7be09643f68afe5a597ea68bcf1f0ba2e0a85a0b1cb416712316f290705b54f3

Analysis

max time kernel
114s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb0be64e4ce23c4761171ff81f766a80N.exe
Size

96KB
MD5

eb0be64e4ce23c4761171ff81f766a80
SHA1

fa1c81a8ecde7479aab814241661c24cc28d0b85
SHA256

7be09643f68afe5a597ea68bcf1f0ba2e0a85a0b1cb416712316f290705b54f3
SHA512

426c75195c980732387c8a912eb0a3df3f3b94d28b427bc121061c2b98689022cd4b0c2027e92f1612e7280139c9dc42e58f8950d6dcd509ffd9012b05fec285
SSDEEP

1536:xqlHOjqIVkEQodA2LJZS/FCb4noaJSNzJO/:lmmRBJZSs4noakXO/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipkema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmmjjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmnkglp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnlikic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnnndl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbmmbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mifkfhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfjadim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjqiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbginomj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jneoojeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbmmbhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgiobadq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncloha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopnma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liaeleak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liaeleak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mehbpjjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb0be64e4ce23c4761171ff81f766a80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jflgph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jflgph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkilgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monjcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mifkfhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmmjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcngcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfnlcnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopnma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcngcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnndl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mehbpjjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb0be64e4ce23c4761171ff81f766a80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jneoojeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjqiok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgiobadq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfnlcnih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maapjjml.exe

Executes dropped EXE 29 IoCs

pid	Process
2116	Ipkema32.exe
2812	Jhfjadim.exe
2564	Jneoojeb.exe
2860	Jflgph32.exe
2556	Jjnlikic.exe
2964	Jjqiok32.exe
2540	Kgdiho32.exe
1752	Kopnma32.exe
2624	Kcngcp32.exe
1656	Kkilgb32.exe
1668	Kpgdnp32.exe
1368	Liaeleak.exe
2176	Lnnndl32.exe
2124	Lgiobadq.exe
1384	Lfnlcnih.exe
336	Mcbmmbhb.exe
1188	Mbginomj.exe
1036	Mmmnkglp.exe
1748	Monjcp32.exe
1732	Mehbpjjk.exe
3004	Mifkfhpa.exe
2204	Maapjjml.exe
1760	Nkjdcp32.exe
2988	Nhnemdbf.exe
1784	Nogmin32.exe
2288	Nmmjjk32.exe
2700	Ncloha32.exe
1568	Oihdjk32.exe
2868	Opblgehg.exe

Loads dropped DLL 62 IoCs

pid	Process
2088	eb0be64e4ce23c4761171ff81f766a80N.exe
2088	eb0be64e4ce23c4761171ff81f766a80N.exe
2116	Ipkema32.exe
2116	Ipkema32.exe
2812	Jhfjadim.exe
2812	Jhfjadim.exe
2564	Jneoojeb.exe
2564	Jneoojeb.exe
2860	Jflgph32.exe
2860	Jflgph32.exe
2556	Jjnlikic.exe
2556	Jjnlikic.exe
2964	Jjqiok32.exe
2964	Jjqiok32.exe
2540	Kgdiho32.exe
2540	Kgdiho32.exe
1752	Kopnma32.exe
1752	Kopnma32.exe
2624	Kcngcp32.exe
2624	Kcngcp32.exe
1656	Kkilgb32.exe
1656	Kkilgb32.exe
1668	Kpgdnp32.exe
1668	Kpgdnp32.exe
1368	Liaeleak.exe
1368	Liaeleak.exe
2176	Lnnndl32.exe
2176	Lnnndl32.exe
2124	Lgiobadq.exe
2124	Lgiobadq.exe
1384	Lfnlcnih.exe
1384	Lfnlcnih.exe
336	Mcbmmbhb.exe
336	Mcbmmbhb.exe
1188	Mbginomj.exe
1188	Mbginomj.exe
1036	Mmmnkglp.exe
1036	Mmmnkglp.exe
1748	Monjcp32.exe
1748	Monjcp32.exe
1732	Mehbpjjk.exe
1732	Mehbpjjk.exe
3004	Mifkfhpa.exe
3004	Mifkfhpa.exe
2204	Maapjjml.exe
2204	Maapjjml.exe
1760	Nkjdcp32.exe
1760	Nkjdcp32.exe
2988	Nhnemdbf.exe
2988	Nhnemdbf.exe
1784	Nogmin32.exe
1784	Nogmin32.exe
2808	Nlbgkgcc.exe
2808	Nlbgkgcc.exe
2700	Ncloha32.exe
2700	Ncloha32.exe
1568	Oihdjk32.exe
1568	Oihdjk32.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgiobadq.exe	Lnnndl32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Mbginomj.exe
File created	C:\Windows\SysWOW64\Nogmin32.exe	Nhnemdbf.exe
File opened for modification	C:\Windows\SysWOW64\Jjnlikic.exe	Jflgph32.exe
File opened for modification	C:\Windows\SysWOW64\Kopnma32.exe	Kgdiho32.exe
File opened for modification	C:\Windows\SysWOW64\Kcngcp32.exe	Kopnma32.exe
File created	C:\Windows\SysWOW64\Dmadmn32.dll	Kopnma32.exe
File created	C:\Windows\SysWOW64\Liaeleak.exe	Kpgdnp32.exe
File opened for modification	C:\Windows\SysWOW64\Nmmjjk32.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Oihdjk32.exe	Ncloha32.exe
File opened for modification	C:\Windows\SysWOW64\Oihdjk32.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Capgei32.dll	Lfnlcnih.exe
File created	C:\Windows\SysWOW64\Monjcp32.exe	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Mehbpjjk.exe	Monjcp32.exe
File opened for modification	C:\Windows\SysWOW64\Jneoojeb.exe	Jhfjadim.exe
File created	C:\Windows\SysWOW64\Obdngaom.dll	Jhfjadim.exe
File opened for modification	C:\Windows\SysWOW64\Kgdiho32.exe	Jjqiok32.exe
File created	C:\Windows\SysWOW64\Kcngcp32.exe	Kopnma32.exe
File opened for modification	C:\Windows\SysWOW64\Lfnlcnih.exe	Lgiobadq.exe
File created	C:\Windows\SysWOW64\Ibnjlg32.dll	Mifkfhpa.exe
File created	C:\Windows\SysWOW64\Kopnma32.exe	Kgdiho32.exe
File created	C:\Windows\SysWOW64\Mdpnaccc.dll	Kkilgb32.exe
File created	C:\Windows\SysWOW64\Ahlfoh32.dll	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Gaiboaic.dll	Liaeleak.exe
File created	C:\Windows\SysWOW64\Mehbpjjk.exe	Monjcp32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Jjqiok32.exe	Jjnlikic.exe
File created	C:\Windows\SysWOW64\Lnnndl32.exe	Liaeleak.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Nhnemdbf.exe
File created	C:\Windows\SysWOW64\Ipkema32.exe	eb0be64e4ce23c4761171ff81f766a80N.exe
File opened for modification	C:\Windows\SysWOW64\Monjcp32.exe	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Koqdolib.dll	Maapjjml.exe
File created	C:\Windows\SysWOW64\Mpqaniil.dll	Jneoojeb.exe
File created	C:\Windows\SysWOW64\Hjchkfnl.dll	Jflgph32.exe
File created	C:\Windows\SysWOW64\Kpgdnp32.exe	Kkilgb32.exe
File created	C:\Windows\SysWOW64\Lffojn32.dll	Lnnndl32.exe
File created	C:\Windows\SysWOW64\Qgdecm32.dll	Lgiobadq.exe
File created	C:\Windows\SysWOW64\Nkjdcp32.exe	Maapjjml.exe
File created	C:\Windows\SysWOW64\Kanafj32.dll	Nkjdcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nogmin32.exe	Nhnemdbf.exe
File opened for modification	C:\Windows\SysWOW64\Jhfjadim.exe	Ipkema32.exe
File created	C:\Windows\SysWOW64\Jjnlikic.exe	Jflgph32.exe
File created	C:\Windows\SysWOW64\Eldplnan.dll	Kgdiho32.exe
File opened for modification	C:\Windows\SysWOW64\Liaeleak.exe	Kpgdnp32.exe
File opened for modification	C:\Windows\SysWOW64\Lnnndl32.exe	Liaeleak.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Maapjjml.exe	Mifkfhpa.exe
File opened for modification	C:\Windows\SysWOW64\Ipkema32.exe	eb0be64e4ce23c4761171ff81f766a80N.exe
File opened for modification	C:\Windows\SysWOW64\Jjqiok32.exe	Jjnlikic.exe
File opened for modification	C:\Windows\SysWOW64\Mcbmmbhb.exe	Lfnlcnih.exe
File created	C:\Windows\SysWOW64\Iocpgbkc.dll	Mcbmmbhb.exe
File created	C:\Windows\SysWOW64\Mifkfhpa.exe	Mehbpjjk.exe
File created	C:\Windows\SysWOW64\Jhfjadim.exe	Ipkema32.exe
File created	C:\Windows\SysWOW64\Lfnlcnih.exe	Lgiobadq.exe
File created	C:\Windows\SysWOW64\Mcbmmbhb.exe	Lfnlcnih.exe
File opened for modification	C:\Windows\SysWOW64\Mbginomj.exe	Mcbmmbhb.exe
File created	C:\Windows\SysWOW64\Mgnigi32.dll	Kcngcp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgdnp32.exe	Kkilgb32.exe
File created	C:\Windows\SysWOW64\Moanhnka.dll	Ncloha32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Eljgid32.dll	eb0be64e4ce23c4761171ff81f766a80N.exe
File created	C:\Windows\SysWOW64\Hfndae32.dll	Mbginomj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2868	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb0be64e4ce23c4761171ff81f766a80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jflgph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjqiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfjadim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkilgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jneoojeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopnma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnnndl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mehbpjjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mifkfhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liaeleak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgiobadq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbginomj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlbgkgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcngcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfnlcnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcbmmbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnlikic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maapjjml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjdcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmmjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihdjk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmmjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmmjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahlfoh32.dll"	Mmmnkglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnigi32.dll"	Kcngcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Monjcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcngcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll"	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baohnn32.dll"	Monjcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmlp32.dll"	Mehbpjjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqaniil.dll"	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjqiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfnlcnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Monjcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mifkfhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll"	eb0be64e4ce23c4761171ff81f766a80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnlikic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffojn32.dll"	Lnnndl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdecm32.dll"	Lgiobadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanhnka.dll"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jflgph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnjlg32.dll"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipkema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbmmbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	eb0be64e4ce23c4761171ff81f766a80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebopgbd.dll"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcngcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncloha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eb0be64e4ce23c4761171ff81f766a80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdngaom.dll"	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkilgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebiiiec.dll"	Jjqiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqfladk.dll"	Kpgdnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiboaic.dll"	Liaeleak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfnlcnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mehbpjjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jneoojeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jflgph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjqiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capgei32.dll"	Lfnlcnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll"	Mbginomj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liaeleak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnnndl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2116	2088	eb0be64e4ce23c4761171ff81f766a80N.exe	30
PID 2088 wrote to memory of 2116	2088	eb0be64e4ce23c4761171ff81f766a80N.exe	30
PID 2088 wrote to memory of 2116	2088	eb0be64e4ce23c4761171ff81f766a80N.exe	30
PID 2088 wrote to memory of 2116	2088	eb0be64e4ce23c4761171ff81f766a80N.exe	30
PID 2116 wrote to memory of 2812	2116	Ipkema32.exe	31
PID 2116 wrote to memory of 2812	2116	Ipkema32.exe	31
PID 2116 wrote to memory of 2812	2116	Ipkema32.exe	31
PID 2116 wrote to memory of 2812	2116	Ipkema32.exe	31
PID 2812 wrote to memory of 2564	2812	Jhfjadim.exe	32
PID 2812 wrote to memory of 2564	2812	Jhfjadim.exe	32
PID 2812 wrote to memory of 2564	2812	Jhfjadim.exe	32
PID 2812 wrote to memory of 2564	2812	Jhfjadim.exe	32
PID 2564 wrote to memory of 2860	2564	Jneoojeb.exe	33
PID 2564 wrote to memory of 2860	2564	Jneoojeb.exe	33
PID 2564 wrote to memory of 2860	2564	Jneoojeb.exe	33
PID 2564 wrote to memory of 2860	2564	Jneoojeb.exe	33
PID 2860 wrote to memory of 2556	2860	Jflgph32.exe	34
PID 2860 wrote to memory of 2556	2860	Jflgph32.exe	34
PID 2860 wrote to memory of 2556	2860	Jflgph32.exe	34
PID 2860 wrote to memory of 2556	2860	Jflgph32.exe	34
PID 2556 wrote to memory of 2964	2556	Jjnlikic.exe	35
PID 2556 wrote to memory of 2964	2556	Jjnlikic.exe	35
PID 2556 wrote to memory of 2964	2556	Jjnlikic.exe	35
PID 2556 wrote to memory of 2964	2556	Jjnlikic.exe	35
PID 2964 wrote to memory of 2540	2964	Jjqiok32.exe	36
PID 2964 wrote to memory of 2540	2964	Jjqiok32.exe	36
PID 2964 wrote to memory of 2540	2964	Jjqiok32.exe	36
PID 2964 wrote to memory of 2540	2964	Jjqiok32.exe	36
PID 2540 wrote to memory of 1752	2540	Kgdiho32.exe	37
PID 2540 wrote to memory of 1752	2540	Kgdiho32.exe	37
PID 2540 wrote to memory of 1752	2540	Kgdiho32.exe	37
PID 2540 wrote to memory of 1752	2540	Kgdiho32.exe	37
PID 1752 wrote to memory of 2624	1752	Kopnma32.exe	38
PID 1752 wrote to memory of 2624	1752	Kopnma32.exe	38
PID 1752 wrote to memory of 2624	1752	Kopnma32.exe	38
PID 1752 wrote to memory of 2624	1752	Kopnma32.exe	38
PID 2624 wrote to memory of 1656	2624	Kcngcp32.exe	39
PID 2624 wrote to memory of 1656	2624	Kcngcp32.exe	39
PID 2624 wrote to memory of 1656	2624	Kcngcp32.exe	39
PID 2624 wrote to memory of 1656	2624	Kcngcp32.exe	39
PID 1656 wrote to memory of 1668	1656	Kkilgb32.exe	40
PID 1656 wrote to memory of 1668	1656	Kkilgb32.exe	40
PID 1656 wrote to memory of 1668	1656	Kkilgb32.exe	40
PID 1656 wrote to memory of 1668	1656	Kkilgb32.exe	40
PID 1668 wrote to memory of 1368	1668	Kpgdnp32.exe	41
PID 1668 wrote to memory of 1368	1668	Kpgdnp32.exe	41
PID 1668 wrote to memory of 1368	1668	Kpgdnp32.exe	41
PID 1668 wrote to memory of 1368	1668	Kpgdnp32.exe	41
PID 1368 wrote to memory of 2176	1368	Liaeleak.exe	42
PID 1368 wrote to memory of 2176	1368	Liaeleak.exe	42
PID 1368 wrote to memory of 2176	1368	Liaeleak.exe	42
PID 1368 wrote to memory of 2176	1368	Liaeleak.exe	42
PID 2176 wrote to memory of 2124	2176	Lnnndl32.exe	43
PID 2176 wrote to memory of 2124	2176	Lnnndl32.exe	43
PID 2176 wrote to memory of 2124	2176	Lnnndl32.exe	43
PID 2176 wrote to memory of 2124	2176	Lnnndl32.exe	43
PID 2124 wrote to memory of 1384	2124	Lgiobadq.exe	44
PID 2124 wrote to memory of 1384	2124	Lgiobadq.exe	44
PID 2124 wrote to memory of 1384	2124	Lgiobadq.exe	44
PID 2124 wrote to memory of 1384	2124	Lgiobadq.exe	44
PID 1384 wrote to memory of 336	1384	Lfnlcnih.exe	45
PID 1384 wrote to memory of 336	1384	Lfnlcnih.exe	45
PID 1384 wrote to memory of 336	1384	Lfnlcnih.exe	45
PID 1384 wrote to memory of 336	1384	Lfnlcnih.exe	45

C:\Users\Admin\AppData\Local\Temp\eb0be64e4ce23c4761171ff81f766a80N.exe
"C:\Users\Admin\AppData\Local\Temp\eb0be64e4ce23c4761171ff81f766a80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Ipkema32.exe
  C:\Windows\system32\Ipkema32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\Jhfjadim.exe
    C:\Windows\system32\Jhfjadim.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Jneoojeb.exe
      C:\Windows\system32\Jneoojeb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\Jflgph32.exe
        
        C:\Windows\system32\Jflgph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\Jjnlikic.exe
        
        C:\Windows\system32\Jjnlikic.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Jjqiok32.exe
        
        C:\Windows\system32\Jjqiok32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Kgdiho32.exe
        
        C:\Windows\system32\Kgdiho32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Kopnma32.exe
        
        C:\Windows\system32\Kopnma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Kcngcp32.exe
        
        C:\Windows\system32\Kcngcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Kkilgb32.exe
        
        C:\Windows\system32\Kkilgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Liaeleak.exe
        
        C:\Windows\system32\Liaeleak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Lnnndl32.exe
        
        C:\Windows\system32\Lnnndl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Lgiobadq.exe
        
        C:\Windows\system32\Lgiobadq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Lfnlcnih.exe
        
        C:\Windows\system32\Lfnlcnih.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Mcbmmbhb.exe
        
        C:\Windows\system32\Mcbmmbhb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Mbginomj.exe
        
        C:\Windows\system32\Mbginomj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Monjcp32.exe
        
        C:\Windows\system32\Monjcp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Mehbpjjk.exe
        
        C:\Windows\system32\Mehbpjjk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Mifkfhpa.exe
        
        C:\Windows\system32\Mifkfhpa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Maapjjml.exe
        
        C:\Windows\system32\Maapjjml.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Nkjdcp32.exe
        
        C:\Windows\system32\Nkjdcp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Nmmjjk32.exe
        
        C:\Windows\system32\Nmmjjk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Nlbgkgcc.exe
        
        C:\Windows\system32\Nlbgkgcc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Oihdjk32.exe
        
        C:\Windows\system32\Oihdjk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ipkema32.exe

Filesize
96KB

MD5
d8e1ac071c3f0de4ff548e6f44e1f980

SHA1
db5c5fa54ba2d2074882b6cf2a93550d8588e5ef

SHA256
c4e993091ce23d058cf6cc51921643308aadb1ea65ca5bc906f0455f67f6e846

SHA512
aaaa87e67ce1713c9777a74fe562c24c7a751151523906d1ceed800cb7a0a583d4de20dfbec364195176b9bd0e877e2888b48dbd6debdb42149bb0d00f3213ed

Download Submit
C:\Windows\SysWOW64\Jflgph32.exe

Filesize
96KB

MD5
4e36fb9f2f65d0891f1dd8b0433adcb7

SHA1
80ea331464ce67dff52e522b42172039c233e0aa

SHA256
1a3462d8a361dc22a927fdf0c33e2786dc8861ca11703b872f214e20f9372991

SHA512
f37b00bccfb27b67f8c0d8cd50a87911b53b372dd95afcac0c3f6e5fd638b24f89f887fc7fdb8d00c4f6ceb579dcc9e3aa2021d93dc951253529219370661fa9

Download Submit
C:\Windows\SysWOW64\Jhfjadim.exe

Filesize
96KB

MD5
10ac5710667a4136cd8be7eada60979b

SHA1
e5336956665ce56dcd7aa46215503b23beafa463

SHA256
2a03b1617d86019c2f059e79dcb00b2f1e65b3e5dbe694dbcae8f973a63e6a60

SHA512
c890ee966bab1b19b94af73498ef9847d4088e3201235d60f23b54f23dbc5f9d62025912573816b7e6512f2e2d4605d8a0c7db21e90c5aa9535b188b617f8767

Download Submit
C:\Windows\SysWOW64\Jjnlikic.exe

Filesize
96KB

MD5
4fd6394bb6c139871ce86be3265d199b

SHA1
96d21d8af11f7df75df100de46432efd4d948cce

SHA256
b4710f2f124bd11cfc03888e2bf94b9870b807d0d6a2992c9fbb2708486ae3a7

SHA512
54f56259cb9fdb5cfc9b394eb5af05cf205ba2285cde028e1bbbffb6da0f3961d9edd03202ba06ab712b7a7637d32d1934d8312a2c6abad6ce342bf25c08747f

Download Submit
C:\Windows\SysWOW64\Jjqiok32.exe

Filesize
96KB

MD5
fd2d05fb9901d4c600cf81e728390f01

SHA1
65d808bf717e4e1d8daac67133cdb935973871d8

SHA256
d1dbb1d21e28bf2eb31b5b248e93a4d39cb4e32e243fa39b018ccded4e375c52

SHA512
c10708879cacf32486320ce7d2fba902ab96b6a56788920cdbc61f8c3d781737b48f98a520dabd3de59cb6bc59afc82e79326d05b2fa80527b467b85372e8536

Download Submit
C:\Windows\SysWOW64\Jneoojeb.exe

Filesize
96KB

MD5
27724323ab9b0d155e77f4f9301aaeeb

SHA1
0943171e726b5f12ad31c262bd06e517deba5959

SHA256
dc30e3c5909f1e275bb6b2ba6f09bcadf00e8a52c6564686473986d89ab9594d

SHA512
afdbe1f267ad8f6740d87f62bcd93ba8a16a5e30ddfaf6741c7ed84e28e278cd38b3d5f66597c69a5bb44e1c6a6bda5473e56d67144af83ede3245fd5cfe3fbe

Download Submit
C:\Windows\SysWOW64\Kcngcp32.exe

Filesize
96KB

MD5
7fd66a34f017efcb2ac8c10d2d750918

SHA1
1e007138969118d9106fc5a7344938ed962827b8

SHA256
ee433496623b653fc8de7fd20b26d14ca7d55329179d1cd158f1522eec208834

SHA512
807c3fc9fa5f46e70172759fe2921253180fc36b96649a7a83eda0e2c5acc4fb05b7520730dbc4dd49872ddbdb749ef4840df172fe9f4c0055dcf9296cec0f26

Download Submit
C:\Windows\SysWOW64\Kkilgb32.exe

Filesize
96KB

MD5
eb3f75a726c821e730e575a8e045cccb

SHA1
1b2012b767ce25e5f6a67511a150e8112d6e9fe9

SHA256
1c70ad8f2c4f52ca8e09f458652eaf6d978d3b3a891a773f9b6c6ac32312b1b6

SHA512
aa703ae875788b8f290776e7e058fbd41f090f30ded36cdfd04281b99a715b721802ba17955c1babb025b5dfa084af540709b587d4b7dec378e533e3390ada11

Download Submit
C:\Windows\SysWOW64\Kopnma32.exe

Filesize
96KB

MD5
b05a4080934de10ab7cbc70db4295832

SHA1
219f00e994e19811b9305191fcd9db7e480c559c

SHA256
e47164593a3a89fbe3472b78255b21d5a174f601c8448d8a882665c47d12d803

SHA512
1798693eb36696683fbb283ebcb125246267e03dd8fc43bfb42dd3c7c316cf009b7c9a26424ad510f393f6e9eef9b411ef2760bacb03e64e9ad11c515e4f2740

Download Submit
C:\Windows\SysWOW64\Kpgdnp32.exe

Filesize
96KB

MD5
e9dda12c661d257a21e40b1cdc0ed912

SHA1
3ae983898ccc0ee819439f7c17c83cbca911989d

SHA256
d221b1ec88b953f8048f1f267cd9ea93d31170b973ba45e89eccee7f71eb5357

SHA512
184f91fc7065255a693b2a173d729f928fd50f4e499e0bb1f1d2bdd506fcae6c60d518a2147120ade7ec2973420dcc3fc5263f9b7a8f4a2be274e164046b78d5

Download Submit
C:\Windows\SysWOW64\Lgiobadq.exe

Filesize
96KB

MD5
ffbfc01cb5c0a559f08dcec2f084d78d

SHA1
90f6f426351ab7b0349dbeac6240ea6f10ba57f9

SHA256
d18708a761d4cfc0f2af2430b585fd6246917cb9481f688b02fca6070eb0457e

SHA512
4d10840f6cffa4f970992c70d56215f474eb4624513e9bb37050837fe534d54f5a150c9efb083a2f5de27b2993fa1ad773cd162e7b4a6d3688d4319f84c89a84

Download Submit
C:\Windows\SysWOW64\Liaeleak.exe

Filesize
96KB

MD5
dcbb5823178d8b5de91a5530022c8c55

SHA1
5f40f02ea22cc47498deb033ecb16c176a0252a4

SHA256
f53e042de92a801e91ca9bb2ee01272ad50f2685314415952b6edb7eba9cb4bd

SHA512
dbd84125f0d60a20d33c029883debde8ed73b13ebf185ce955d447adde1dbad942fed68aa9fce5b82102ba8225c6e529647738f7c27dac313387999dd3119fdd

Download Submit
C:\Windows\SysWOW64\Lnnndl32.exe

Filesize
96KB

MD5
637e2d97313cb547ddec933b157496a2

SHA1
400fe9904f11d9a65aa0d17a5ce07d3775926005

SHA256
ccf06c93fdb46c0e5b02f2c5af7be643e6d48c376d9333816caafd0bce93f2aa

SHA512
d84b5dbb16ab30a0b2db29d70255c6b11eaf3bb48171df6cf1f7af1fa55966f78117fb79047abc6757b17a305a05a9b5592513f0a1f87f2120968f004a0aff13

Download Submit
C:\Windows\SysWOW64\Maapjjml.exe

Filesize
96KB

MD5
6c80e7de1e63df36d56c57d39acb9681

SHA1
c5cda27a8d60ec25ecdf03d95dad0236a226d99f

SHA256
621844d3d942e2b3f5f0e47aafd863a293715dfcc1b9a87f9fd4bd8bbd383edf

SHA512
b4610663294c85a2ddf67940696b6d55d5142d1bb36118b32cbf1002c8c8750d4614286fa3189a672042d618041477c60dbab7382c880fab15a3e53a862d4244

Download Submit
C:\Windows\SysWOW64\Mbginomj.exe

Filesize
96KB

MD5
c4d21f88b62247b15b7c4993bb6948a5

SHA1
9661c905c435aba138fe64ef2abecc2f38963eed

SHA256
912d5392bcb4b4500c4bc43fb66684bbcc7a123f41481e97e155725190c09357

SHA512
f932e69392bad99b968e19c051b6370dbec3170c1f81bc0d50fd2b5c80da6ec962d53bbca3b90759d942faefbaf263c61938f9da8cda67d264ddfa40aac4c754

Download Submit
C:\Windows\SysWOW64\Mcbmmbhb.exe

Filesize
96KB

MD5
85d8ede9e3b3cee911655018961a3a94

SHA1
2677a6bf4cf992dd8a90ad933a8e93efabc8a463

SHA256
6923b4dedeb2e79e167783af9bbea5d1b5aa75773c5a2a237e5adde67cbd27c3

SHA512
8d454ce5986c74c1cfe4f431b364070a33bbdf4aacf598b9e7599a4d79c43213e78d81b80d3d1a0646e432b28476fc65ffe72102041d4cd4ef006fedc949b76c

Download Submit
C:\Windows\SysWOW64\Mehbpjjk.exe

Filesize
96KB

MD5
1491aa819d098705c00b735e2d16d97a

SHA1
c5901d6a6168614aa8586f9fd9a963622f3a6b20

SHA256
b18cdd0a8852ebca71fd3e2e736e70de0239c58495dbafd683dd3ba0297bde38

SHA512
48716aaa5b3d46609ab67764c6c889ddae1f421fc168f2b13f0acb996386632ac12f3d3219ebdfa7bb7b238fbacaca82c976410abbbe38d15e432032564639dd

Download Submit
C:\Windows\SysWOW64\Mifkfhpa.exe

Filesize
96KB

MD5
526d5109ef6e918ffad2d208dfed0cae

SHA1
8d9211a1f681a48e065a10d629b6bf0982c3f266

SHA256
31a32c7d58723ee4f2729f2037c8e9133167426ada15b6514ed14b99fcdc8844

SHA512
be73bfafa97832c38107b53952777119d0fbe1efb87a1e9a1407fda0d0031d4a1cfefe98bf68c7a3c492d25e3f8c0f90f0f76cfdf4d90e5048f9ac5df5f10573

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
96KB

MD5
b3cddedc8c11aa43186afee365443f5d

SHA1
fdaf1823f03251ba2da7e2202624f9f8d1ae0a3e

SHA256
88efd66d4a45517a7913444b08dbfd425620000d9eb03a9a8df0535a7e920329

SHA512
cea270946d8eb2efa042f82267935685e2aef6c1508bd50cdff3a06daafe572f2da8d350a600c9333e86411124d0b31c4c9a9230b72cefba38989e8bfcb778b6

Download Submit
C:\Windows\SysWOW64\Monjcp32.exe

Filesize
96KB

MD5
e790124c0b532154bdded25008037f1f

SHA1
b36bb124f808276eb161d4c14363adb8a85cd546

SHA256
3d05ad9336101280c141fefc712744eb2a24e6a0445fed6206df80eed8880592

SHA512
0697c2081d10aa194e9b3b47cf7ea372ea4da4e2cb86a25228ee12738d3e471f4fe47e601216607870d31ca37886e57b6e782cb2d3a82e40397ba429ff987733

Download Submit
C:\Windows\SysWOW64\Ncloha32.exe

Filesize
96KB

MD5
d04f3e45781aaea576f30f474ae4e753

SHA1
8d0858e4cb4e4333e8fc3930d75e22e098f3f9e5

SHA256
15ef26c6f5548657066c74aa75914da0602706975ba56a6489f406b1dc0cdd02

SHA512
e1f9c45a077745e3901e9adbdc0e8ed693bfeb4c8874d796c78a2da05adef4a231b4f8e5ac3cf93b8cd6a9809106e30802102e85dbb9103331e3022c1926c7e5

Download Submit
C:\Windows\SysWOW64\Nhnemdbf.exe

Filesize
96KB

MD5
2046b8c3c6ccd222eb0b96e5670583cf

SHA1
24700b08ed2c8d3bbdaf1ab3d4dcd668f731f315

SHA256
9761f7e260bfce470886a208505d0447b0d4359574b22e01572c579dce410767

SHA512
b3db636e37ca665802e082e1651f9c20e77a7f3a2ad69a221a656b0eb6b3feadb07a89b71b8406c64f36428877c2c71798853e6af1b6b44dd458de38743860fd

Download Submit
C:\Windows\SysWOW64\Nkjdcp32.exe

Filesize
96KB

MD5
b9be1bb9b26d3616395b52fac2a18b24

SHA1
f73d1677b7b19d1148b3beccb41ae9cd5f5c505a

SHA256
362bf38bdcf279a2872a62d79a6edc18e8b5cb475e5de728352ad4178b45ff74

SHA512
a022db1a5d06ee47a48d5ecba6676a26e18e56a93bc1cc64a24d2e7427522d145f397f599c6a0add22e90579b42931fae3d4b5cf2e9a9abfe9ddbe29eca01029

Download Submit
C:\Windows\SysWOW64\Nmmjjk32.exe

Filesize
96KB

MD5
88165193fa797e0e0de86b36661eb511

SHA1
65bc7eb4bf65385a6d7228594aded0923e081474

SHA256
1eea5fd53900805e757ca854072b6d78ad9e7c7f14b172496ea0c6c1811fbaa6

SHA512
ecf3b58c53537aa70a7e5698790f757fb58b37c08d4934462ba3175dc87a870190007c91577130365facda29cc3a1fcedcfdf689e7984006b52bdb73cc92c65f

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
96KB

MD5
8645112ac350befb16266cecce4f87aa

SHA1
6c36809f15c2b8bc6e4793b1f1fa507247677369

SHA256
c302b5118713f17be529b1e844fe02c62b3875f672a48837be6f0ef9e0183158

SHA512
ef9f9688113fc0e1919a05883f49b4b48fc54c100d538351eb485d07f98f590047aa161efd91f5d6f7b4de66a4a60a9af440049a590795bbebb98fae56205ed5

Download Submit
C:\Windows\SysWOW64\Oihdjk32.exe

Filesize
96KB

MD5
f727debb08e43c175135994bd1f9f6ef

SHA1
52faaefd6dc488275178b2baa8b1138669eec854

SHA256
e08ec4d6c3ab1e0b4f46e21fa5af9678ea7696944748072cbb465376e791b020

SHA512
5714a01bc7cc8c72c4a30f2646694e567ddadd9e53e7149d9f4d17a52c8250d3e71f39413c5af240164493a2c1ce314229fb33faa11c8b6f88e0c9fb1687892c

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
96KB

MD5
f61b07767049cda6b36908444e5d05ed

SHA1
65bf0fd79e7445374e2bcd2c7f8f50c5486fd507

SHA256
059eab450432af92616e03f751419435363bafb8b858995589d182347d44de3e

SHA512
25aa8c6e10c2d44ee9d817942d962a7d9052e309203a2fb8fe86317c56ab19966f2eb8ce79ce0bb6ccd1c7a40581b30cbb52b77654064084b03e3a6c607d706a

Download Submit
\Windows\SysWOW64\Kgdiho32.exe

Filesize
96KB

MD5
9160db9262109922ee50b9a7915d87bc

SHA1
ca3cc2b4a3603941663ca05199f410c5abd3e939

SHA256
c5112d96e6d827ff479c56554d6e456c540e6c8c21c4e34ab490b3bd53b89e04

SHA512
6ebea5c629aec5a9b1e90dfe3f8891084d600148c5df25cb81522140de73241a4336983edaa1aca3e51265999d1955cb5d8b5a402558647c58d0e4c1c868127c

Download Submit
\Windows\SysWOW64\Lfnlcnih.exe

Filesize
96KB

MD5
40c235b84d1a8eef5c28132f3e75fe4d

SHA1
43ee3f8564c6cbf7a0fd46db5e72ac74b70e8141

SHA256
2c0203ea986bffb3f9a9b2b35b20ffc315e1a446350bed35a681860e9fb91552

SHA512
8fb41c10f58b997ba87a8b7705adfba5a0f5f70b0ac391a987287677f4f4bc4c62bd673c07765b1a0dcef67d0d33e9ebcaebe2033716b738b454480642a6a796

Download Submit
memory/336-226-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/336-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-245-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1036-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-232-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1188-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-169-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1368-175-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1384-211-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1384-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-141-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1656-147-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1656-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-161-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1668-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-261-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1732-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-254-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1752-113-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1752-118-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1752-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-290-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1760-294-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1784-315-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1784-316-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1784-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-7-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/2088-12-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/2088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-198-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2124-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-188-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2204-283-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2204-279-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2204-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-319-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2288-318-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2540-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-105-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2556-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-132-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2624-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-341-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2700-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-342-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2808-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-330-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2808-326-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2808-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-39-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2812-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-61-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2860-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-87-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2964-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-304-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2988-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-305-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3004-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads