423c1250791ce1015093717d2305d746c7b06d396e8bf185470d9baea781399e

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67dea9950f97f79ffe4a3a526333f530N.exe
Size

73KB
MD5

67dea9950f97f79ffe4a3a526333f530
SHA1

86754db3b3418d53292dc085863112ca8228dac5
SHA256

423c1250791ce1015093717d2305d746c7b06d396e8bf185470d9baea781399e
SHA512

0160d7d94cbb04e69b275d7f0ad3b9dd6177925e33963362c7724beeda36357195675a99c293ed00e4d8d0936f52d386aa2fa7e452b7e05b087ad6fe6715d203
SSDEEP

1536:7uX0GBhrtHLt07kyg/d0O9C4V5YMkhohBM:c1BhWKy4HUAM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndohedg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	67dea9950f97f79ffe4a3a526333f530N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	67dea9950f97f79ffe4a3a526333f530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kincipnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kincipnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lndohedg.exe

Executes dropped EXE 57 IoCs

pid	Process
2880	Kocbkk32.exe
2608	Kfmjgeaj.exe
2652	Kjifhc32.exe
2708	Kfpgmdog.exe
2636	Kincipnk.exe
2520	Kohkfj32.exe
2456	Kbfhbeek.exe
476	Keednado.exe
1488	Kgcpjmcb.exe
552	Knmhgf32.exe
2588	Kbidgeci.exe
2036	Kgemplap.exe
1752	Knpemf32.exe
1076	Lanaiahq.exe
2236	Lghjel32.exe
1980	Ljffag32.exe
2944	Lapnnafn.exe
1208	Lcojjmea.exe
2484	Lfmffhde.exe
1704	Lndohedg.exe
2188	Lpekon32.exe
1300	Ljkomfjl.exe
1788	Lmikibio.exe
1228	Laegiq32.exe
868	Lbfdaigg.exe
1844	Liplnc32.exe
2732	Lpjdjmfp.exe
2648	Legmbd32.exe
2144	Mpmapm32.exe
2524	Mooaljkh.exe
2496	Mffimglk.exe
1936	Mhhfdo32.exe
604	Mbmjah32.exe
1604	Melfncqb.exe
808	Mbpgggol.exe
2016	Mdacop32.exe
2824	Mofglh32.exe
1800	Maedhd32.exe
548	Meppiblm.exe
1080	Mholen32.exe
2040	Moidahcn.exe
2076	Mpjqiq32.exe
2184	Nibebfpl.exe
772	Nmnace32.exe
1640	Nckjkl32.exe
2156	Niebhf32.exe
700	Nlcnda32.exe
2044	Npojdpef.exe
888	Ncmfqkdj.exe
2132	Nekbmgcn.exe
3020	Nigome32.exe
2372	Npagjpcd.exe
2788	Nodgel32.exe
2512	Ncpcfkbg.exe
2552	Nenobfak.exe
320	Nhllob32.exe
2808	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2284	67dea9950f97f79ffe4a3a526333f530N.exe
2284	67dea9950f97f79ffe4a3a526333f530N.exe
2880	Kocbkk32.exe
2880	Kocbkk32.exe
2608	Kfmjgeaj.exe
2608	Kfmjgeaj.exe
2652	Kjifhc32.exe
2652	Kjifhc32.exe
2708	Kfpgmdog.exe
2708	Kfpgmdog.exe
2636	Kincipnk.exe
2636	Kincipnk.exe
2520	Kohkfj32.exe
2520	Kohkfj32.exe
2456	Kbfhbeek.exe
2456	Kbfhbeek.exe
476	Keednado.exe
476	Keednado.exe
1488	Kgcpjmcb.exe
1488	Kgcpjmcb.exe
552	Knmhgf32.exe
552	Knmhgf32.exe
2588	Kbidgeci.exe
2588	Kbidgeci.exe
2036	Kgemplap.exe
2036	Kgemplap.exe
1752	Knpemf32.exe
1752	Knpemf32.exe
1076	Lanaiahq.exe
1076	Lanaiahq.exe
2236	Lghjel32.exe
2236	Lghjel32.exe
1980	Ljffag32.exe
1980	Ljffag32.exe
2944	Lapnnafn.exe
2944	Lapnnafn.exe
1208	Lcojjmea.exe
1208	Lcojjmea.exe
2484	Lfmffhde.exe
2484	Lfmffhde.exe
1704	Lndohedg.exe
1704	Lndohedg.exe
2188	Lpekon32.exe
2188	Lpekon32.exe
1300	Ljkomfjl.exe
1300	Ljkomfjl.exe
1788	Lmikibio.exe
1788	Lmikibio.exe
1228	Laegiq32.exe
1228	Laegiq32.exe
868	Lbfdaigg.exe
868	Lbfdaigg.exe
1844	Liplnc32.exe
1844	Liplnc32.exe
2732	Lpjdjmfp.exe
2732	Lpjdjmfp.exe
2648	Legmbd32.exe
2648	Legmbd32.exe
2144	Mpmapm32.exe
2144	Mpmapm32.exe
2524	Mooaljkh.exe
2524	Mooaljkh.exe
2496	Mffimglk.exe
2496	Mffimglk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Lghjel32.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Kohkfj32.exe	Kincipnk.exe
File opened for modification	C:\Windows\SysWOW64\Knpemf32.exe	Kgemplap.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Agmceh32.dll	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Ihclng32.dll	Kgemplap.exe
File created	C:\Windows\SysWOW64\Ljkomfjl.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Padajbnl.dll	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Kincipnk.exe	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Lndohedg.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmjgeaj.exe	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Legmbd32.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Legmbd32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Lmikibio.exe
File opened for modification	C:\Windows\SysWOW64\Knmhgf32.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Legmbd32.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Giegfm32.dll	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Ljffag32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Allepo32.dll	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Lbfdaigg.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mbpgggol.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Mbpgggol.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kbfhbeek.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Lndohedg.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Mffimglk.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Lghjel32.exe	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Kbfhbeek.exe	Kohkfj32.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Fpcqjacl.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Ogikcfnb.dll	Lpekon32.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Meppiblm.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Keednado.exe	Kbfhbeek.exe
File created	C:\Windows\SysWOW64\Gabqfggi.dll	Lndohedg.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Kacgbnfl.dll	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Nffjeaid.dll	Lapnnafn.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	2808	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kohkfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knpemf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67dea9950f97f79ffe4a3a526333f530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpgmdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfhbeek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knmhgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbidgeci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmikibio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmjgeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpjmcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndohedg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjifhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdaigg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgemplap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kincipnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanaiahq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljkomfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lndohedg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	67dea9950f97f79ffe4a3a526333f530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll"	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgemplap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnekbi.dll"	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll"	Kincipnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpgmdog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2880	2284	67dea9950f97f79ffe4a3a526333f530N.exe	28
PID 2284 wrote to memory of 2880	2284	67dea9950f97f79ffe4a3a526333f530N.exe	28
PID 2284 wrote to memory of 2880	2284	67dea9950f97f79ffe4a3a526333f530N.exe	28
PID 2284 wrote to memory of 2880	2284	67dea9950f97f79ffe4a3a526333f530N.exe	28
PID 2880 wrote to memory of 2608	2880	Kocbkk32.exe	29
PID 2880 wrote to memory of 2608	2880	Kocbkk32.exe	29
PID 2880 wrote to memory of 2608	2880	Kocbkk32.exe	29
PID 2880 wrote to memory of 2608	2880	Kocbkk32.exe	29
PID 2608 wrote to memory of 2652	2608	Kfmjgeaj.exe	30
PID 2608 wrote to memory of 2652	2608	Kfmjgeaj.exe	30
PID 2608 wrote to memory of 2652	2608	Kfmjgeaj.exe	30
PID 2608 wrote to memory of 2652	2608	Kfmjgeaj.exe	30
PID 2652 wrote to memory of 2708	2652	Kjifhc32.exe	31
PID 2652 wrote to memory of 2708	2652	Kjifhc32.exe	31
PID 2652 wrote to memory of 2708	2652	Kjifhc32.exe	31
PID 2652 wrote to memory of 2708	2652	Kjifhc32.exe	31
PID 2708 wrote to memory of 2636	2708	Kfpgmdog.exe	32
PID 2708 wrote to memory of 2636	2708	Kfpgmdog.exe	32
PID 2708 wrote to memory of 2636	2708	Kfpgmdog.exe	32
PID 2708 wrote to memory of 2636	2708	Kfpgmdog.exe	32
PID 2636 wrote to memory of 2520	2636	Kincipnk.exe	33
PID 2636 wrote to memory of 2520	2636	Kincipnk.exe	33
PID 2636 wrote to memory of 2520	2636	Kincipnk.exe	33
PID 2636 wrote to memory of 2520	2636	Kincipnk.exe	33
PID 2520 wrote to memory of 2456	2520	Kohkfj32.exe	34
PID 2520 wrote to memory of 2456	2520	Kohkfj32.exe	34
PID 2520 wrote to memory of 2456	2520	Kohkfj32.exe	34
PID 2520 wrote to memory of 2456	2520	Kohkfj32.exe	34
PID 2456 wrote to memory of 476	2456	Kbfhbeek.exe	35
PID 2456 wrote to memory of 476	2456	Kbfhbeek.exe	35
PID 2456 wrote to memory of 476	2456	Kbfhbeek.exe	35
PID 2456 wrote to memory of 476	2456	Kbfhbeek.exe	35
PID 476 wrote to memory of 1488	476	Keednado.exe	36
PID 476 wrote to memory of 1488	476	Keednado.exe	36
PID 476 wrote to memory of 1488	476	Keednado.exe	36
PID 476 wrote to memory of 1488	476	Keednado.exe	36
PID 1488 wrote to memory of 552	1488	Kgcpjmcb.exe	37
PID 1488 wrote to memory of 552	1488	Kgcpjmcb.exe	37
PID 1488 wrote to memory of 552	1488	Kgcpjmcb.exe	37
PID 1488 wrote to memory of 552	1488	Kgcpjmcb.exe	37
PID 552 wrote to memory of 2588	552	Knmhgf32.exe	38
PID 552 wrote to memory of 2588	552	Knmhgf32.exe	38
PID 552 wrote to memory of 2588	552	Knmhgf32.exe	38
PID 552 wrote to memory of 2588	552	Knmhgf32.exe	38
PID 2588 wrote to memory of 2036	2588	Kbidgeci.exe	39
PID 2588 wrote to memory of 2036	2588	Kbidgeci.exe	39
PID 2588 wrote to memory of 2036	2588	Kbidgeci.exe	39
PID 2588 wrote to memory of 2036	2588	Kbidgeci.exe	39
PID 2036 wrote to memory of 1752	2036	Kgemplap.exe	40
PID 2036 wrote to memory of 1752	2036	Kgemplap.exe	40
PID 2036 wrote to memory of 1752	2036	Kgemplap.exe	40
PID 2036 wrote to memory of 1752	2036	Kgemplap.exe	40
PID 1752 wrote to memory of 1076	1752	Knpemf32.exe	41
PID 1752 wrote to memory of 1076	1752	Knpemf32.exe	41
PID 1752 wrote to memory of 1076	1752	Knpemf32.exe	41
PID 1752 wrote to memory of 1076	1752	Knpemf32.exe	41
PID 1076 wrote to memory of 2236	1076	Lanaiahq.exe	42
PID 1076 wrote to memory of 2236	1076	Lanaiahq.exe	42
PID 1076 wrote to memory of 2236	1076	Lanaiahq.exe	42
PID 1076 wrote to memory of 2236	1076	Lanaiahq.exe	42
PID 2236 wrote to memory of 1980	2236	Lghjel32.exe	43
PID 2236 wrote to memory of 1980	2236	Lghjel32.exe	43
PID 2236 wrote to memory of 1980	2236	Lghjel32.exe	43
PID 2236 wrote to memory of 1980	2236	Lghjel32.exe	43

C:\Users\Admin\AppData\Local\Temp\67dea9950f97f79ffe4a3a526333f530N.exe
"C:\Users\Admin\AppData\Local\Temp\67dea9950f97f79ffe4a3a526333f530N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Kocbkk32.exe
  C:\Windows\system32\Kocbkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Kfmjgeaj.exe
    C:\Windows\system32\Kfmjgeaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Kjifhc32.exe
      C:\Windows\system32\Kjifhc32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Kfpgmdog.exe
        
        C:\Windows\system32\Kfpgmdog.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Kincipnk.exe
        
        C:\Windows\system32\Kincipnk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Kbfhbeek.exe
        
        C:\Windows\system32\Kbfhbeek.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Knmhgf32.exe
        
        C:\Windows\system32\Knmhgf32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 140
        59⤵
        Program crash
        
        PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Keednado.exe

Filesize
73KB

MD5
140c38e1a1ce2024891cd365b54517cb

SHA1
3b637ea11717355e281ec9c1501c49a02b8dbdae

SHA256
2dddcc0efc75376dbf10781f7b560345ae31b0977e59dcb702d000017896385f

SHA512
d44ad188471a330d6a75a199a7c5d3b2aebf82292fca99ab781e5003618beb3874905ad56493fbb810e2c1bb3b91d7c76e6eadf6b3b7c87257b079cc393b299a

Download Submit
C:\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
73KB

MD5
2ce36771975a0450121bdd93e141c77a

SHA1
ca61734e2e4b1399d6e4c7353914bca1a9df4ec4

SHA256
48a61ace0dc8318bb30834428ab628f7606c101333f0a16ac451f147bfdcc972

SHA512
e492f57fed2c8a96de4cf96fe36bbc76b039f6ec6e9ee9097442bae0db90e6a40fbb59f07a14b161690976a2207076f30dc5c9af9c026b2a7215b7664aaa4cdb

Download Submit
C:\Windows\SysWOW64\Knmhgf32.exe

Filesize
73KB

MD5
708fde12a6b24d548dbd6774e2d3842e

SHA1
e143226c7cd5d2ba1dd3de30aa0f7da9d81f1eed

SHA256
9612efd81c4ca27ed1622bb35a1e78b00484d3d499cfdbf4ef60f9048c21aae3

SHA512
d8a7c513cc451a33115613df57a76c09e146ac7bb19407878e7e80f4c753401438596b10027d86d94f86813a2e60566652fbc77f15f111355572ef7409f31e56

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
73KB

MD5
67cf47f2c26fc57d24332da13e81fb14

SHA1
881ec69862688dc4ff31117a05f8b33d08b8a847

SHA256
374d816164b37098441dbf6ed68d135016699051f8d6c01b89cee051b62c26ba

SHA512
d1e4c1f6e9a1c79c7e4ea83d8764e91b6dc673bd9aeb6e06640512474c0277af9c34f46e0b997511f4a7e0fc2d801dbf372d67f7151ae76e40bbf38c27406a8a

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
73KB

MD5
5bca7fa91ffa5c6819d619fa4ddcdb50

SHA1
178a14b983633b85633bd7bb18ec2945f4281df8

SHA256
b40052f96c8fcdbefaac249280eef7ad04becd2e17e836214bbbb445b6efe040

SHA512
d7168453e50f863fbf4afa821dc5f3dd6dcccca5b1aa35274dd1c750488ad5dfde0713ba3c40821fd13a7b1588c931284bae2fb2b393d6937e7e47a8da3baef0

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
73KB

MD5
5f0b1ead81e14cc5dbaf3ed3313c584f

SHA1
a6dbc0498e047b66cf541942d6c0956a98bd5d78

SHA256
83b74307fc3741601101fade11490ff6f9f58ab15a3e286885bd5a904431c238

SHA512
72d996d86f85f46e5cc540859c499902dedccdd0b085bf7e9e4b8e504c76051bebeccc00b7fdbe9c777707ba0d9d0ae5277e173c113dbd0fab31b5e51a5a43c2

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
73KB

MD5
1f2c595a57fb35b31fa7a4832d2249ad

SHA1
55fccbb9ad960e43a09850ae70ed570fbeebdadb

SHA256
a943c97a882e2ba6670fffd7fc10edc93e88e783152e0a004631d0978f4087ae

SHA512
45be8b0e533889f4c1c7f82a01cef535fbf1ce8ebe26dc9ee5ad0e0a09933ab41e597149c184b8eea18759d1dea76edc9e89144075667c896fdb4b51e8c2aae3

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
73KB

MD5
8aed9bcb383da039aebbec0ee2e90e5e

SHA1
b3cd2b7de0ee971539c477fad63c3714c96c467f

SHA256
2549f40d5656140910f7678abab2b309524196edf5edfaff0226981f9095683b

SHA512
7ac446365f110d071b9edfd1287ebd2a00379cb8928041ade6352254a99afa0454410fce44f19d1755c07033d9ad04a9132fc2a0bf547e0415a1c0a90590336e

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
73KB

MD5
6242f6975551fbff473a746a668f8bf4

SHA1
674677ccbbc08b6585ccacfbfd10dadac0a4b09a

SHA256
359800029f1cabc7d67cdeea94b622619331ca95e260d8c6107c0dddc82f67e7

SHA512
e1150d77262e06ec1e99c8fbd9ccef92c1bb6775a3b0a9972dfc46b1000b631ceacdce0fdefc9b37d216e9f52ab953637f98698045e485bf1b5600b89c235207

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
73KB

MD5
471beaeec2a92b08d67ff23c4d3a73a1

SHA1
8a9c47486e250a974081bef91c798c56195ff740

SHA256
7c23a525c9308c64f9986b3af3523fe3420210701c459d8a065c47d6cde8c20f

SHA512
be5f4419ed2210d91121c4a6fb252bb8489b3bcef2100d8187bf54353df7639a0ccf668bf91037f9bef16853c614a730741a2ac49438bedacb35634068d45e02

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
73KB

MD5
8778e0bea6cb678925574940aaefedd7

SHA1
c1e6137bdb05af88a643e91e627408caf0bee648

SHA256
e8b6bd77d43212cc25e406884a354c6c82ef3705aa22d807a45c73b883e1369b

SHA512
3336d1fddee4b53dae4a18c6426026720ddf01c37d97da6a8787345463996d2b8229cf63905003fc89a89a20d5901766c185ff616aa80150f720d1ee1fab0d04

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
73KB

MD5
6e8fd2e2e7537f472ec7ed6d504fec90

SHA1
bfce6c52546f7dd1a11a523e2dd7580850962613

SHA256
4e347736ed5f074322b148d9b44b956616fe60d41a7d9e30b92605899619dd31

SHA512
5af67108da33379cec566a35c87406d9fa3e85d66e2049e7afe9073caa5d89622d68de9d33b5772e0272ca3800008aae3226449981798f569674f6bc863b2ef6

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
73KB

MD5
54096ae0f05a44bcd33d166d7719ed8f

SHA1
c26d0cf215ad2c24e89ed6b63cd6afcbcf1274ff

SHA256
d8d48217a4c7ce93ec7d503747bb431b4e01516cee3c33002751097e4ab13018

SHA512
850049d80163b970e1473ded7cf981ed833929840961dcb24a65897da9c7b775f0f8cc1ac8bda8a3135dd7cbd4ef066b6811b178b1978049778b9a2b6b0585b9

Download Submit
C:\Windows\SysWOW64\Lmikibio.exe

Filesize
73KB

MD5
c4cafc956b390e5d5c10a8728c08eee6

SHA1
f14492e52944a773e45373ecc72afd92b62e66c4

SHA256
504b7fcfbf191ce7a64bee47d0d50a4fc44e7048c5ce6287e4ad94acfbdbbeef

SHA512
c6890ab2884b23683410967e0a8b303f1d6d451c9198f61e514aa82bdf98a161d7fc876dc0f8dd9b406a5d07ffbb415b8219fc7fc59a0ab0fc865c06965351eb

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
73KB

MD5
a46d41ce54f4dff4bfdd486093e8e2c6

SHA1
c1463cb4746613eff51b74d33b850222163c9e36

SHA256
5ccd78e89d0b484b286a1eafca7cf5e7b7815fddc216f6aac53f177ee87c2c2b

SHA512
65d885a99f1f934aac6c907616dbb71f60f1fd729e2bcadd05ee0a3c896491f6857d4c020b1d19a3b0b86633c350c768f19805a2f39e61d8082f47d7b6ec75a8

Download Submit
C:\Windows\SysWOW64\Lpekon32.exe

Filesize
73KB

MD5
c10c4ee79b092c7e8cee62fee31e3c64

SHA1
49c9b0f6c3ff1b5efda3ecc243328253a9d78f8e

SHA256
beae9d8127a94099e0aedaf479c83076afc89934df6749189548002b5ff81b07

SHA512
8cff9db4230ee1a710ee04737b7cb01703c18f7e0e5fd2311afd5491251fd37e65cfacb270e18bccd4a8f209b6e7e4ae58d58611dcd64ced9b878e851775ab91

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
73KB

MD5
6b55f93dd8d38f612a8482e0328badf7

SHA1
a419b20e6cfe7e5574c8e39d0dc201387b56aa53

SHA256
ba1882e2c00d52e9183839803e17664b70fc5cb87af916af5d28abea5a72fe19

SHA512
ebd47ddecbbd7fc4a1e5b1968e81f2762e56e7e6fa0f49acf6498c615ba2d8bfcf4bbd0167a41186468d7f6c230e384d67e66d38477f8fd39111ff61e540ddb4

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
73KB

MD5
a3117d4fe444969dc8c4f7b4bb6a1207

SHA1
7ea7c6a85a5f9c62bcf1fa2d5e7f5614d945e8cd

SHA256
0fd1de0ecc8dda147da3c872742d578615c48f4b320f14f618d962d60a823671

SHA512
32f4b47682dee78d6297fc5e0f5c0eaaad33201636a7413090a369107ef20ddc2e081acdbcd5afbda7819fad2abe9a5fd6d4325521e8ea0b26c3c8d6f12d8c2e

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
73KB

MD5
c3f290b3a365eec86e0e9fc06390080c

SHA1
a678c10f4358c7d48e4c5a4a7a35a602c48f6cbb

SHA256
70c7fe82e39511b240ed8d59ae6481e565db390da03ae3d3f8be4b7686f97b86

SHA512
51478665ceab60f1e3e97a2bc8bb9647681658ed6b481d0ffbc34c62ea3f36008050dab30b5844c13da645b38605cb2dde14f36c2be9aa051f2cc5f8550d4355

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
73KB

MD5
b531369d81a598ace09c703c2a78dc8a

SHA1
066671fa6c90910b12bfd14c03c822bded67460a

SHA256
3fc00f3add9566d49e5a900bd7064ac1838ee798558ef11b1d249794c3639746

SHA512
4f05a0cf5a01ab107627b9aa67a8756f38ba539b455bf997e6f3d9c6925c0acd52740a89cd817f17dce47220bcb010c102a8dd9b4ab75a290dfef2049718748d

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
73KB

MD5
1a882100bd240425451541de7c89219c

SHA1
bc49ea88740cedd6b9fe095cba34db275700865e

SHA256
050c3a525a3fa84f698ed275f1dc12a043598a43824ca0b5068fd57b99b90c56

SHA512
5b26728bdaca27513864a9b2ed3a144710bb8c129ec53580afecce96b3e9b97c989e1698e112522c3cbfcb0b75634b622c8f58412caf1943a9dc6b725618b032

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
73KB

MD5
cc538b43ba9261497d36e303347b8c9d

SHA1
4ba948be2de0df3654e21a6fdb969499010ecb93

SHA256
3f3c2c272d324f15ff7fa4aa2ece5eb7dabc08c577492678f5535fbd3fe4c4f8

SHA512
ccbf020fbf035504829f4e75f59eeab500aefb56499ef957544f987778003fbc06cf2ed6fd62dd3645564c9e4b1b2a6424aae42d4245260c452210c37f2db9f5

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
73KB

MD5
06a71ce52b54d4938b9f097c572f3a4d

SHA1
d9a5c908eaa6ec05d13b734ff61957ea292b2f07

SHA256
74b23cd8dbfbef9cdf8eb9a364a1328dd298f34225d92e05dfd84d3bdc1bdf41

SHA512
6db3aeeaaf0876807e66d8b40ced9878d2fb4c9f4a078797aa63c8dfc431d90b7cd50997738bcf44d76b19c46a28297cec5285e9995db16f1f61e5329f6efb8c

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
73KB

MD5
bbef9356047d77c65335ad601850e28c

SHA1
f8f7e5df2c71733b414608ea9d10db5bca066aab

SHA256
d0ff34559b5b56c08a509b9f3cb0f271ed29827cc9c4002c1f8bbced2d474318

SHA512
4fadd3167f8a682058cc5e8e5fa470f47860e6d1edb6557d9ece301bd8257bda8539d9be120f1b64019b2c732bd09fd837b632380c102812dec0bd1c7d8e63cb

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
73KB

MD5
89187b7c3b16efe51168fe4432d3bc82

SHA1
a04f120db98bdbd736405098cb51db87b58e581a

SHA256
eb4cdc9957cdf35b2313424b91e7e453f179d622fbf52ca011adebf1928212ff

SHA512
61613384c437e3ab1d25abccb0987b9161c95980092ef99a610cb85bbddad374c487a1755fc99749990cc786a4a07c402a04b7f72e6cdd851f8f1d8044fa8c14

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
73KB

MD5
524a55fbd626dc2b50acaa794e1c0ffb

SHA1
f7446fa210807f67074c40d3b0d8999a7615f7bb

SHA256
771becd50639d3987541410ba73c812f6a3a0f940efc8be61915d18d9021cc7b

SHA512
bbf9b624d5c4f23c0a33bfad58d2ba6e9b7ad7d6a9454031c66b361e5df9714f8002f5c9b73191f8677b12e38c4a662fc8a05545bf8fd902d49c3bb94402893c

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
73KB

MD5
7b89395690243d8f1536074404758fe4

SHA1
c7e03c6854ecd7c154d83243cada504622359e13

SHA256
754ecb1750cc93528eaf22c320ef35d57c4e81501dedadd60a2fe8574689922d

SHA512
981120dff1f9da78da46bca11b2689929357ad15a086a1d53a23f40f5ef87c7ed1bffab1220bc01eecacec596b218f94398ea3345e6789033cd9cc101590dc5d

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
73KB

MD5
ed6514d55f9993aa8c0eefc1a450b7a8

SHA1
d419a3330a01803f95576117995c2f5046c74a1e

SHA256
6c73a7cf122cf39f1b17394a3c9d34e812eeec2c56af2e04a7b144736425046d

SHA512
f44ba9d57b055306d6298fb204850e38f700afeed794a3a4f9fcedfca36aeacf1fad3a501c052a03f14e9ac044084bbe2c5d11a68abd1074486c1f9a844c0738

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
73KB

MD5
8e704cc356cb3df17e6e1c85e402d770

SHA1
3ad807195d4d698a639fcedd46c039a3c0c0c12d

SHA256
46bcea1d47796dfc9483839cf6f950f51967848d2a8d68b2ee174492bf153e06

SHA512
d9bd1262cfce55b3fe247f57ffbdf97aaff68d08545a5547836c384ab111f2fa777de94c5ecf2467775309cc794ffbe8ff9be796f1c1c37dff3ea6b853924a0b

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
73KB

MD5
3d2d9fa9c8f1abaa4d69a1e8eceb2bbf

SHA1
991412acd57daa5cba27d32eb819abf03bcd0d3f

SHA256
4e89db32dcb2a07997e832bf5dc3f73f99a9b343a5878bd8137cbf758965ae78

SHA512
dd14d58c01be1466f80eafae8be91e775240cf5b3a2e9910a4eb51fe80d1626d47b789f3e785e9f8b53e8e86bbc221b30e941169a5486ecb036304012e7601ae

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
73KB

MD5
96158a350616665a7ad7479eb2b3f857

SHA1
1b345aa290acdec34703c10f9b4df81b5ab66c3c

SHA256
9abaf7ca9540945afe7fdacc7eeb4e16567f6ea59be991f14360e309b9fd54d5

SHA512
bf7082f5738355b80596f351b876d6e4f776f6cab6a2fd219ec2eae28fc9703c54a1625a4bec86302b635dc27cf59c0288baa49176891102cadc7eef97dc7f83

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
73KB

MD5
de00e879cd440602f6cc06af119783f5

SHA1
149f0f656bf6c29a127ce9a220a0b28192c9967a

SHA256
aa3792c86344c117d528be1450f7f3e346b48acd85b976d79c6ab3ef49f430fc

SHA512
1e3b85332edfb810614be801060dba405776bf454c1d2085b136f011a9482126f03d0096b753fccf169b25dec694ebe34d93f7280d7c2922e8c78a0ea48a159b

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
73KB

MD5
164a92e4130ecb5ee17e4c3d6c2e464f

SHA1
b21cc384d5cf33c6cd1c515d3cb0ccf2b3851821

SHA256
7930ce875eb490c3aaab69b652c25af09b5865c808b96985ab4d3849a4ebdacd

SHA512
d7ef0b4d59c25d8b55f1e36e31212b147ca2f63572a68015eecb2e851fefbbee6081ee5e8b69e11d2bd7b648b6c527a763a4af58bd649865ad33f707665027b6

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
73KB

MD5
2ff69bd37e0c27e3e14c7871ba1f96c1

SHA1
bd51aff3cbef51f143152dd87369b044de321f58

SHA256
f436e7051bf6135c2ae29bd660f409d4b2e3fe71bb8eb7fac43266f06ba877e1

SHA512
7cae23438c7894b8fa3d1c4cd62a78288cb43f8dbb4fec434127eaf3d6e720d66db84cff5f0d951b4c8be1573ae7def2f7b0f5e794b9e6344253f1e97082a9bd

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
73KB

MD5
8a403f4eb7200bdefc6e6b8552404217

SHA1
c74348e775afa75db45ceb3cc86fd25b49f8c116

SHA256
2728483d73ad3db3c625c052d6435c0baa16853e1c00e7035b78b864cab87f5f

SHA512
751f765b1a8cf30129fea2115f468aaba0353d8e4d4b9d3a1c6a79a4411497b7fbd3826cfcae1f6a6a6bfe226645472fe7edad9b61bdd40fd77f284d842dfceb

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
73KB

MD5
c088d202bc8958c558061ef918f56a95

SHA1
e66db999b35eab9de97ce02ab736a4fb204f25b4

SHA256
d4177267bbeb39e8ca55678180e9a4ad3f4c368b90a85018dcf1c3c7910d016a

SHA512
2c652a9c40bceb76925859f32cdcc8e49095312087c65ac5d8d53b3f9043b2b428606f4cbf51f383249291a3ee1f59d116814b929d505e0eec818188951f09a9

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
73KB

MD5
2d026eef7858d496a8c61669951d2153

SHA1
57844475ac2737b6db4bdfa9414a7ab956d7f566

SHA256
124b50f96abba88922841c1f6a3ae2f59484ff9a63f39e3a70ab424ebef61639

SHA512
24d820256547ea46c92056415eefd63a9bf05d28f3eb35f8fc3c3b7f8344daa7d216649af41b08fcc6d485271cadee6b8a76d4424e775c37c7dc9adea65d67a2

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
73KB

MD5
e9b95123e1307f23cde0e00000ca8775

SHA1
8f23356afb036024894e1e721a550a793de69009

SHA256
6f77accc168ca418838f757a65c114b289d6072f18f43c213e1a35da0e55fed2

SHA512
64a480b16743c8aeac04a434e1d31f817b8c444bcd8501d803d764e269b20883f883d902288af5996b8892b63ec735e7a381c0cbce45bfe3e69f796e5e3d51e9

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
73KB

MD5
424177d94aa54a7f10fe795ba1d4fb7c

SHA1
a21cf3c62a0e9411b1a216c304787868f6bd7164

SHA256
e3be6e116af5319b5891ef3db678244da21775e85b042a04146b70c3767bab3a

SHA512
646c66d8772cf6814c87aa535d6a6113672e9efc44e1823bf18cd09e9957ddd3f6fbe39d0aacffa01f078ad39a3b5e5d523ffbda7ca6166dbbf148123f93927d

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
73KB

MD5
4e92252b5578f9d37956876a31cd5e8c

SHA1
3b09b638f3142c428a818e48b3fa5c92febcc6e5

SHA256
49d5c29cf331fad6d29f76f66d5a9a2075a453fcff64d7cbf3c6d73dac67834f

SHA512
f12282ce18f54758d0a791cdf654cfe09120ce19fcd8f74b7cab7e49dd1f29ceffe96c397ec0004b649a6df037732f51a1911b5889d46110bf14413592921fe4

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
73KB

MD5
b8d8328a818cc599fffe64cfebd36a2e

SHA1
954fa681d5d8ad25bf5d7222f5d4dd17af81699b

SHA256
21280e6cf826de617d42e1fa2304a65226b8ffaa7c8e251f0616a98b2a3ea43e

SHA512
d071c246b7b61e471e0a48f38ebf2ec77d6de17542932220005f7bdf3db6ad04c6a9ab5b3c32eda3d99cc23c1df7bc5382548445603bd27b575ce57eaa21e8c5

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
73KB

MD5
4fae492fa0bfa63cedf54927d513e4f4

SHA1
67cfae347808730df672827acae0bdb76b069d5d

SHA256
51948ce904a340311bc5c0dbe9beddea0da42650e173de3b974ad3984e0f066b

SHA512
3a2ab4ca92bdf0c1f1cd350e288c64b88c74d56dd8adf4dee40c8be03640322ecbd8527257b3caad0181955e2571676724f5facf0bf13b91e1b9df86d0ac3893

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
73KB

MD5
a3d0374d765f9438549d00941bfc225b

SHA1
3e03ba9288c3b487a77796ed41f0ed4b57c208fb

SHA256
d999210e4da554e8cce4368ec7f295bca61aa52eb8ef051b5c26dd2c687660e7

SHA512
9d5717b3a23720e7cf43697fb8f2754113b4cf9ef2327b17eee6d55684a1cd37ad33ccdb2d445630743041dc6a031398e91e9ec76daad4d38d82b72086a04a00

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
73KB

MD5
35210aca2a1d1af1990f46af5a6a0e5d

SHA1
be4a3eac4c403d5fb4edf46b61210acb91cd72de

SHA256
3224c5899b7005dc1892b4b429b58fe4e59d4df08750a0dc7965d95244809c73

SHA512
4e63de99a37461e4190a76a7ed940da2f51701c92c475601c33d7a75f6031956fd07dff550f53d7ef9b595c1cfc80d147f97e009d09b923af9f0a469ff005ea7

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
73KB

MD5
be26513ac197ef36dac3a9087e36770a

SHA1
4b891fde6ddae3fa7efe5a9507bb4a48f46649e1

SHA256
c3313d119cb5b94c028910df8172fb257f1c2673bf283ed7716ce61d04acc86e

SHA512
1234b3a58ddf2e2f59574c7edd81ca3a4976f893953e2e880ca576591cd93cc6c2f7b34fbc7d200c278295637c3a06300569a2a80e748a208d5872a56f4bcca1

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
73KB

MD5
50103d3c77b316d61428efed70e8fd31

SHA1
3f5891d2683dd18ef0ce1582bcd8e36e0d27ac65

SHA256
4ca867a103b490a4ba3aef23580e52ba448a2ff2274ec9494612171743178329

SHA512
a0e418fb4f39369cb59d08408d3dbe7867970218f145323293a964a9289c06408feded18b4ead09a966449e28f1a0f6454f7e19da7317b5bf79a1150ce6328a2

Download Submit
\Windows\SysWOW64\Kbfhbeek.exe

Filesize
73KB

MD5
54d721518c70cdf4c4bc3d131f03f8c1

SHA1
964904d6c7a17b34c9c7bba1ac230784be0a475c

SHA256
f346fa3c5bcf28bbde58d84a234ce48ea433b533934d216b6ca995f165abc986

SHA512
f79e5baf6ff40f67fb932324bff7b3b8891b7c2c090a32b392405e66ccaaa528fc2b626b91b7f21a8b1ca1a72ff1296cc92553af375c9419521298bb16cec49e

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
73KB

MD5
94f369297889598b6acf5cbe3db65a68

SHA1
454bdb4b81bc24fbe55f9d0407e117ee67489401

SHA256
c88f09d6ee53370bfc72ba4760d2912561cf3860c7790620ef12060eb06e7742

SHA512
b46901a34e95af30b8d75832e652a4bec4645b1da6ab63ab4c780f1efbedb1590ced12ac4fba01f75e150ce98573c0085a9eaaafef53d8bc75dd259e6ade8c23

Download Submit
\Windows\SysWOW64\Kfpgmdog.exe

Filesize
73KB

MD5
0e22dab8340ee051d9ed054b20b20ff2

SHA1
d03c7da10bffad069fa1cdd52a11bfd475bda3a5

SHA256
f0ebdfba8a65e93ef597f226a7bbc3610abe30809844e4c652d156b71f8c9291

SHA512
cfe02c5b6ef71d3ae68b52e3521a2a26dcc2b41fb1bc4da74f984639d667bab9f48be59959109b14a1e5e8e1496d085f77ce14d89a5b3af98a6f32fe1ea20229

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
73KB

MD5
0f0517b53ccbbed7b466de68bbdccdb6

SHA1
86dca3d45ac28247dcc6d777b3b42f28fbca8975

SHA256
c6ef089e7f5ad6d8f47fc8d7ee23403d8ee32e7f6dab69fe9df59b147d40dc43

SHA512
32368fce53d04960fde984053bf711fdf1510a2ec1710435d644bc6d5cc05da2dba7efff6669da10f2055faaa44bdfd71a43dea3d092c3a4279ca5e9e9b47f8e

Download Submit
\Windows\SysWOW64\Kgemplap.exe

Filesize
73KB

MD5
7e5029abada3dafb3356550613f0d920

SHA1
749580ae08cfadc04279ab4704ff49e9b0f00681

SHA256
7f950f6a9affafa867247d0a598d3bf4ef592483e9ebb66323aeb3b8305aca7e

SHA512
f7b2ad838e27f3b3c80fce0dd1b19d66c6f6b9969ca05f28c063f6ed46a8cafcd6a5b1ee116ec84518c08d16e7b66e5115e35999a69ec120ba519b17e7dbcfce

Download Submit
\Windows\SysWOW64\Kincipnk.exe

Filesize
73KB

MD5
04943d7abd06b1eb9e6049c1d1a783c4

SHA1
65f555d08de14f32a2cc216488c86a6e56550d02

SHA256
7ad019f5a165188b2ff3d9bfbe8599fa62e722d12edd77d569f6c83a521570bc

SHA512
dad0b3a4cf399bfce67578c26e6134a8177c64a97db3533d96708eeda3a5e67b2fa363ce951010a565bec8992ce086185aefcb8c5cb3b845e80bd2af05a8924d

Download Submit
\Windows\SysWOW64\Kjifhc32.exe

Filesize
73KB

MD5
f96a44fbd075fdeb6df78cf5b91c7663

SHA1
7db3c98221e6fc67d9035ab91dc28ba519fa6083

SHA256
15548d5d56d9f00d5479928298423850bdb58c2217c1804bda35409adea2987b

SHA512
604e76f325bcfc2c4f8d114cc3d8f24de47327d719f1847e36a3872d231daec0734e703ca2959109d2b13051d18c1f7f6528385e90287a538806915a9100290d

Download Submit
\Windows\SysWOW64\Knpemf32.exe

Filesize
73KB

MD5
fa77ba199cbb0da44e9bc7221d3b1721

SHA1
d5bda0ac24c14656869647edd24ca58cb110b5b3

SHA256
e5bb32f1a9f102db60ab511f41ec6f9ab9f0994475150fda6be42fa9bf00883b

SHA512
11a6f32917c2051100397c8040636fd933fc50efdb953c1c8590feff4677da2ff8f52f5d9cb143742c9118f92971f33fae012da99997245d9cabea7ecac99152

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
73KB

MD5
98d25e78931698cfd93c1f4d251c006a

SHA1
115228fb41cbf1d6538680c7c460f53b0fb9a0d1

SHA256
ec74510f45a4b525233a1520155e5bcb24bdc34af9b4d468fbd92b0dcde6f4bf

SHA512
44300417e42219011346b2f555f138aa74b023ae99fb8dd3847b9b06dcc83b578c04aadd49dbe043f77356f14265e8ba2ded11ec2e14eb2ced7b4aab13a0dad0

Download Submit
\Windows\SysWOW64\Lghjel32.exe

Filesize
73KB

MD5
4ce6420dc737c83efa5f67639f1b1194

SHA1
b432a8134206593ac6e97f426c0b2485868c1a31

SHA256
bcb9763329730e891c5ea1c1e843e58a33fbc0b3853ecfc729ae9e93e15b19bf

SHA512
ea47317764887e9217cd3b3a6d54968fa57f50231a08689b24bbeadf66640630abc1091b96900eddc23628ae8f72ead89d2e4dba1a0c9e64fb4ea366201dbaaf

Download Submit
\Windows\SysWOW64\Ljffag32.exe

Filesize
73KB

MD5
0e8c012fc240a7cad7000fd7d60f4a5c

SHA1
85089c3ee6bf624e96248602cc5d0d19a8aee43e

SHA256
64e69075960468c950ef286defe8be52296a8b48354153fc1a6930adcee22603

SHA512
555f2852cdb80bb8b17ee2794ad48c6df07e0d33ab4f2cba680b3e3cbc1a69f9d288a909e06f8d00c3a8e185ad7b7e99545dc08cfd011a3a83638dcf24642ad0

Download Submit
memory/476-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/476-115-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/476-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-463-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/552-141-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/552-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/604-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/808-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-314-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/868-313-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1076-192-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1076-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-474-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1080-473-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1208-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-236-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1228-303-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1228-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-299-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1300-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-281-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1488-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-128-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1604-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-523-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-256-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1704-260-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1752-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-291-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1788-292-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1800-453-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1800-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-325-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1844-320-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1844-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-218-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2016-432-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2016-427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-167-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2036-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-485-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2040-475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-507-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2184-506-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2188-270-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2188-272-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2188-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-17-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2284-358-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2284-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-18-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2284-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-250-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2484-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-246-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2496-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-412-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2520-92-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2520-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-370-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2524-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-36-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2608-377-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2608-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-75-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2636-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-346-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2648-347-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2648-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-62-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2732-335-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2732-336-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2732-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-366-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2880-33-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2880-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-361-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads