913d3a7bb632a61ee95e68ca3311c9665e459155de34ef30189083c99c4b2ae4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f47182f6960ee9e62f41cae41aa9d0N.exe
Size

92KB
MD5

13f47182f6960ee9e62f41cae41aa9d0
SHA1

dafb5d4e398865134fbefb500bcc924ea5d6fcc1
SHA256

913d3a7bb632a61ee95e68ca3311c9665e459155de34ef30189083c99c4b2ae4
SHA512

123707c9b5d45b10422da75ce736d5f4a64144398005f64d8375f7fdf4016091b7841b3085bb17f8b1cce42e879f1fe9511108c42b363cc4a5a5257819c7e6ba
SSDEEP

1536:InKTn8GsohT0XA9Ik7HCw9ThUNrKblJkoBPmW822HXgoTwOOOrnKQrUoR24HsUs:+M8GsohTuA5Z9tKrilvPph6THsR

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legmbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljmlbfhi.exe

Executes dropped EXE 29 IoCs

pid	Process
2776	Lcagpl32.exe
2804	Linphc32.exe
2540	Lphhenhc.exe
2388	Ljmlbfhi.exe
596	Lmlhnagm.exe
624	Legmbd32.exe
1920	Mmneda32.exe
2928	Meijhc32.exe
2516	Mlcbenjb.exe
2784	Mapjmehi.exe
2300	Melfncqb.exe
1912	Modkfi32.exe
2100	Mencccop.exe
2976	Mkklljmg.exe
684	Mmihhelk.exe
1568	Mgalqkbk.exe
444	Mmldme32.exe
2160	Magqncba.exe
968	Ndemjoae.exe
1732	Nkpegi32.exe
1668	Nmnace32.exe
888	Nkbalifo.exe
2440	Nmpnhdfc.exe
1876	Nlcnda32.exe
2184	Ngibaj32.exe
2848	Nekbmgcn.exe
2572	Nodgel32.exe
3060	Nenobfak.exe
1268	Nlhgoqhh.exe

Loads dropped DLL 62 IoCs

pid	Process
2768	13f47182f6960ee9e62f41cae41aa9d0N.exe
2768	13f47182f6960ee9e62f41cae41aa9d0N.exe
2776	Lcagpl32.exe
2776	Lcagpl32.exe
2804	Linphc32.exe
2804	Linphc32.exe
2540	Lphhenhc.exe
2540	Lphhenhc.exe
2388	Ljmlbfhi.exe
2388	Ljmlbfhi.exe
596	Lmlhnagm.exe
596	Lmlhnagm.exe
624	Legmbd32.exe
624	Legmbd32.exe
1920	Mmneda32.exe
1920	Mmneda32.exe
2928	Meijhc32.exe
2928	Meijhc32.exe
2516	Mlcbenjb.exe
2516	Mlcbenjb.exe
2784	Mapjmehi.exe
2784	Mapjmehi.exe
2300	Melfncqb.exe
2300	Melfncqb.exe
1912	Modkfi32.exe
1912	Modkfi32.exe
2100	Mencccop.exe
2100	Mencccop.exe
2976	Mkklljmg.exe
2976	Mkklljmg.exe
684	Mmihhelk.exe
684	Mmihhelk.exe
1568	Mgalqkbk.exe
1568	Mgalqkbk.exe
444	Mmldme32.exe
444	Mmldme32.exe
2160	Magqncba.exe
2160	Magqncba.exe
968	Ndemjoae.exe
968	Ndemjoae.exe
1732	Nkpegi32.exe
1732	Nkpegi32.exe
1668	Nmnace32.exe
1668	Nmnace32.exe
888	Nkbalifo.exe
888	Nkbalifo.exe
2440	Nmpnhdfc.exe
2440	Nmpnhdfc.exe
1876	Nlcnda32.exe
1876	Nlcnda32.exe
2184	Ngibaj32.exe
2184	Ngibaj32.exe
2848	Nekbmgcn.exe
2848	Nekbmgcn.exe
2572	Nodgel32.exe
2572	Nodgel32.exe
3060	Nenobfak.exe
3060	Nenobfak.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkbalifo.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Mmneda32.exe	Legmbd32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	13f47182f6960ee9e62f41cae41aa9d0N.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Mmneda32.exe	Legmbd32.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Linphc32.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Linphc32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Mlcbenjb.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Ipjcbn32.dll	Ljmlbfhi.exe
File opened for modification	C:\Windows\SysWOW64\Mlcbenjb.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Fjngcolf.dll	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Lmlhnagm.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Lmlhnagm.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Legmbd32.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	13f47182f6960ee9e62f41cae41aa9d0N.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Aaebnq32.dll	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Legmbd32.exe	Lmlhnagm.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Melfncqb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	1268	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcagpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmlbfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlhnagm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmneda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphhenhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	13f47182f6960ee9e62f41cae41aa9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	13f47182f6960ee9e62f41cae41aa9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	13f47182f6960ee9e62f41cae41aa9d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mkklljmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2776	2768	13f47182f6960ee9e62f41cae41aa9d0N.exe	30
PID 2768 wrote to memory of 2776	2768	13f47182f6960ee9e62f41cae41aa9d0N.exe	30
PID 2768 wrote to memory of 2776	2768	13f47182f6960ee9e62f41cae41aa9d0N.exe	30
PID 2768 wrote to memory of 2776	2768	13f47182f6960ee9e62f41cae41aa9d0N.exe	30
PID 2776 wrote to memory of 2804	2776	Lcagpl32.exe	31
PID 2776 wrote to memory of 2804	2776	Lcagpl32.exe	31
PID 2776 wrote to memory of 2804	2776	Lcagpl32.exe	31
PID 2776 wrote to memory of 2804	2776	Lcagpl32.exe	31
PID 2804 wrote to memory of 2540	2804	Linphc32.exe	32
PID 2804 wrote to memory of 2540	2804	Linphc32.exe	32
PID 2804 wrote to memory of 2540	2804	Linphc32.exe	32
PID 2804 wrote to memory of 2540	2804	Linphc32.exe	32
PID 2540 wrote to memory of 2388	2540	Lphhenhc.exe	33
PID 2540 wrote to memory of 2388	2540	Lphhenhc.exe	33
PID 2540 wrote to memory of 2388	2540	Lphhenhc.exe	33
PID 2540 wrote to memory of 2388	2540	Lphhenhc.exe	33
PID 2388 wrote to memory of 596	2388	Ljmlbfhi.exe	34
PID 2388 wrote to memory of 596	2388	Ljmlbfhi.exe	34
PID 2388 wrote to memory of 596	2388	Ljmlbfhi.exe	34
PID 2388 wrote to memory of 596	2388	Ljmlbfhi.exe	34
PID 596 wrote to memory of 624	596	Lmlhnagm.exe	35
PID 596 wrote to memory of 624	596	Lmlhnagm.exe	35
PID 596 wrote to memory of 624	596	Lmlhnagm.exe	35
PID 596 wrote to memory of 624	596	Lmlhnagm.exe	35
PID 624 wrote to memory of 1920	624	Legmbd32.exe	36
PID 624 wrote to memory of 1920	624	Legmbd32.exe	36
PID 624 wrote to memory of 1920	624	Legmbd32.exe	36
PID 624 wrote to memory of 1920	624	Legmbd32.exe	36
PID 1920 wrote to memory of 2928	1920	Mmneda32.exe	37
PID 1920 wrote to memory of 2928	1920	Mmneda32.exe	37
PID 1920 wrote to memory of 2928	1920	Mmneda32.exe	37
PID 1920 wrote to memory of 2928	1920	Mmneda32.exe	37
PID 2928 wrote to memory of 2516	2928	Meijhc32.exe	38
PID 2928 wrote to memory of 2516	2928	Meijhc32.exe	38
PID 2928 wrote to memory of 2516	2928	Meijhc32.exe	38
PID 2928 wrote to memory of 2516	2928	Meijhc32.exe	38
PID 2516 wrote to memory of 2784	2516	Mlcbenjb.exe	39
PID 2516 wrote to memory of 2784	2516	Mlcbenjb.exe	39
PID 2516 wrote to memory of 2784	2516	Mlcbenjb.exe	39
PID 2516 wrote to memory of 2784	2516	Mlcbenjb.exe	39
PID 2784 wrote to memory of 2300	2784	Mapjmehi.exe	40
PID 2784 wrote to memory of 2300	2784	Mapjmehi.exe	40
PID 2784 wrote to memory of 2300	2784	Mapjmehi.exe	40
PID 2784 wrote to memory of 2300	2784	Mapjmehi.exe	40
PID 2300 wrote to memory of 1912	2300	Melfncqb.exe	41
PID 2300 wrote to memory of 1912	2300	Melfncqb.exe	41
PID 2300 wrote to memory of 1912	2300	Melfncqb.exe	41
PID 2300 wrote to memory of 1912	2300	Melfncqb.exe	41
PID 1912 wrote to memory of 2100	1912	Modkfi32.exe	42
PID 1912 wrote to memory of 2100	1912	Modkfi32.exe	42
PID 1912 wrote to memory of 2100	1912	Modkfi32.exe	42
PID 1912 wrote to memory of 2100	1912	Modkfi32.exe	42
PID 2100 wrote to memory of 2976	2100	Mencccop.exe	43
PID 2100 wrote to memory of 2976	2100	Mencccop.exe	43
PID 2100 wrote to memory of 2976	2100	Mencccop.exe	43
PID 2100 wrote to memory of 2976	2100	Mencccop.exe	43
PID 2976 wrote to memory of 684	2976	Mkklljmg.exe	44
PID 2976 wrote to memory of 684	2976	Mkklljmg.exe	44
PID 2976 wrote to memory of 684	2976	Mkklljmg.exe	44
PID 2976 wrote to memory of 684	2976	Mkklljmg.exe	44
PID 684 wrote to memory of 1568	684	Mmihhelk.exe	45
PID 684 wrote to memory of 1568	684	Mmihhelk.exe	45
PID 684 wrote to memory of 1568	684	Mmihhelk.exe	45
PID 684 wrote to memory of 1568	684	Mmihhelk.exe	45

C:\Users\Admin\AppData\Local\Temp\13f47182f6960ee9e62f41cae41aa9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\13f47182f6960ee9e62f41cae41aa9d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\Lcagpl32.exe
  C:\Windows\system32\Lcagpl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Linphc32.exe
    C:\Windows\system32\Linphc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Lphhenhc.exe
      C:\Windows\system32\Lphhenhc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Ljmlbfhi.exe
        
        C:\Windows\system32\Ljmlbfhi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mkklljmg.exe
        
        C:\Windows\system32\Mkklljmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ipjcbn32.dll

Filesize
7KB

MD5
6de12256153329057073084c1df79df4

SHA1
8333257502b7cc6f4126fa3d871f468d677e39e6

SHA256
312dbdb8777b0df81f53c544f8fac9a05dd30d1f2a24dd769ec94fc548f5447d

SHA512
f5bbe0a7eefa16e0d5faeb628bdfd84a1ab09d6cfb211e22b946d1fe92b011773b0c4eaf1e1656c364b438d769a781c9435283e8deb359e7fb4be026f3677aae

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
92KB

MD5
755df3305ce20c07b531fd586adc8f75

SHA1
795607015965af0bd4e9e542afb31a344bb560f0

SHA256
c72ecd3b7e6d1ef2ece957c32363867ebcba892a3cd66ec44654a4770dfce40e

SHA512
f5faaef266afd7f4ed60d36f6e886cfc06b7c2ae9ba77d195c0688031e1c7c50439492e296462a4047ad05ddaefc3cbbefed00f9658f4dabdc2eeaa628250ad7

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
92KB

MD5
27dfc4f0eb9640b62c54f8718ee741df

SHA1
fcad85d32a69735a232b516090b69de5397fde7a

SHA256
3e935530752e02c574a0d515e6ef4d8cbe7cc677faa535997409e42fc4a64ef8

SHA512
7501a74ec104ede3fa0a63af5f06e79061b460c4c1527bb667fd40f3d1810d4e55496152160a1e63be8ef90da327c901fc682dc0d7eec55ef2bfb10e2f00a391

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
92KB

MD5
c5cf67ee39b06bda1ffb9cc91cab2a01

SHA1
26395bfa1b3d6bbe267954add861351e847041da

SHA256
18e7d52afae2c6d968852f9f6c5240d061ab56b59c5c5b5a69ea2a1befb3b4d4

SHA512
f4ae9530f3a8daf2edb3fb090c8ba9257140d03c6d84ec1515a8fd74fcaa56e294bfaebe10fb810a523f7711ade19bca786813ac9a7f78a42e0df297e74fbcaf

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
92KB

MD5
8362e59cb69099e06d4ad94d99573cf3

SHA1
93b7777916e51b3f4bbb8d1598c062a446fa3ba4

SHA256
29dd54d4a3a038c263f4f5485dbd9a292698a31696bddaf5a009faf476fbe8e3

SHA512
04d6c678952c8bd70a347552ce9074e762646f4a4e4e40cdc566a8730e4add0120b35ad6df72a75201a0b11352351212b78963c9c438b6039f0aa41df6a27f88

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
92KB

MD5
733f5b36254d97f9f00125cf9565835f

SHA1
b444ee40df4b07b3829224fec643084043376b0c

SHA256
af3b714184226bdf042d84a548fd77eda96290d5ef5f0fe3a530e1a532e5e49b

SHA512
f70a1aba921852b26d4a301d4d80818c87b8cde193a7a99c89f1e01ad26123b0326d42fb8ada1c2c6bff097f327c5ad95ea3421d7a5b61c2be27bf247b071f90

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
92KB

MD5
a1bf7385136442e3fca0b8cd6d6878a9

SHA1
796ea4d26b681cc90d23e251822c0132f39ad799

SHA256
0e1eb51323c32631b09c772b60ae08f12490a393264a6b0cc282747491ec9ffe

SHA512
0a73c2cf653e23d2581a2c77eb5cc1d3adad0f0401156e7b2b6ab2e855fc8e925e05521cb287273b2fc207c447eaced40cd57784cb0151d790a7ec803cedc761

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
92KB

MD5
86d9c7226f2c2d7fd5916b7213a9df7b

SHA1
49448f2926c873919902ea3df56de86b7e250d0b

SHA256
f26f82d7af05eb631963926d27e9183506f25b31d45e0c0fd98e02b55b834bb8

SHA512
616d3e7c27e792949fa7789cf0f5a521151a25e711144997d16d338c923147810ec369e98ea8071a0a68410314730b6b946b2547d177989405d14e1a27a6048b

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
92KB

MD5
728e8331ddcb30cd49732cb11af93f1d

SHA1
771bd481afd984341d5189f4ea3058833645904e

SHA256
820ec30ccfe8a740a5a8001c5c78c69ac6fc041f9a554d782501eeb62d9b0f47

SHA512
462e2e0d4032fcbb7d5731e16bc27c6ce1a92daa87c0edafce991d587a4734de7b45ab5971b4111ebd80c3930e800ba4c784aadc195058e119f64f992f3dfafc

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
92KB

MD5
b66178f8127671de124ac64a65228a84

SHA1
db51dd0a56a6bf2ca5112ae09c4b3e2d89489d4d

SHA256
e4844f04fac29525bd8ee23d793a40ab2aa7c06ef7132964616cf6e217d994ec

SHA512
81ecacda52b6af2c6ecf83b333a2c431adc8fed1df018b57135ea823e5f6dfd5623dcb7bc66e10f9a17cf34928da450cec2c3d75d837728164701e9465a0e1d8

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
92KB

MD5
3e8245db18aa65c0d980f0b63640941a

SHA1
719c53943b60d4b6e62e32ccfa9c3553b5500017

SHA256
49c06bf141100269c734ac2177bd176575c2ec2dd27d858d70612298146c99d8

SHA512
294163a18935562fec3ac1e1385f73cfddd2853890f0579e5160c17395df04f3b24346acb6d88ccf98ddc53c29ab4de5fd9814eb20dd76d7f5907cbebc3731ed

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
92KB

MD5
4c05a2bc8587866416fec4ddef15b97f

SHA1
9a7d5013de0ede5c5fef5d82cc61667b1794d17a

SHA256
bb473c6693260fe606d5e65422b2aad2de98ce159f5a568f419b6c323e9f39a3

SHA512
0c93522ec86b7bfd8bdf7a155e7f97319e96373acfe42e1109f43c0a9dbb3af5f64643fd91d81480f6bbc84f739c56a8f9cdcb24e4dd04c446472fbf25434e24

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
92KB

MD5
125eba3f58da0c6ac1b09504b16e4678

SHA1
58027c7adbe3f3174901f1e3890b0379013646f1

SHA256
06c31b8889b9b434a38b2e38f5bfc915d56937484b3ea3308840ac7a3b009452

SHA512
c708e319b66d30df7e4513475f62162fb9b079b4bb451ea0c786102b1c571ed9605c034d834d7ba60549678cea9eb6129e1a322fd0b57068942595081801cc7a

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
92KB

MD5
2d60b042a83fd71e6530db4f99a7dba6

SHA1
e344754f547ffb165b97b31dbf52628c985cb233

SHA256
8b96f115491515d88ebc44dcea9f97a8d320c231ecf3c3cbd16ca36d9f0d2cc9

SHA512
ef3794b6097b88996b4e7901b62c64af436ff3683f675bba7239dd9062d8d9c7943b0a4d113e574f1f04f823057b6b317dce9f56b80040a97fd33e1da52a2552

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
92KB

MD5
c59070e5099a91ec7f1c500effcc8805

SHA1
93eef3fa5500304a7ff3ecf82df2791f97b39847

SHA256
e50f4d1283f8918645b4f2790f91a896cb83228d966211f5fc531c3cc4ca4608

SHA512
b1d84d98ae4101eb77523cba1d79a89c2abf8cd15a3f4a89ba34d7e2e1038bc515bf4c997cc5e7bc40dbafd4b62ad049726363c6256074a861c4d93777cf535b

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
92KB

MD5
2c8c6d30dde9f0f37e280211252fb5e1

SHA1
150099e8245a9777cf690c57ea3c36a563674333

SHA256
44fb78f8ff3dee80332ee6e5160bbd693667cc34ef21b55a3fcad9481255f1da

SHA512
01a31a142eb1667baf83b9634cb0f9b03a3a68416ddda9750a8c7ff8c0151f9dda3cb7f8c344d6c9ec2ab9b4855867b782e16766f38854dbee1d47286eade90f

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
92KB

MD5
dab1a01f6ee9be9852c10df2b7157041

SHA1
c0fd67a21f3cc2a3e7df5911691395c1f0d68d4b

SHA256
24d32604a3444d115f9245b5914a288aabe709092fec33f0814732ba4d5269d2

SHA512
5ac14063b52ce6369bb539d69d8b88add3dbc862458d4467d019b18bef862066888ba016cceaea50482f53695998fa97cafd0037ba13beb7948018de166b8eda

Download Submit
\Windows\SysWOW64\Legmbd32.exe

Filesize
92KB

MD5
78533cd79994a808e5c2403cc849b4fa

SHA1
f20a913167ac5606367adca1710c1cff5b1678ca

SHA256
df1f5290074340b7be3e51d2b8ffaae1020816371362678273d2e1afefff0e62

SHA512
ad76ac559710d2ea73101e3f0a799ba3bf7d7550f0f3ea4987c5f035cd1e9f0f1dded6adf6090746dbe4c857cb7186e34ceea242ad5bdf58cc054d6b1df21c46

Download Submit
\Windows\SysWOW64\Linphc32.exe

Filesize
92KB

MD5
cecc1c062a13cbd64c7b3bce87e272eb

SHA1
2096a4505266a08375dea165b9c97c10625b6352

SHA256
3a15dd35360b8b356a57892c2088b87254657f17d4dd80e0cc0c5470f266e6a2

SHA512
d8f28cf1253a1e7e6952714eba976262ed0d05da25734e98c369d0585649700feb723b5d339790462966ab808aa0df56be18c35b615ef9a44c34be8d6b98c3c8

Download Submit
\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
92KB

MD5
b2dbda06b2261efddb0fd47eef049804

SHA1
45f88cc670d62b2621b616b79a9f2b2c143f19cf

SHA256
ff94bd198b8820ae1fe96150a7408b916483e59d2e4f6ab9866f35d8dd88801e

SHA512
996eb40bf3a23aab040c7b97d94ad1ff77c9c89774abab913be035357995075d3f917c33fdb0607462bdd43f9e5ed2f5045f6bae5bcedfc42f0cb8347b56bef4

Download Submit
\Windows\SysWOW64\Lphhenhc.exe

Filesize
92KB

MD5
6936a0e6ce10aa9d31a0bdccf4a105fe

SHA1
904c0b41649829ff0810e4f7292b2cebcaba7fe8

SHA256
2d5aac34d10050c54c04a5bad2f5cf6b0aac8de3be666aafd2f98699cf7345de

SHA512
e5de0370a4e4819b92c4c229de71e654e8053c2a5d06b717fdbb7048e3aa8741c991c308b521062fc0006b09b23dbba4d40a9b32c05c7a6a57b9fbcd8d451fc3

Download Submit
\Windows\SysWOW64\Mapjmehi.exe

Filesize
92KB

MD5
4a8401781204644edb0a5a6720a5fb88

SHA1
201ed6888e1aeecc682723332c9167ee17442cf5

SHA256
f901e516fc1a289616aaac0c6dc050360399755a10a967947362ea75f113728f

SHA512
9c3e207428033f1f1ad569557835c95516231425739ca4c672e55a04c782581aa7b6fa17d9efeea038f537b1d32e2f2cf9490949286d345a5c5400aec090dc25

Download Submit
\Windows\SysWOW64\Meijhc32.exe

Filesize
92KB

MD5
50655eeb33dad736c38bfb3fec522bd5

SHA1
fd934642b20ae6c42943691a46d8ab68abf6a273

SHA256
590cce5b0982b5c45e523c8bda32d3cb9273aaedcdba8cee66c23ed108e5b703

SHA512
ec6bbbf31810fa81c3940d5afc84c1debe9e92e1a07bb88c5c81e75bd40b6afae174fc249199caf019115346a578f025cbf6ab7f586dc78136917ea5034304e4

Download Submit
\Windows\SysWOW64\Mencccop.exe

Filesize
92KB

MD5
934982ccdb66b8f01c298f88f529deb6

SHA1
b3279af9aee2a766f132d5cf57392fa2cbfe0894

SHA256
32960f43ffdfc52ed5f2d742a7d83d122bb1673bb1c9b920f14c7017a336f094

SHA512
d6ba62902e393e7739f2b4153aaaa4dcea73a25d4708d4ce147ea29c0f93aaa17e1dab97f650f74f1cd63578dfa3e3a7d11c61d0735a683ad8df16e3f3ea2686

Download Submit
\Windows\SysWOW64\Mgalqkbk.exe

Filesize
92KB

MD5
b274a19f6894f647c974908e3790b4d1

SHA1
a8ce7392b01dceb994b20790258f563a718450df

SHA256
00ae73dbd4b86648051fc370d954e6cfa84e60fc50f73dc050f0e3dff47c622a

SHA512
2c41a7252b600def297cfc95e13b9dfcb6f19c4b8b7f00b900fd900e1d97e1eb91769070f6ecc1698b026078483f1a679633a7bcb28439a9dc35532093df070d

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
92KB

MD5
946141ca656d386c81945820e29cd3c2

SHA1
fe745e25cfaa7e5ba4ce98e5e6b0e7dbe4e42c0b

SHA256
69e7a5e440829ac47a3632c1d0eb011546bdac6ecc0d3dbef758d1e9445187a3

SHA512
137c6efe6e2ee1b774c07629be3d651dd52ecf9c95dde153eb3c5fa389148edc1405997392bbf32d1c3151ccf2553a8fd930d65843cf7dae1d602e63ff2bfda4

Download Submit
\Windows\SysWOW64\Mlcbenjb.exe

Filesize
92KB

MD5
401fb84967c96ab07bacac23511a6b57

SHA1
99f7777c7c237c030ed7fd9be5a6290207cad1c8

SHA256
16b8be8285fb5fed0353b9340c441260f4293bc01d30625b18053d1259a503fe

SHA512
e6ce67424a1f35409d9334b075ad8f1fbfb7c0b560350e86cc5c23e0aa4c89b2a920b20221b3fd5f4b73bc7ef0773e339f55f395a364176236187e1a86888d27

Download Submit
\Windows\SysWOW64\Mmihhelk.exe

Filesize
92KB

MD5
d210fa86675d72a91136ec3194ea6a36

SHA1
7bef98f10b2dbfb0c96d5b7f538c2f464c38b444

SHA256
747d25bea0fdefd464468b80f4c7a099e0bcbe4755ce1db6851b14effe3069b2

SHA512
2a3e805178c76b2416f1d61c647cade2b3372bd8ecd1a2c7a4d522c5c2c885b968ff85c37051820934291704312bd3ac4d67fb4c7bb9826f761a830af129390c

Download Submit
\Windows\SysWOW64\Mmneda32.exe

Filesize
92KB

MD5
cfa5f0fe4097042bdcf9ea7fe62b7465

SHA1
fcb4b7668609b05a870414e5577429f52690a339

SHA256
b592cdda7a21036a28a23a6523a18fecdf7c62eacf4da605a56436780d75acad

SHA512
1f31a2380c4f4c355e7a41162ea0a8fb74c1860b7a0544adbc815542a9c5de42c171daed7dadbead31c22a3e50381c5e810b7f0f3c2e290d432ded5d4ec28139

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
92KB

MD5
975668e9286aefd7d4687dab365ebcd1

SHA1
1396b68ee9e60274cd968fda1ea6dde741b161ad

SHA256
7fd3846900e3c901e7c69dfd3e0e497a74e90ac5a52fe9c0845ff0a141d76c3b

SHA512
f046489b89b22c3938ecac83024477e1e3a8bce5df77eddcd7a02f0fb7cc42e5cd3cbc88e1e7bb1cde0a228f82ed4179f0af666d4a660e3b505e0050c042be23

Download Submit
memory/444-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/444-234-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/444-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/596-92-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/596-75-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/596-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/596-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/684-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/684-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/684-211-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/888-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-288-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/888-295-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/968-372-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/968-256-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/968-257-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/1268-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1568-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1568-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-279-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1668-275-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1732-268-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1732-267-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1732-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1876-314-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1876-315-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1876-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1876-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-102-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1920-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-184-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2100-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-189-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2160-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-247-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2160-243-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2184-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-321-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2300-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-162-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2300-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-156-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2388-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-300-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2440-299-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2516-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-343-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2572-342-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2572-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-11-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2768-12-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2768-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-22-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2776-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-331-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2848-332-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2848-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-110-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-354-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3060-350-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3060-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads