913e47375d93879b1b6c

SHA256
4b044ec09525495b5f04be75294edf85d7865e70de634695f010f97f6f247b7c

SHA512
217e4da2e2b69c46f57cf5f24600c2e7fdcedb8d85be6badd848e8a5892cb84c5ddcf60528e53b5c55ae079f84df158cd4b6a61a527ddfb94bdb920ece7f2a4d

Download Submit
C:\Windows\SysWOW64\Kleeqp32.exe

Filesize
94KB

MD5
6ade02a6472b93321de7efc74f9373ca

SHA1
7a2671eebd1aa948d41f9d3c474d2830e3fb0742

SHA256
7104fe0aa7cb8c682bf2b993b513b356e197d8bfbceab590c5fb5ca88cb494ef

SHA512
4097b6bdcfa8bf55c4804e3580878cefd32bdfc7f602f52e8166333b99808565de9b948c40a645118c55640c7536cf39334db0b3e0b8e8c2f52abcf3b989c26f

Download Submit
C:\Windows\SysWOW64\Kmdbkbpn.exe

Filesize
94KB

MD5
6aefcbd3dd4ec248e0b520acc2b39ca6

SHA1
c1b05272899672cddfec8af111debe0e51271f6a

SHA256
98630fe82a6e13e81600480bbc9a0473fd79b3f3aeb63a5acb611f64d04a5dc8

SHA512
4e7196c6e4bc36ee12b2340acf87b32e1931b0305ed59009c891d92f5d8081d8dd2e33f03975d184029ce64e083239fd3aa9b1605360fc35ef26ab5f287b8196

Download Submit
C:\Windows\SysWOW64\Kmnljc32.exe

Filesize
94KB

MD5
259f347054088602372a5d2bf9f5e75c

SHA1
604d76af4b980d64301e7b9229410966f5ca4da1

SHA256
80b98035e0b4c52d39b1057fadb5a2e356d09d9424c01df7ffc879cd29b3f1f8

SHA512
2a1682a531cc710a3617b2061c500b758ce672c995c78828cd47de59ca4b887538623dba1049224f532c7ea5345e7ea88d34554524ddc511a0c4552c5febfadb

Download Submit
C:\Windows\SysWOW64\Kplhfo32.exe

Filesize
94KB

MD5
ae020b1cdd86665cf5cd9e9dc04b80c3

SHA1
4b125761822e72b5a2c509b8d00c57dd55ce88f0

SHA256
6b8fcae42ce71c34e6002334b8f239f277bf6c850440087c1df560f2d877e2a6

SHA512
2e91c4d5141f983f89b58ce1ecfb0341767af03dadf0659d6034d8765b72a8f889cc9db419e3445c914a651d7a0849e12c6f4ef25f55956e2b63e568418e0e94

Download Submit
C:\Windows\SysWOW64\Kpndlobg.exe

Filesize
94KB

MD5
58e5e165ea3abd875cf493231a19e24e

SHA1
9bd92c1a23f076e1ddf091d1d07c18293e154d60

SHA256
4c32043742c2b75cf06f67426d4d7a223ac2cdab73595f75525db5a3834b287b

SHA512
2d582a0ae71de747037cdda8559f60647dc7193e73684ea48efb7f46717839d21f11d58e5f579ce9d973a014e2f346d4dfdb67b4922fc732916c7028cd349d03

Download Submit
C:\Windows\SysWOW64\Lakqoe32.exe

Filesize
94KB

MD5
414d5416fddfd9c69621562c53104335

SHA1
e244d2dcc005bdbda07a675fe745f033b69678cd

SHA256
70f6c911b1c0717c7d6a2a5bdc59a81436853d244a2420460d53c3b871fd53bb

SHA512
3645571e580fe1a6f21a26eb62e07193990b3d461a6f9cda25de36981c1e21516e44f9b82412af5e1dfce182867dbd6b4e49a995713835647961fb04305a1c81

Download Submit
C:\Windows\SysWOW64\Lbdghi32.exe

Filesize
94KB

MD5
53eab06e2945bffb7460f35c7d06322e

SHA1
1103f03c14570dd17c13862f23fcf799c97c49ae

SHA256
96ddd37f0e0ab81d416f8d83a3a6cb2ee10d09eb3f7b008bb2bf965f8ac16d82

SHA512
680b29a0aca278d9c8731224e94238af5614c57ef27874b3522f6e9c6401bac78890728038edf4ec358ba57b90ea8c41f3f7da90bcba3f2bcb875e62fb97f5b9

Download Submit
C:\Windows\SysWOW64\Ledpjdid.exe

Filesize
94KB

MD5
86d3a3d2a505af776f5b614c34e1dc1f

SHA1
226de208980cc92793a7c0f79bdd9d87841e2175

SHA256
b8d3700355a516a49375623943a996ff672880670116121291a341470749cc30

SHA512
78e69b2a3bc0d465472e4521a1a9bc0eef97310ae5ddd6e74670efda2cb905cfe355c1be168c7262737615b2d7cc3bbc9f3c7484a4809201b7c8abb8a4bd5570

Download Submit
C:\Windows\SysWOW64\Lghigl32.exe

Filesize
94KB

MD5
56b729d8d5e9af2ceb42984a83103080

SHA1
66537acbd9b112b5243473e756ef89fd47e1b720

SHA256
975abeb645d3ccddf82ffc0546aa15aff47fef4852a410310dccb53f0caaa4ed

SHA512
25ca0786226716da38971a48aa3992623c5e3f8baff1edcb2231de8b0f850fe72b4e3ab15a8e78cddb170d7906a64bc4a741c9c6b4ccd56eba9a0433fae74d6c

Download Submit
C:\Windows\SysWOW64\Lhgeao32.exe

Filesize
94KB

MD5
927bb679119b71defbd091dd9caf92bd

SHA1
c7e24e48d9d626ae958921aefcf64d263d5a6579

SHA256
0a9fa6e8c4e677fec713226087194122330ae14a3e57e37d8ebfe4b905a11d0d

SHA512
b8b5a7446f58cb7c6384f75573a59e09f27328e5f4a4a08a3063bf233c9fff21f0ac4252ee64284247e476b5b4857b65f2061b9ae0578ca044942696710f917a

Download Submit
C:\Windows\SysWOW64\Lhqpqp32.exe

Filesize
94KB

MD5
7f01ac4f590c1927a2f4a23bd1c650ef

SHA1
3a5a593f57a04ec0ac6781ee0943e35b04888d4e

SHA256
d38b78f1d0d0d1bcdbc1ca53d478d01fa319a0770c891b9ce44ffd98753de7d4

SHA512
4afabb5615a1794f4c2f74a61673ec75de654ecc39ec1f6993c653231eaa2025f1d8e2143b72f2f760840a9c8ccf32a2a61426ea0a0519ad2a1632549e122d7e

Download Submit
C:\Windows\SysWOW64\Liibigjq.exe

Filesize
94KB

MD5
bd21bd8cc827503dcb924728ef69bf63

SHA1
a355798d5bcd0ac0987819403d32d92f8ccd471d

SHA256
6bb49b4a7b9a280f8b7c004a5c515616d43f64e516bc64a123c44db6b6237bfd

SHA512
32143a3ddddc31a52231524dbde5b38ebfbda80231c8449803e02d852a206c42bf18bd9a71b8bb5c90443e2edfa92e7bcf23af1245dadd80f7207b015ed6425b

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
94KB

MD5
5b020e6b9a2ec34c9ee5be045cad53ef

SHA1
ae07d9781409442574ba44add3caa240593176df

SHA256
1d6745ac71482740fd84cedff61349a6efd0631627a18a2b75a7a5e901fcb5ad

SHA512
917c3d1b85d9ffb9d022fe6a744228889075663d26d72f5a6239e5bfc4c6f5a6c4658a6fdd11543841b2da60d3b6ce5389ecd33a8aff1fde0dbc52e39c529168

Download Submit
C:\Windows\SysWOW64\Lkolmk32.exe

Filesize
94KB

MD5
c16f5b73c573785bba9cbd375c36c76e

SHA1
173f4161a15402892cecf777cc2d7dd0093dfd9a

SHA256
b59fcb64a126031de6e75fcbb3297d9a078e7f62957177997a5a8919c828b78d

SHA512
176dce347c151d1ebddaef02bd76eceb4be041bb2a6d2de56cc0060fa57d369adfbc2a133b6ae1925a911ffc7203531491b7030faff5e43398d5fc38ffa5f922

Download Submit
C:\Windows\SysWOW64\Lljolodf.exe

Filesize
94KB

MD5
d26c4a7cc0b6bd4a85efba0a0897318c

SHA1
4d71a84fdf0096774c6574d28cb969474de90300

SHA256
abd1518ac8a3717742c38732421e35c5e5e390d15a972ec785f9558194872d19

SHA512
36f39d11ba427c403a7208330a6b128c3a980ae8455b562cd3e6503100163649787f0d1764046c1e54d49fe81d105711fae32bba25b7b6a4abe087a9c60c18d3

Download Submit
C:\Windows\SysWOW64\Lllkaobc.exe

Filesize
94KB

MD5
b371a1cdf87bf5ac601f6054597285a9

SHA1
64b1a77209c7e3a2d179eaaa3767a2402bbf55b9

SHA256
de22e705ccca8ff8736a421b2f04bfa8fec55cd82f2d794c65e232fd136ebf5a

SHA512
9ea2370bee263e3510fd5f045a3ffcc6dcd54c8d737356d002a118c829effffb63b73e3ee9e885e37064af95cbba377fec187860655ad26947055857ee401f2d

Download Submit
C:\Windows\SysWOW64\Llnhgn32.exe

Filesize
94KB

MD5
23d79d22aa316632c24106e1b6166255

SHA1
9cd9ea35d28098efbb64f0fbb9833b1721d6d636

SHA256
7a3fcaacbd878cd5b23d96e63acd4c454bad13b957115e95bb73f96e7ac4dfc5

SHA512
ddae29ab4ff5775a0ec41ce72153f00b22041c227fc7a2b694763141be8dcee496aeca5af4cdae451a21f20649ecb4fa6546d1bed632265f68be34487bc67f7a

Download Submit
C:\Windows\SysWOW64\Lmbadfdl.exe

Filesize
94KB

MD5
8e411255404dcba4a134391e61344d7e

SHA1
15be313a760b6642ff757d97f07353b75b24424f

SHA256
2d9f5c9310f0ec8bfc91b8c4ffc4a87b895917fddcfc9b01da4327e9cdef3eb8

SHA512
43c6d804dc0c25ffc8d17d4ad18a186a5fb1bb53e71e33a427a864d84c73977ad441f15aa291f92089d8ceb9a668702d7701c51e832b0380b7f253ef06344cb9

Download Submit
C:\Windows\SysWOW64\Lmpdoffo.exe

Filesize
94KB

MD5
9a2e96ccd1ddb63060deddd72ca6fe63

SHA1
ed6fccd98a2b275a7fab310f644843c03ff60bf2

SHA256
a56d4a261727681c4f58d979bd31fb7df8f303f5bb09007a30c17be2dfcde728

SHA512
aec1bd621e945dae5a791864962b6252b350195eb14d1ca36c7c5dd6c042cd20c9ceba210688edad228e476b5ad85d5bad06362e1812dcdff6d8146975997fe3

Download Submit
C:\Windows\SysWOW64\Lomdcj32.exe

Filesize
94KB

MD5
169f8f2d8a2bda7727104ac9a8e76d93

SHA1
a0396573fa62870045acd11a7a3727e1a6a316f9

SHA256
0833db6b17886f55e87db36e0814c156eac8c9195c06ee5d3815affeb9faa707

SHA512
d6e1a93498ba0dde380a7367c3ae7d455f908ebaa3398b5de41b7279ffc531a323ad1e6b94a69578b000e28a488a8c378c346c20cf39bc420036a58e03a30026

Download Submit
C:\Windows\SysWOW64\Lpekln32.exe

Filesize
94KB

MD5
22f030d1f42201e03e38957c212d85c9

SHA1
8e8b534c8b25bbac2f22bd47d0784c765a12e922

SHA256
e9a752ba9b93ca3f469fa02ad44016cb4e24e87f4ddbaf5b0851fde4771d1e4b

SHA512
68d9f09b775718dada317fc354be8c77745403195a8bbb30aafc59b8f008bceaf75496665a9aec98684acf68179a5f49299c9b94a2238e2036cf88ae63e8ad0a

Download Submit
C:\Windows\SysWOW64\Lpqnpacp.exe

Filesize
94KB

MD5
67bab2358711cbb5bf96bb4c4e402ada

SHA1
972892055cd50747bccd9db99345ec8d9cc702e7

SHA256
6af9ca19a790257b1a44c62601167f8cf9551c7a09295448f13c0bcbad75c132

SHA512
c3887c55950d9cfec821b536e4646f9163f69183d2cf140e27646d29b619c9ee252752bdc1d46239da802166a6a08040e28c4847b86e1deaffd00eda90a8d1a8

Download Submit
C:\Windows\SysWOW64\Mcafbm32.exe

Filesize
94KB

MD5
b225318c17ac58ab674c7383f3abcca8

SHA1
5184c97ea012c53a38c7c032a4656e2a758b89a4

SHA256
4c6fdbe473e745e2223272745f357f287b4e436bf75f95371945efd204804d1b

SHA512
701c0f9288902b6184b604adeeac087e948cd82d13bb3b9b449a352f3ae60d01afa7a773df2d6e71530542355c3e535f0062f23d59f2401acbb4e7afd3d32bc2

Download Submit
C:\Windows\SysWOW64\Mcccglnn.exe

Filesize
94KB

MD5
377273ae472b54c4e62530879daf4f7b

SHA1
b60497bc6c91800ca7830cafd48ea94582fc0620

SHA256
92da483c895d398e7070632c55c7789b7f526bb9652e2a3e00db0269e5973618

SHA512
1ae5429abe06f8b2e30c09f49392b372d1b8f9594ca272289093d539d08d55a0b990f8416341d69a4cc4e3848a8636aeb41307a1707857132f27aa2d378aae5d

Download Submit
C:\Windows\SysWOW64\Mebpchmb.exe

Filesize
94KB

MD5
b81ce296ab5354b695b77b82287fe4a8

SHA1
1edb8638335b9ebfbea67a9b73580d678c851da8

SHA256
be58a9885e53ed290d69a87453ed9ecad4856aa483e41414bc308f26ef154e0d

SHA512
6be458c3895ea0781931d3fb9ae73f084beee257fa177078828948ca52cfd9cd94c1c484989fbf089e24ff2303b516b0ce8ff1d822cd13df63d7ebeb0306e2a6

Download Submit
C:\Windows\SysWOW64\Mikooghn.exe

Filesize
94KB

MD5
098c9fba0fd44ec1112b05357762f284

SHA1
d3c47009204ff41c3991994eefb1f48b52d52fff

SHA256
11c807bcbd1e6ba9b8d76eef70ac2d38acaa7e29d64e8124f1020dab53685de4

SHA512
89b03a6317e5f4f89480b4296ee7cb4f877dd812d4a4bb29beffae191490b0fd6ca4090590b4fcd2cef2d5706d840e8173b07d6f3a8b710aaf89e45a2915975c

Download Submit
C:\Windows\SysWOW64\Minldf32.exe

Filesize
94KB

MD5
cac22a25b5fda71b3197817e3e7c3e55

SHA1
59cd34afa5ae33b9d3c644fe56347c488e6d7df0

SHA256
9a45b412e178800232ed3e439cd83f1c9473419218bf416ef3c165ae6e190076

SHA512
694968ef48172763068610729b67183ec63344df2f46a868df9f2f534c73e2dafa53c837983d016576c400a4cf34a244cfd9a421647bbbcdd243cc3a6888b109

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
94KB

MD5
118570587d972340b0a98da18c806721

SHA1
06768e8b44c706ec2700e0da78ab8e98fb1ade77

SHA256
9d0cd7211f5004b9c510eb5586e55bb942b6f714ea04c5217d040af24290dcfc

SHA512
c9d0b45822f4e0a60f6330dfb5302f16e1013077129f10b58aa77ef226b6e8611c435cdc624fe2b9a15f8ea13339d0b93509c40e34a6555d51e6e3ebfde9cc84

Download Submit
C:\Windows\SysWOW64\Mlikkbga.exe

Filesize
94KB

MD5
37f9eb5fe5205b14f2a6c61e0dc35397

SHA1
d4ee99570b4a4a086f0e7d3d943838887784e083

SHA256
e969b051c08a096d908181441c2f86939162198fb2653473b4becfec481e8f22

SHA512
1a8bccae02a9d093c5c3f037805f725a4c521afa4ee0d547b4a99d487f52e4a1511fa132018af4f098bb8a85806a399d902a5d8f7883b8fd0b480777391c7f79

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
94KB

MD5
97c1f37594fe1161781136c8e4a2d71e

SHA1
d5d04333ab94390cb508f8a17f694c6772b7a5fc

SHA256
64f42b9738929786a84be10347be45b1b2520da04a8f6ed194a0df41c31f2206

SHA512
f0ef68c6524efcaeb6c1f2a5a674d197c0a8d17cded15dfb59ef09a0ae46b7c568214f81cd37837705a2819ee2926bf421fa79581c47cfc43d1c10f99b1fea8e

Download Submit
C:\Windows\SysWOW64\Mpcjfa32.exe

Filesize
94KB

MD5
f491317afc7ae6e88bfd36064af58d45

SHA1
a81251b24fb4f22a8f545c6bc69eac600052947b

SHA256
2093b43805716cdce0fe7b2ffc4b21a3d0a04d813b6bd5e1bd9c1d17c8cc7459

SHA512
36bdadc5e80c4d37a3cb1e175f066752c8d3348713dce0c54c5da3d4da26bd6f2645b0186692416157e702d2827a553c8c6b3f58a0762cf10504b2ccdc468422

Download Submit
C:\Windows\SysWOW64\Mpegka32.exe

Filesize
94KB

MD5
94b9182b47a8e1a0aedb134b83362fba

SHA1
7eeb2e3a824a19660f57adc8c54c733f21a98bfd

SHA256
55f8837e86cbfe525ca9c261b0e46098c2672621eb766ae159df7eba152162d3

SHA512
ed4767bffff67d4c981b8588e86d86843bbd8363803787a9dc15be4d1bf6cf51bc624204b6f247ad297c7f86c148ceb5e782d6bfb4323e8467c75ddad62471dc

Download Submit
\Windows\SysWOW64\Jadnoc32.exe

Filesize
94KB

MD5
2bb8d20a6488a3308c51ac1b186d59a4

SHA1
dae84795dc1b9ad11e98cc56e16b85427c83ea40

SHA256
64a7afb8c492323b682a39e3db961d2d7da6fb8de1c598e5b22113f61b3a0e4e

SHA512
46c4c3fdd0c6e5d9c9021c0c6c30e0cb614df2cc5aa4ac9b7c27943291f77e2455be7a2ec0dc072ad8a47e5bba2446837af14a7a18c60cdf2920a0c156d76617

Download Submit
\Windows\SysWOW64\Jboanfmm.exe

Filesize
94KB

MD5
ac27925c3f89b7e4592749a5128bbbc8

SHA1
87296f0000322d1b2b623e2d7b1c6f20eca69ed3

SHA256
3ad82a57edbed4beb65950a69900026e96183f7553324a4ab0b3a9db742e688f

SHA512
53d6bd1190cd19d80820dcf2e504f74fac0bdb71fed1e8ff6fa2c5f75ae61bb641e491a15f11db2896a6fac8f4f838e8f271ca7e616744965edd2aa818c7a82f

Download Submit
\Windows\SysWOW64\Jiiikq32.exe

Filesize
94KB

MD5
cc110adbcdbc2f5a371c531e986a9c78

SHA1
47f4aa25d78ff1b1265753d9611351daeda4b6cd

SHA256
5099f0de99b31b4b9c6e704ba96628c9c6e2a129ab4f91c299eb13ced38ab617

SHA512
f190260e0876ba9123d71a37c3b557996be5405108cc7d264dc1b9869885af5b3136fcd843058a33b58c564beb5173ad2045f2cf7bfd77079a957da1cb006aa7

Download Submit
\Windows\SysWOW64\Jjmchhhe.exe

Filesize
94KB

MD5
9cafb6419779ca39d116b0deca75c960

SHA1
5e61c386170763aff483a6338831e6bd75eb67ba

SHA256
91520a39a424cb37f09a79e7538a76db58e1523518e1fedd63196403890a5234

SHA512
98c38692d43b2bd7b40c33e80ecc0da7fd1617e02ecfd8aae0ff706532fbdc98f714cb34e73a54628f36cbaaed08638c41f0c0b5ed0e093317f7d4c47e33a379

Download Submit
\Windows\SysWOW64\Jkeialfp.exe

Filesize
94KB

MD5
4a19a4793d075a70a0b8d2a2ca896283

SHA1
6d5cfa8f13e2a44270a8030b8029ac8566283964

SHA256
657c9a157e05a4149363184d9f481bf3e52217c665ee5d9b99b08926625e9e80

SHA512
f9295b199eae6a8b064eb67a6a852da5f72a11b52e2e7aee2bd0d0e2913aede62fdd87fd59a34658760e316cfd987e6ca201b8da69266c9fbd0176226279d017

Download Submit
\Windows\SysWOW64\Jmnpkp32.exe

Filesize
94KB

MD5
1c09175446bd0ca6a0e0a83a2774bc94

SHA1
fbc1029df98902b4e22dcab742c17b7c82c21a23

SHA256
dbcfabbe76587f4eb0fd0101b420fa9a42d607d84e973db879de46f9cb2d0dd4

SHA512
9008e28799a4f2ef145da521cdb4d12b7a8d12959b8eb4cb342b0ceb6ae9bf0058fad4f8b2f72e42fda14e0a8c62ba6155af84538e1f5babc6b7c9ac4fb8094a

Download Submit
\Windows\SysWOW64\Jnaihhgf.exe

Filesize
94KB

MD5
9a4011e772cd02073b422cbd88785853

SHA1
06b2c1c05b581cf8ed74e17e45db271bc63d12ba

SHA256
e6480490315454090cab77e4064957eeb08c5f981ac791d258ddf6213a268a68

SHA512
d477e75d73e1d14ffa6eb0814e67b079c845dd900d38255b5fd08fd3c8709f8620e54966ca9eaadff29f7c220eaffa89d6f2725d0ea8d7d2e2139f11c06c873a

Download Submit
\Windows\SysWOW64\Jnfbcg32.exe

Filesize
94KB

MD5
bcfb6591d3801f2de376cb175abb6ed8

SHA1
da8effdb66f28db7d48c924cda298f77e40583c2

SHA256
2a0463189ec94762064d2b537ef11860ea2c4e02cbf9bb50f292e7d8647eee9c

SHA512
3a88b71b1e5fbfe943c61d74e9e84889e343d41a62193af67fbd2e44eb0dc3885453218ff26b73ba3019b2dd7dd5e740f13e39ef7d2a4c84907ca6687195dacb

Download Submit
\Windows\SysWOW64\Kagkebpb.exe

Filesize
94KB

MD5
3ab2c7d625c7e600ad04d275e5de506e

SHA1
6f19dd46b3df7f6af6fc276759a6b444675847e2

SHA256
182426c2621ea60848bdc3985ab0bd61879f51701e93e2c79ed61bca7827803b

SHA512
76195b94afbe2a894a3049de0e5903fc48d90eeabfff5a6bfaeedb2332648910c8d82b166e9bfe02e6f32d93083e454c737ab961657a545cd256b8359869bdd3

Download Submit
\Windows\SysWOW64\Kebgea32.exe

Filesize
94KB

MD5
02ce15d4e1185251e648152cce50330e

SHA1
bb5e9dd1f59ce2091629b5c2a7a41039662c837a

SHA256
4def1624b5974af5bcbaa833f9973452f233e379b629eaa4a86f3e57c5800fd4

SHA512
a3dcd0ad863460d9b9ef7bf1e3176218dad809726ef53daa0a66786a72e81bc3b00d22365eab589581b55f6fda1c7eb5ab15fde3595a6196aa49edb7636ac525

Download Submit
\Windows\SysWOW64\Kgqcam32.exe

Filesize
94KB

MD5
68e7c80aa5011573b646ecedb74efe1e

SHA1
dbfe94bccfe72fea1809180670e6febc06bfef0b

SHA256
a3b0d8ac4a227d1239f0a4506e094509c4b287474ab681f4fa740be18ac56b31

SHA512
5cbab6d410ca686be621d33ff7dc84f847a187968d2844fd28f6ccdcb89ddd2bb4f620d54c39a09b66713773a9cf758e05b70a4a42060b4625d1e131dba3d3a7

Download Submit
memory/348-25-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/348-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-435-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/396-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-371-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/408-367-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/408-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/492-316-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/492-311-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/492-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/824-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-233-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/936-232-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/976-258-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/976-263-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1040-434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-477-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1204-478-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1204-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-305-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1232-301-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1240-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-273-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1536-269-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1596-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-295-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1596-294-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1620-194-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1620-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-284-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1760-283-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1760-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1824-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1840-239-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1840-243-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2072-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-220-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2352-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-413-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2384-467-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2384-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-466-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2408-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2408-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-6-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2520-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-490-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2544-481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-489-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2576-159-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2576-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-87-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2600-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-381-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2680-326-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2680-327-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2680-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-61-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2720-349-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2720-348-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2720-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-337-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2812-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-338-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2840-360-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2840-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-141-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2892-412-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2892-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-75-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2892-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-168-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2900-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-252-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2964-253-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3040-402-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3040-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-107-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3056-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads