ec6f695b6f87296bc095033b4e409119946ea34c83443826155cafb19cfc465c

Analysis

max time kernel
71s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b410c6e36a097b236762409785215700N.exe
Size

78KB
MD5

b410c6e36a097b236762409785215700
SHA1

a188c074c4957aa025f80af9a9a30fa8a8ef2808
SHA256

ec6f695b6f87296bc095033b4e409119946ea34c83443826155cafb19cfc465c
SHA512

4246cf4841152360ac20c98e755bcc8b606f0b78ef67543a9c63e073fb5666b7f6aec7d4c5acaea93720bc0bbc2df2acb24d1da3c7996e0476100e23806219a2
SSDEEP

1536:oyXhnFjryoS0D0f+ybErHhUcIkIggsJVHcbns:oOnJrjhD0pbEicIogsDes

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmjfe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfklepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcdbcloi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeoimeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljcbcngi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggkipci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbniohpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoipnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geaofc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghbhhnhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbibb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffeldglk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmefad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloilcci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilmlfcel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b410c6e36a097b236762409785215700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghbhhnhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hginnmml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmnkglp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbniohpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgbcofn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjmekan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glijnmdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcppgbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igpdnlgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimlqfeq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmmjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hilgfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmqieh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljcbcngi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ialadj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqokgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgdnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgqlc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddeae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpbih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmqieh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloilcci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdogldmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbmco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpcho32.exe

Executes dropped EXE 54 IoCs

pid	Process
320	Efpbih32.exe
2904	Fcdbcloi.exe
2892	Ffeldglk.exe
2996	Fcilnl32.exe
2712	Fbniohpl.exe
2764	Glijnmdj.exe
2452	Geaofc32.exe
2200	Ghbhhnhk.exe
1692	Gieaef32.exe
2992	Hmefad32.exe
1080	Hogcil32.exe
1228	Hilgfe32.exe
2132	Hoipnl32.exe
1888	Holldk32.exe
112	Hhdqma32.exe
900	Hmqieh32.exe
1544	Hginnmml.exe
1784	Igpdnlgd.exe
1988	Ilmlfcel.exe
2724	Iloilcci.exe
668	Ialadj32.exe
2532	Jdmjfe32.exe
1116	Jkgbcofn.exe
2920	Jdogldmo.exe
2812	Jbcgeilh.exe
2964	Jgbmco32.exe
2876	Jnlepioj.exe
2728	Kopnma32.exe
2784	Kqokgd32.exe
2128	Kmfklepl.exe
2480	Kcpcho32.exe
1056	Kimlqfeq.exe
2156	Kpgdnp32.exe
2312	Lgbibb32.exe
540	Lbhmok32.exe
2260	Ljcbcngi.exe
1752	Ljeoimeg.exe
2204	Ljgkom32.exe
2792	Lcppgbjd.exe
1052	Lpgqlc32.exe
1680	Mjlejl32.exe
832	Mbginomj.exe
684	Mmmnkglp.exe
2008	Nkjdcp32.exe
560	Ngqeha32.exe
1928	Nmjmekan.exe
1128	Nddeae32.exe
1468	Nmmjjk32.exe
2188	Ncjbba32.exe
2856	Nmogpj32.exe
2968	Nggkipci.exe
2148	Nmacej32.exe
2780	Oemhjlha.exe
1716	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
584	b410c6e36a097b236762409785215700N.exe
584	b410c6e36a097b236762409785215700N.exe
320	Efpbih32.exe
320	Efpbih32.exe
2904	Fcdbcloi.exe
2904	Fcdbcloi.exe
2892	Ffeldglk.exe
2892	Ffeldglk.exe
2996	Fcilnl32.exe
2996	Fcilnl32.exe
2712	Fbniohpl.exe
2712	Fbniohpl.exe
2764	Glijnmdj.exe
2764	Glijnmdj.exe
2452	Geaofc32.exe
2452	Geaofc32.exe
2200	Ghbhhnhk.exe
2200	Ghbhhnhk.exe
1692	Gieaef32.exe
1692	Gieaef32.exe
2992	Hmefad32.exe
2992	Hmefad32.exe
1080	Hogcil32.exe
1080	Hogcil32.exe
1228	Hilgfe32.exe
1228	Hilgfe32.exe
2132	Hoipnl32.exe
2132	Hoipnl32.exe
1888	Holldk32.exe
1888	Holldk32.exe
112	Hhdqma32.exe
112	Hhdqma32.exe
900	Hmqieh32.exe
900	Hmqieh32.exe
1544	Hginnmml.exe
1544	Hginnmml.exe
1784	Igpdnlgd.exe
1784	Igpdnlgd.exe
1988	Ilmlfcel.exe
1988	Ilmlfcel.exe
2724	Iloilcci.exe
2724	Iloilcci.exe
668	Ialadj32.exe
668	Ialadj32.exe
2532	Jdmjfe32.exe
2532	Jdmjfe32.exe
1116	Jkgbcofn.exe
1116	Jkgbcofn.exe
2920	Jdogldmo.exe
2920	Jdogldmo.exe
2812	Jbcgeilh.exe
2812	Jbcgeilh.exe
2964	Jgbmco32.exe
2964	Jgbmco32.exe
2876	Jnlepioj.exe
2876	Jnlepioj.exe
2728	Kopnma32.exe
2728	Kopnma32.exe
2784	Kqokgd32.exe
2784	Kqokgd32.exe
2128	Kmfklepl.exe
2128	Kmfklepl.exe
2480	Kcpcho32.exe
2480	Kcpcho32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iloilcci.exe	Ilmlfcel.exe
File created	C:\Windows\SysWOW64\Lgbibb32.exe	Kpgdnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ljcbcngi.exe	Lbhmok32.exe
File created	C:\Windows\SysWOW64\Onmfnc32.dll	Holldk32.exe
File created	C:\Windows\SysWOW64\Jejffpah.dll	Hhdqma32.exe
File opened for modification	C:\Windows\SysWOW64\Nddeae32.exe	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Hfndae32.dll	Mbginomj.exe
File created	C:\Windows\SysWOW64\Jgbmco32.exe	Jbcgeilh.exe
File opened for modification	C:\Windows\SysWOW64\Mmmnkglp.exe	Mbginomj.exe
File opened for modification	C:\Windows\SysWOW64\Igpdnlgd.exe	Hginnmml.exe
File created	C:\Windows\SysWOW64\Jdogldmo.exe	Jkgbcofn.exe
File opened for modification	C:\Windows\SysWOW64\Hmefad32.exe	Gieaef32.exe
File created	C:\Windows\SysWOW64\Nhcedjfb.dll	Nmacej32.exe
File created	C:\Windows\SysWOW64\Ikcejc32.dll	Glijnmdj.exe
File created	C:\Windows\SysWOW64\Hmefad32.exe	Gieaef32.exe
File created	C:\Windows\SysWOW64\Hilgfe32.exe	Hogcil32.exe
File created	C:\Windows\SysWOW64\Hhdqma32.exe	Holldk32.exe
File created	C:\Windows\SysWOW64\Blfkol32.dll	Ljgkom32.exe
File created	C:\Windows\SysWOW64\Cpgidb32.dll	Lpgqlc32.exe
File created	C:\Windows\SysWOW64\Dgbddi32.dll	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Fcdbcloi.exe	Efpbih32.exe
File created	C:\Windows\SysWOW64\Gieaef32.exe	Ghbhhnhk.exe
File opened for modification	C:\Windows\SysWOW64\Oemhjlha.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oemhjlha.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Oemhjlha.exe
File created	C:\Windows\SysWOW64\Danpld32.dll	Ghbhhnhk.exe
File created	C:\Windows\SysWOW64\Mjlejl32.exe	Lpgqlc32.exe
File opened for modification	C:\Windows\SysWOW64\Kqokgd32.exe	Kopnma32.exe
File created	C:\Windows\SysWOW64\Kimlqfeq.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Nkjdcp32.exe	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Bghemo32.dll	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Nmjmekan.exe	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Gcnemg32.dll	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Glijnmdj.exe	Fbniohpl.exe
File opened for modification	C:\Windows\SysWOW64\Gieaef32.exe	Ghbhhnhk.exe
File opened for modification	C:\Windows\SysWOW64\Nmogpj32.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Nmacej32.exe	Nggkipci.exe
File created	C:\Windows\SysWOW64\Cnhgnpbp.dll	Ljcbcngi.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	Nmmjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Jnlepioj.exe	Jgbmco32.exe
File created	C:\Windows\SysWOW64\Kcpcho32.exe	Kmfklepl.exe
File created	C:\Windows\SysWOW64\Lhkhmj32.dll	Fcilnl32.exe
File opened for modification	C:\Windows\SysWOW64\Hogcil32.exe	Hmefad32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfklepl.exe	Kqokgd32.exe
File created	C:\Windows\SysWOW64\Jjeman32.dll	Jbcgeilh.exe
File created	C:\Windows\SysWOW64\Kopnma32.exe	Jnlepioj.exe
File created	C:\Windows\SysWOW64\Ihggkhle.dll	Nmmjjk32.exe
File created	C:\Windows\SysWOW64\Cadbgifg.dll	Jkgbcofn.exe
File opened for modification	C:\Windows\SysWOW64\Nmjmekan.exe	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Hhdqma32.exe	Holldk32.exe
File opened for modification	C:\Windows\SysWOW64\Kopnma32.exe	Jnlepioj.exe
File created	C:\Windows\SysWOW64\Mdpnaccc.dll	Kimlqfeq.exe
File created	C:\Windows\SysWOW64\Ljgkom32.exe	Ljeoimeg.exe
File opened for modification	C:\Windows\SysWOW64\Ljgkom32.exe	Ljeoimeg.exe
File opened for modification	C:\Windows\SysWOW64\Efpbih32.exe	b410c6e36a097b236762409785215700N.exe
File created	C:\Windows\SysWOW64\Bghmmo32.dll	Geaofc32.exe
File created	C:\Windows\SysWOW64\Hginnmml.exe	Hmqieh32.exe
File created	C:\Windows\SysWOW64\Qmcelb32.dll	Igpdnlgd.exe
File created	C:\Windows\SysWOW64\Nddeae32.exe	Nmjmekan.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Nggkipci.exe
File created	C:\Windows\SysWOW64\Fbniohpl.exe	Fcilnl32.exe
File created	C:\Windows\SysWOW64\Hmqieh32.exe	Hhdqma32.exe
File created	C:\Windows\SysWOW64\Gjlbhe32.dll	Kqokgd32.exe
File created	C:\Windows\SysWOW64\Caolfcmm.dll	Kmfklepl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	1716	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efpbih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmefad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlepioj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfklepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcilnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hginnmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgdnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeoimeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgqlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmmjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbniohpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igpdnlgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimlqfeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghbhhnhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hogcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcgeilh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmekan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmogpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemhjlha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloilcci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjdcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcdbcloi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hilgfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoipnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljgkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggkipci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffeldglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nddeae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gieaef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ialadj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b410c6e36a097b236762409785215700N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glijnmdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopnma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geaofc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmqieh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmjfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbibb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljcbcngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbginomj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhdqma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmlfcel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpcho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgbcofn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdogldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcppgbjd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloilcci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfklepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcppgbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmhmkfc.dll"	Ffeldglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glijnmdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmefad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hilgfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmqieh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Admljpij.dll"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b410c6e36a097b236762409785215700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Holldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbcgeilh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjkof32.dll"	Fbniohpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glijnmdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geaofc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfebmdnh.dll"	Gieaef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpbih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmeoach.dll"	Fcdbcloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngbdiei.dll"	Hogcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjmekan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbddi32.dll"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieaef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmfnc32.dll"	Holldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejffpah.dll"	Hhdqma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfohq32.dll"	Ilmlfcel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkgbcofn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpgqlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkodkb.dll"	b410c6e36a097b236762409785215700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpbih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcilnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picadgfk.dll"	Kopnma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcilnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geaofc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbibb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcdbcloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hginnmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghmmo32.dll"	Geaofc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hilgfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpief32.dll"	Ialadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnlepioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljcbcngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Nmmjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b410c6e36a097b236762409785215700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danpld32.dll"	Ghbhhnhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oemhjlha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbhmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlnf32.dll"	Lbhmok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljeoimeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoipnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmmhm.dll"	Hoipnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmqieh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilmlfcel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlbhe32.dll"	Kqokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmmjjk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 320	584	b410c6e36a097b236762409785215700N.exe	30
PID 584 wrote to memory of 320	584	b410c6e36a097b236762409785215700N.exe	30
PID 584 wrote to memory of 320	584	b410c6e36a097b236762409785215700N.exe	30
PID 584 wrote to memory of 320	584	b410c6e36a097b236762409785215700N.exe	30
PID 320 wrote to memory of 2904	320	Efpbih32.exe	31
PID 320 wrote to memory of 2904	320	Efpbih32.exe	31
PID 320 wrote to memory of 2904	320	Efpbih32.exe	31
PID 320 wrote to memory of 2904	320	Efpbih32.exe	31
PID 2904 wrote to memory of 2892	2904	Fcdbcloi.exe	32
PID 2904 wrote to memory of 2892	2904	Fcdbcloi.exe	32
PID 2904 wrote to memory of 2892	2904	Fcdbcloi.exe	32
PID 2904 wrote to memory of 2892	2904	Fcdbcloi.exe	32
PID 2892 wrote to memory of 2996	2892	Ffeldglk.exe	33
PID 2892 wrote to memory of 2996	2892	Ffeldglk.exe	33
PID 2892 wrote to memory of 2996	2892	Ffeldglk.exe	33
PID 2892 wrote to memory of 2996	2892	Ffeldglk.exe	33
PID 2996 wrote to memory of 2712	2996	Fcilnl32.exe	34
PID 2996 wrote to memory of 2712	2996	Fcilnl32.exe	34
PID 2996 wrote to memory of 2712	2996	Fcilnl32.exe	34
PID 2996 wrote to memory of 2712	2996	Fcilnl32.exe	34
PID 2712 wrote to memory of 2764	2712	Fbniohpl.exe	35
PID 2712 wrote to memory of 2764	2712	Fbniohpl.exe	35
PID 2712 wrote to memory of 2764	2712	Fbniohpl.exe	35
PID 2712 wrote to memory of 2764	2712	Fbniohpl.exe	35
PID 2764 wrote to memory of 2452	2764	Glijnmdj.exe	36
PID 2764 wrote to memory of 2452	2764	Glijnmdj.exe	36
PID 2764 wrote to memory of 2452	2764	Glijnmdj.exe	36
PID 2764 wrote to memory of 2452	2764	Glijnmdj.exe	36
PID 2452 wrote to memory of 2200	2452	Geaofc32.exe	37
PID 2452 wrote to memory of 2200	2452	Geaofc32.exe	37
PID 2452 wrote to memory of 2200	2452	Geaofc32.exe	37
PID 2452 wrote to memory of 2200	2452	Geaofc32.exe	37
PID 2200 wrote to memory of 1692	2200	Ghbhhnhk.exe	38
PID 2200 wrote to memory of 1692	2200	Ghbhhnhk.exe	38
PID 2200 wrote to memory of 1692	2200	Ghbhhnhk.exe	38
PID 2200 wrote to memory of 1692	2200	Ghbhhnhk.exe	38
PID 1692 wrote to memory of 2992	1692	Gieaef32.exe	39
PID 1692 wrote to memory of 2992	1692	Gieaef32.exe	39
PID 1692 wrote to memory of 2992	1692	Gieaef32.exe	39
PID 1692 wrote to memory of 2992	1692	Gieaef32.exe	39
PID 2992 wrote to memory of 1080	2992	Hmefad32.exe	40
PID 2992 wrote to memory of 1080	2992	Hmefad32.exe	40
PID 2992 wrote to memory of 1080	2992	Hmefad32.exe	40
PID 2992 wrote to memory of 1080	2992	Hmefad32.exe	40
PID 1080 wrote to memory of 1228	1080	Hogcil32.exe	41
PID 1080 wrote to memory of 1228	1080	Hogcil32.exe	41
PID 1080 wrote to memory of 1228	1080	Hogcil32.exe	41
PID 1080 wrote to memory of 1228	1080	Hogcil32.exe	41
PID 1228 wrote to memory of 2132	1228	Hilgfe32.exe	42
PID 1228 wrote to memory of 2132	1228	Hilgfe32.exe	42
PID 1228 wrote to memory of 2132	1228	Hilgfe32.exe	42
PID 1228 wrote to memory of 2132	1228	Hilgfe32.exe	42
PID 2132 wrote to memory of 1888	2132	Hoipnl32.exe	43
PID 2132 wrote to memory of 1888	2132	Hoipnl32.exe	43
PID 2132 wrote to memory of 1888	2132	Hoipnl32.exe	43
PID 2132 wrote to memory of 1888	2132	Hoipnl32.exe	43
PID 1888 wrote to memory of 112	1888	Holldk32.exe	44
PID 1888 wrote to memory of 112	1888	Holldk32.exe	44
PID 1888 wrote to memory of 112	1888	Holldk32.exe	44
PID 1888 wrote to memory of 112	1888	Holldk32.exe	44
PID 112 wrote to memory of 900	112	Hhdqma32.exe	45
PID 112 wrote to memory of 900	112	Hhdqma32.exe	45
PID 112 wrote to memory of 900	112	Hhdqma32.exe	45
PID 112 wrote to memory of 900	112	Hhdqma32.exe	45

C:\Users\Admin\AppData\Local\Temp\b410c6e36a097b236762409785215700N.exe
"C:\Users\Admin\AppData\Local\Temp\b410c6e36a097b236762409785215700N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\Efpbih32.exe
  C:\Windows\system32\Efpbih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\Fcdbcloi.exe
    C:\Windows\system32\Fcdbcloi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\Ffeldglk.exe
      C:\Windows\system32\Ffeldglk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\Fcilnl32.exe
        
        C:\Windows\system32\Fcilnl32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\Fbniohpl.exe
        
        C:\Windows\system32\Fbniohpl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Glijnmdj.exe
        
        C:\Windows\system32\Glijnmdj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Geaofc32.exe
        
        C:\Windows\system32\Geaofc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ghbhhnhk.exe
        
        C:\Windows\system32\Ghbhhnhk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Gieaef32.exe
        
        C:\Windows\system32\Gieaef32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Hmefad32.exe
        
        C:\Windows\system32\Hmefad32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Hogcil32.exe
        
        C:\Windows\system32\Hogcil32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Hilgfe32.exe
        
        C:\Windows\system32\Hilgfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Hoipnl32.exe
        
        C:\Windows\system32\Hoipnl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Holldk32.exe
        
        C:\Windows\system32\Holldk32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hhdqma32.exe
        
        C:\Windows\system32\Hhdqma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Hmqieh32.exe
        
        C:\Windows\system32\Hmqieh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Hginnmml.exe
        
        C:\Windows\system32\Hginnmml.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Igpdnlgd.exe
        
        C:\Windows\system32\Igpdnlgd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Ilmlfcel.exe
        
        C:\Windows\system32\Ilmlfcel.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Iloilcci.exe
        
        C:\Windows\system32\Iloilcci.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Ialadj32.exe
        
        C:\Windows\system32\Ialadj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Jdmjfe32.exe
        
        C:\Windows\system32\Jdmjfe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Jkgbcofn.exe
        
        C:\Windows\system32\Jkgbcofn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Jdogldmo.exe
        
        C:\Windows\system32\Jdogldmo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Jbcgeilh.exe
        
        C:\Windows\system32\Jbcgeilh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Jgbmco32.exe
        
        C:\Windows\system32\Jgbmco32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jnlepioj.exe
        
        C:\Windows\system32\Jnlepioj.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Kopnma32.exe
        
        C:\Windows\system32\Kopnma32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Kqokgd32.exe
        
        C:\Windows\system32\Kqokgd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Kmfklepl.exe
        
        C:\Windows\system32\Kmfklepl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Kcpcho32.exe
        
        C:\Windows\system32\Kcpcho32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Kimlqfeq.exe
        
        C:\Windows\system32\Kimlqfeq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Kpgdnp32.exe
        
        C:\Windows\system32\Kpgdnp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Lgbibb32.exe
        
        C:\Windows\system32\Lgbibb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Lbhmok32.exe
        
        C:\Windows\system32\Lbhmok32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ljcbcngi.exe
        
        C:\Windows\system32\Ljcbcngi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ljeoimeg.exe
        
        C:\Windows\system32\Ljeoimeg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ljgkom32.exe
        
        C:\Windows\system32\Ljgkom32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Lcppgbjd.exe
        
        C:\Windows\system32\Lcppgbjd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Lpgqlc32.exe
        
        C:\Windows\system32\Lpgqlc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mbginomj.exe
        
        C:\Windows\system32\Mbginomj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Nkjdcp32.exe
        
        C:\Windows\system32\Nkjdcp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Ngqeha32.exe
        
        C:\Windows\system32\Ngqeha32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Nmjmekan.exe
        
        C:\Windows\system32\Nmjmekan.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Nddeae32.exe
        
        C:\Windows\system32\Nddeae32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Nmmjjk32.exe
        
        C:\Windows\system32\Nmmjjk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Nmogpj32.exe
        
        C:\Windows\system32\Nmogpj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Nggkipci.exe
        
        C:\Windows\system32\Nggkipci.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Oemhjlha.exe
        
        C:\Windows\system32\Oemhjlha.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 140
        56⤵
        Program crash
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efpbih32.exe

Filesize
78KB

MD5
13fc1caf705252411f03431b4c0d5f17

SHA1
6dca01e593799ae50ddee36fc1fa39cfd3e92cc4

SHA256
24a7f935ad890f24c358900f810617d22c1e915439670555c2d59644abef3e37

SHA512
80140b4e7f687490f6b382d4aa955b10b3f275c90531a9473c9446e52c90c045a2f8b4c0b65400c288ff12493b7b56478ab007812257db1041bd06b45277edfd

Download Submit
C:\Windows\SysWOW64\Fbniohpl.exe

Filesize
78KB

MD5
743774a34ab3918dd0b47aa6fa817f1d

SHA1
2d885b2ffa6f4892cf66f76bc9886e2c2fdf7e2a

SHA256
23423d3083bd7f4c3110642d15f37f16d1ea6419bf7f32c0419a143af41e89eb

SHA512
06ac0613d3838c19c1fbbac86f3fb459b883f67e82051f8f984f9232b3cfb86c48575cd527dcc893ff8d931d552820c20fa340b5c60c88ecd064ab4a6fe0513c

Download Submit
C:\Windows\SysWOW64\Fcdbcloi.exe

Filesize
78KB

MD5
2b8d8f7a5975d0c9b7da988362fc8a55

SHA1
e235c2ad18723507a5d7b12e2d6132fdcc795e90

SHA256
5cc9ac642e08df8821658b1d1772700f47c3172f0e95ba2e53467b366639a4c1

SHA512
e0d5f497b3a57a4e6fded137d63605b409dd9890fea5748407180b084d7bf718b9ce24924b05bfb85a34845b1be336d4024467835778b53835c7273b8097b6d4

Download Submit
C:\Windows\SysWOW64\Gieaef32.exe

Filesize
78KB

MD5
44689a9332f8a8893421fd5ae0752486

SHA1
dd39c140b7e5a94dca5d53e430ea802015c5d014

SHA256
533315eded7f4f6df42f73e3b42a404a1444649080388f1690778a32644c99ef

SHA512
cd39f8fe8d402d7b40a8ed5622aaf54064c6a67cf1ce254eed626528832f3a59c875968fefd2e19f1fb9bd7ac811aaa44d95792ff21544d8ffedf0a4d165fb66

Download Submit
C:\Windows\SysWOW64\Hginnmml.exe

Filesize
78KB

MD5
5999eb93b9346e725199329c58a4cb72

SHA1
092c9967886b2312a27294b7b2227317bbc5707d

SHA256
0a109e89f6c60227e6aac19dbc2c384d0f301089c27f61dd3ce0f13cad4cbef5

SHA512
44a7b295a5a7f935cab2f828b315338d428532592bf3269d266b8d9835e282c67c9190f2d84cb9dff369e4ab2c1a25fc18e34f15ac48562eac09e76e77fe7a8e

Download Submit
C:\Windows\SysWOW64\Hhdqma32.exe

Filesize
78KB

MD5
23d138a150248a21aabde01c52773417

SHA1
509097d961b802d6924024e7827dac3b8dcf5556

SHA256
99eb10fd93d6b531b34fd02c80179cc695fd0dbeb90ee6e8f271781fdefb6c7f

SHA512
358d443c29b2e3278e6bb3a60726497521dba482e062e8c4d6d0697b0516e9cb6deea3f58c2b803c702dcb4a45293f0f15698385198984932cf8b2af894b731a

Download Submit
C:\Windows\SysWOW64\Hilgfe32.exe

Filesize
78KB

MD5
3723a3d02a4da06f2cd573f06791a142

SHA1
b07fa6bb79b8afb0380cdfb7096e69833e85884f

SHA256
39b2af1b61b50154a25fea9ce0a4920fd567ff6eec76e4bc59bd282f74f6b932

SHA512
955a27ac914b548c1f84db9bc26d9c35bc692659d1e59eb9c86ab55dd1069abc3e6e34eae80fd8173ad3d418aa5549c182001c58a45baeeb77a8ffaa3f24ba71

Download Submit
C:\Windows\SysWOW64\Hmqieh32.exe

Filesize
78KB

MD5
a40765ee6206d72955d33646d7cdea32

SHA1
82227713f32e0de6a4e53a57f1ded6776cee4ed3

SHA256
1dea62251816059f8fce251ba66f8b3397bdb976c01e61edc4190534b0feb527

SHA512
0704863604504bf42c3832f277118a43711711623c7ad0dc580789c3ba3be9124a398a902d0de07c87c8ca231a8d65d4615d4f74f180243b36cf1d24d37ee3eb

Download Submit
C:\Windows\SysWOW64\Holldk32.exe

Filesize
78KB

MD5
1f32ff65c9af0fbd698157e31b7ba97d

SHA1
b6a7a09f37cb9afc63739e107307c71563799766

SHA256
6089ad9be5de43dc3f10cb3db50b58367a6917ad5bc5f44f6b66c02fbc4c828a

SHA512
b825572cae839ddb968de8cfffae6373768513e63f76c50916c227fb3848a52ee81f46ab3e1671c232d3f01b36dfa26ff2a0e4fcc7ffc6503b7faa21ee41a006

Download Submit
C:\Windows\SysWOW64\Ialadj32.exe

Filesize
78KB

MD5
cf0ad1d1e3213addc04260e0b4788a7f

SHA1
948e881bd6141f192537593c1adcd20d0d25fb93

SHA256
a6058d39c3c7adfe33ea208909fea65f8bc52ab2bf5e3d05a7881a70e009189d

SHA512
d17eb3a65b6d2970a6b4c04a8f7e32cc09fc0e3e72f4c644bb478edfc31e7fa52d5ae9f1ba7a3839d9af3a03e0c0c9a19e837216ba6a98b4e4b94466eabaf7b0

Download Submit
C:\Windows\SysWOW64\Igpdnlgd.exe

Filesize
78KB

MD5
4eefe4e1b008dffdc1d0a8fb8beaf80c

SHA1
f76d537f805d0bdd084717aab6ad03b2b79ed69e

SHA256
41dc428613bb13c27d37ee9bef671ca45ba5a6c9f01ae4842d3a01cc995946c9

SHA512
c72de33eaf84fdbeadf5a6a3444a2312165dacc182f6d92da2e275ae7cb08a61b7e865cbf635f7c3f515349d67065ab15280c8ae84ac1f9a856bc56d9386317f

Download Submit
C:\Windows\SysWOW64\Ilmlfcel.exe

Filesize
78KB

MD5
9c306c985e355962ba2000f20e087e20

SHA1
033a707fa56dd4dd70b73685fffc65a2507765da

SHA256
b79d0b37058e72db1834d6bef37e3a9e9daf2ef5321dc39208906643d954d608

SHA512
77d23dc60b36b1a080552c93dba51708a4ca68163e768e045445648beec95bcce8f83db352f720581ddec092678a128bcfe4cb01fa314ab2a0ded39c02d781d0

Download Submit
C:\Windows\SysWOW64\Iloilcci.exe

Filesize
78KB

MD5
1e87eee3e122808aae6d0b16cb847c01

SHA1
83f3a7208d46881cf3a7843d15df9f41d1f4a2cb

SHA256
8c9ca0e72408361292fdae78a646812a23b91a1348be304b86e7729868e3ca1f

SHA512
358e77c47048a269e5a65e30f3dd57beda22ba50ba385fbe283dcdc5ab145641687db6b2059b2433386e93031af2e663d226d4252c9a60fae61f94071fd844f6

Download Submit
C:\Windows\SysWOW64\Jbcgeilh.exe

Filesize
78KB

MD5
0ca81cd009d287bfee270dce754ccb39

SHA1
4bf5952dc38a34d0040e645c655cda390050f077

SHA256
92c5a1459e51d292321fdb420e6e9cd7a441505d7a26b862c52dc9727ea0143f

SHA512
94da8c96674fd6aa87ca9e535fd6ba6510dce2e2674177008c121b7d5f0e6839f1ec8675b940fd6fd0810a6ad00d5e1ef415a2308f22fa7442b2271bab183751

Download Submit
C:\Windows\SysWOW64\Jdmjfe32.exe

Filesize
78KB

MD5
8ca77b21da38d66480d34eded0d1d0b0

SHA1
107f855a3bc155c630403226dbcd96f3669ba757

SHA256
3d41f13250588b38a2646dd77e7ce39e0707bac2ccd19dfb3073b24b1bbf025c

SHA512
6aa968fc5a7a368f5cc6c1ed99456885a5b1a2f197530a9327da165bd11645692f5ec677da3175caf0afc46e5834aee90389e5c81b0ce19de227c9d1f91ea9b7

Download Submit
C:\Windows\SysWOW64\Jdogldmo.exe

Filesize
78KB

MD5
5215882a8617787cdb6b138fa7f7c805

SHA1
d719fa90a757bd1dbd406e4707c3da744f61a662

SHA256
4ee5872d787a9e4566b9ebc58a4b0620e67b3ed1615f6d35df78bb4a0f451011

SHA512
1fb8b28d56f9203d03ba22f95a62bdc50d19b439684acdabc8f035cc3fc55d4c19a1fb231916eba021190294fec12c002ba33ec9e50277db1f0e8a0dd4eb297f

Download Submit
C:\Windows\SysWOW64\Jgbmco32.exe

Filesize
78KB

MD5
783c5cdec66817ad645249be8ae2ac6e

SHA1
6a866bf4e0c4f334a84e88842107f357a34c6ce0

SHA256
ba06984be56fbcd449a583ba90d80fe564221a99a7b547bee512755ce96b354f

SHA512
68b3e89a18a4b12fed674985ffdde02dc8ed9762f03bba2ac2138d7fd11ac7de873aaa95b286eb711fd1f483411844ce78087344c282d979388b558106af7b34

Download Submit
C:\Windows\SysWOW64\Jkgbcofn.exe

Filesize
78KB

MD5
678d96a1af265b8d42c29906303e8497

SHA1
4a1b6af4735a14d644d9af29059b118fafbfdf58

SHA256
b82391df5689960464c1a6d5feaaa5822a4b52e22d8e353b16a272443b336671

SHA512
ef9b464551066481a17712f7e5fa8f98cda4a0f043a95ee01d871d4935d2e5a10a789cec16c7f2077bb20c98cdd78415c771c31446add82a56e837d259d7d4f5

Download Submit
C:\Windows\SysWOW64\Jnlepioj.exe

Filesize
78KB

MD5
87f8dc1c2892c88b31d7ff9ec9abe94d

SHA1
889b5aca491fb610dc633d32355a7fb10a65cf5d

SHA256
106c9db5b9dae36da8584b62623de469b832a0a741e973370fda7e07e0df0497

SHA512
bda1e2618790acbf820342878ce1c5f64ae4154f9dd734ed352e4683de9d62ac7a91a2fc3c4c9c1839d5f523cd4924dd3d11354257943279ecc2fd9931332aac

Download Submit
C:\Windows\SysWOW64\Kcpcho32.exe

Filesize
78KB

MD5
036b98c5d0f828f519f81351d72efcf8

SHA1
4174813484087f4fe1f12fb9a6fa699136f402df

SHA256
cc03eb02a3b59e12bca57217710c6ea6e3d1548b23f22ab7802b1b5210a52332

SHA512
28f06afddf937404cd248111df4e99f1abe2a161cfa13dfe0ded6132f26fd8051e9e8b9fd3aa4c9ebc936afbac25bf8c020183123c3d6052398c8b4101a497e4

Download Submit
C:\Windows\SysWOW64\Kimlqfeq.exe

Filesize
78KB

MD5
ba92fb364ee1a9d612787fb4cdbd8f0c

SHA1
5884bffa0f910df800e8fe12411fd41173f25a91

SHA256
90d8c8f5edb5d69e09ee719f7dfc21411168c49ed3f39bc1f2702f679f7ccb8f

SHA512
69efc849549ca800127d949a0a8faa903da135f4f98e582a399cf52711b0134b37f704c63cfe208e129a60fba4ab40d604d78cca361e7e836a4e63ebcf72e99d

Download Submit
C:\Windows\SysWOW64\Kmfklepl.exe

Filesize
78KB

MD5
6594abda568aca48b00270f2c3a176da

SHA1
a829ec4cc46696591d6ada90d256257aefd3376e

SHA256
378787908f8e3c3be2cbd14ce58893c0c8cb2193f763f09b278b5ebb51ccc6e2

SHA512
77ca4476e3c8f916853d31b431283005f0797acc34acbdf4e8310ef1c438b23e90dd333ff564dda546d1b5bc93c393c51693215aebcfc108f9fbf29948be0707

Download Submit
C:\Windows\SysWOW64\Kopnma32.exe

Filesize
78KB

MD5
e830bd57da1cf08583851d2b13af1b82

SHA1
db931385786d8b18c47ae4ad15755fa27145dd88

SHA256
61bd8f9c4a8026bd10189652331ec2925825c217b25e20b1d3db485df7074a8f

SHA512
ef23138c3556a8ee1d25d6bbf1087083fc01cbe517a1ed4c56526ea02c91b810e62410ce05d06d37437ed6631837970e7488038732d08bc79cb8d687a38e6a0e

Download Submit
C:\Windows\SysWOW64\Kpgdnp32.exe

Filesize
78KB

MD5
b738c8eb56b4e552551b9895f638e405

SHA1
d9cec5ecd73062a85ddafdab97fc2864ff2cb14e

SHA256
aa41eb12c632cbc2ad50018683985d556feec0aac1bddc204b0b1fd5b008a46b

SHA512
54caa6bf8ace2616068fbd564e9019592fceae6610be6c426f98bfa6d1fdbef91d9429cdff97e1d0aad9c75ef3069cd49a89f3cebf54bb70931d5a01a9cfa0cc

Download Submit
C:\Windows\SysWOW64\Kqokgd32.exe

Filesize
78KB

MD5
1bdaceffea1bab982ffbb681ffeb117f

SHA1
b64cdcc0d521a52ac6a46d697995dd5bbc498435

SHA256
d63921864bcd39ae3ed9cd6839b7a17315725e7e192c411a641314f30538f111

SHA512
8f45fdb4c7e88861bb0b688a2e76ac90eb12fe38710d6548cb5e4793b875dffb3e99c8d9452d4bf442d3b636002414364deada28216f759608531d5c05595dce

Download Submit
C:\Windows\SysWOW64\Lbhmok32.exe

Filesize
78KB

MD5
adf6b235560fa2ab7b024e6cb6013dc9

SHA1
175020620b46e5caf5ee5d4dba669c9f8fb37d0b

SHA256
fb877ab13ae9d7d7d1ca1b5188e5159b9b0ebf34582bd8cf972cdb6e7016246b

SHA512
9aa6764871abc6c2fa390e520adb705ac8bf680824d71299b17bddf83ec521daed3c546643b0534dfddf5dd50f67271eae862ac4d8a327e33074036a350a8cc2

Download Submit
C:\Windows\SysWOW64\Lcppgbjd.exe

Filesize
78KB

MD5
91b20fc47d6a9620020a43ac0048ee97

SHA1
a51d6f0863c30a0ea9f27a23c54b1dd14e617d4e

SHA256
41efc6872870d4595151b5e891f2b6191bf1f485b565e6e4a931aba41766ce24

SHA512
49171edc7c96388782d23fc80cc2ed3acc200afb2e7174ac422a4e9c1d1e3fad50bfcca48e6c8a798f9933bceffd6e1650db810e2dc45f55089b1672c7703351

Download Submit
C:\Windows\SysWOW64\Lgbibb32.exe

Filesize
78KB

MD5
b5bf5d71d8f13242c5de02820c62f013

SHA1
8bd53999cf913223cd4b105591230d6051b16bee

SHA256
0a416a090b1796ab0a67e9abf453c119a84b25c595bbf4155deacc8ff846899c

SHA512
d7f067b513e1f716be926a860a4999929d9aeaa1ad25e4e732c837c5e51b0f6523eb6ad6f31cd03f9cd1ce9add7b6e176d78116e929482b54ae71adb26a07652

Download Submit
C:\Windows\SysWOW64\Ljcbcngi.exe

Filesize
78KB

MD5
e24a3576d987f07e0d18552a29855771

SHA1
5b74884b5582d5ed894e3ee19992e5657b6f0d33

SHA256
a9cfcbd63c931c6e771bd7dd3da6fd78d97e1f1b59e59f53cb693015628fb51f

SHA512
991d9e13bc2f72aaf61068a8d3d1536e329cc6895aae34189c5244a85ad701bb8639453f98b21b4b619af1a7810a38f5fee4ddcbd55d1390840e2d343fa4cefe

Download Submit
C:\Windows\SysWOW64\Ljeoimeg.exe

Filesize
78KB

MD5
5d4661520966117450e351c685cab530

SHA1
52d4207fe430869f89620deabde2c240b66157bc

SHA256
36ec88f5344a3c0954d6ced7e18095ec1509b295fa44da8e01bbc321947eb549

SHA512
788034f74aba34a5367bb22317c3dface42ff4b1e9605b7444ae1bf768e2adfb57fef769b09f7ae37ee503c7e26c576e7902473902adab578c63146aa07cb42a

Download Submit
C:\Windows\SysWOW64\Ljgkom32.exe

Filesize
78KB

MD5
9eaed03eb6abff6141aaad31a8426396

SHA1
65a5717d207339af33c4c8f36710d15f058186c8

SHA256
16b278a4b80e9682aab01ea5e017564de9870e6c67a728a249a03637bb7eb32b

SHA512
2278f92974e5f4560fbceea1b00fdd9d0c296d88c4bc9fef55dbc80de30de056431fcec235180049ede833d44eb62754b016305e4174a377ee1b07e5930ad5a8

Download Submit
C:\Windows\SysWOW64\Lpgqlc32.exe

Filesize
78KB

MD5
3e35b4509e409854404eea219bf82255

SHA1
6085b99443a8cbadc1fdf2ffa6fa62d684154e64

SHA256
a85332cff575d2aebeb52358cf3d41eb70b11da78a4735e4872b3e876c2ff9cf

SHA512
9e1b8a83ca6c55662dd1dc090656614ee7cf7981a8667e1489a3cec0b8875fac4086af6ddd0bcd82e990b99430dcd5451a3738598934470dc7d49a6e0f5395d4

Download Submit
C:\Windows\SysWOW64\Mbginomj.exe

Filesize
78KB

MD5
130bdb58e66f1297a6edf25e1938b174

SHA1
a1d9507e63038a14b7e29365540521d4b3e906ef

SHA256
84554d1678c04960ef99e82e21461aefee9a82270b43c7e3956ce5afe1d12c9c

SHA512
b2d1d526084cb5ec2434f88653d54b7a2200b812b75e34d1e213783d50a97fc7fc4157da47fd86df70da9e3d3fedcc7e05e4358dedfd33c684e0e97960d60d38

Download Submit
C:\Windows\SysWOW64\Mjlejl32.exe

Filesize
78KB

MD5
5ba255c8a611c9a8221699337db8cac0

SHA1
81692d259fd1c678e2757662b4dc8de4622ab85c

SHA256
efcbb859aa801590eae9ebd9a66c30fbac0ef31984b516f4886adf32fff8f628

SHA512
f8fd7968a8b7173245839681acc5cca31f3d937d62c3064891d8007cd3bedb7b6d6ddc5feaa8eb73cede7f28ad7c50438799362c98f6fc4ed41da1b30917bdda

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
78KB

MD5
56855d974fe20aed53c26c6861586bcc

SHA1
62fbbed2aa5b133265b21066a52dd68752a3e55e

SHA256
f4be9d6988bba54211ee32f07fb0a8ad5b81fa59c7c6bb56a1701aed2a11854a

SHA512
4d5695cb2ff5bc7d34c94723b1d3aade15f2dc4727fca2a002431d42b945562d0d9393c1fabfb74d30f5d87847b6a6bb1f30cf7c0c20b1c5d9d1bca72c1cde89

Download Submit
C:\Windows\SysWOW64\Ncjbba32.exe

Filesize
78KB

MD5
0e1d0a45941970a351ce3c111fb10a0d

SHA1
435470224f84ff099607cb6ae7150ff547b76485

SHA256
a435174dc7aca620d53b29fbc8b7954df8a9d676db33d56097ec8f08b994ee57

SHA512
d6e358f3e04a698412e8fd9410fd94507d925e9d8bedb5362723315273f5a36b01cf465d756f84e0f93aee89e826f7f61f408bd8d00ee09bbc62f6faa6ea592a

Download Submit
C:\Windows\SysWOW64\Nddeae32.exe

Filesize
78KB

MD5
e7a818c4a830958af4220e6e0ff517e9

SHA1
44471609fd992d310d65fc05119e8ddd3bde6fa7

SHA256
4cd7c11d5cff5218ae3046c22cb3024bf38a3bf1aabd837154da1bebc5466091

SHA512
f9ea57d140f5a041b2d0211486012a631a24ee167a1f27852b4110743e0ef7f937f3baba2b17dc85c3c33bde6e0fd5262587b0cac6431ed6dc2fd66d7512d152

Download Submit
C:\Windows\SysWOW64\Nggkipci.exe

Filesize
78KB

MD5
94cad52cffddee4723f4d9ed3f88f9a1

SHA1
a9f24e7dd43c5b61d27ef5d91b4897af7bb0d8e7

SHA256
f1ed1e1bc351514ada2b2b7c597832a36276d3229df89dc04fc834316748b663

SHA512
7acf2591f0727bca951b474bc85b284d5d459f1bf71e97aa8e7d5da9a553b3ef296264b30a36f9ee6e6b51d8321c79923c59e9746151c2b07bcaac164c45fd02

Download Submit
C:\Windows\SysWOW64\Ngqeha32.exe

Filesize
78KB

MD5
4f166c84ecde689ffe30ad961c643039

SHA1
f611ae9aa7a78fb585aa4f500f4a3ceea27dc1fc

SHA256
60fa14343315c12e325d1d4030e2b7b631634159331b2cffd49637c8b619e0e8

SHA512
82954b361d990bfabc3a006a0f542ea0d0c72fecfb19fb81e8b85f9f6bd62866f5e2805e460e53471aaae0440925431ca08f1053201ba5373fa7620d30ddff13

Download Submit
C:\Windows\SysWOW64\Nkjdcp32.exe

Filesize
78KB

MD5
2a73b3442b2cadfed483a6e8da4c60c5

SHA1
0edf99dc45c9b7014be9f0cb0be36c093aeab986

SHA256
7f729498da08978eb631afcb13cff5f0926a83e60e8f6389b75be93a3115a427

SHA512
da76df335d1c285a3eae5a6837999156d6f2ab3a4a61382fa4b55f211eefd38a7c37798795f9665cfbe4d51b451947c26c6b711050d9c278d18ef4931b16af1b

Download Submit
C:\Windows\SysWOW64\Nmacej32.exe

Filesize
78KB

MD5
c512046eb9bd3875e78c15f5371b9162

SHA1
00d7ff6d5f229e5eb98e00a1b57b773369781c7b

SHA256
042d5b9a6f03f78877015ac3df7792391599a2110efe7af104baf2f35e976a11

SHA512
52392f47dfcf5c3438356c09875ec248a96081f3bec74b7ee9ba8654968f2e0b3fec6bbb0d156e54f6c9753c97e2616c8a4463159554eb7ac915be81d5c3e30d

Download Submit
C:\Windows\SysWOW64\Nmjmekan.exe

Filesize
78KB

MD5
c4498b552be0fb8e608496e99516274b

SHA1
81c4ac9c9d7593d46a063811b6b5f682ffbe9706

SHA256
5c348e9526a0bc671f5b071899abe99bea6f49575a3670c82594baa86349f626

SHA512
b87579f75047dda1e66bc89e21f18ca96d6d5379cc537463719c2bf9bde76782a1adc1b677bc299572fb31b6d591f40bb81721835b0c89aa31725c7752877f06

Download Submit
C:\Windows\SysWOW64\Nmmjjk32.exe

Filesize
78KB

MD5
881e5f032e2e4c36ac5b3bef27d6906a

SHA1
72591d440fce054a2700d927d0675f2096722aef

SHA256
aab1568500841e95b0e04a8904ad4b04633c9c5ed1960c7831a8c9e59f8cf429

SHA512
7af3c8a9ef5f3378dbd2a0bb5340e56f7e3450470e74f6b97ec05fd3a3623d1d15e49323a2d59ebd0defbbaa1421d6d16482352bbad3a1133418b675cfc8aaf6

Download Submit
C:\Windows\SysWOW64\Nmogpj32.exe

Filesize
78KB

MD5
47d5b193346ca0536461902006615d2a

SHA1
0dcd55930aefbc627d9123bf5a372c6b574f1aa0

SHA256
39c78827a41b63ce42a0b8fcf088ada22272c678a8cc46a6274cc88b316f5d7a

SHA512
be805e488872249ecc0dc3ad54804474b810f1fb153c919b54d083e8f9ea061a859a71dd015cbd24c07d539670ef668bde4ca88d4eb3cef25f8038196cddbbe3

Download Submit
C:\Windows\SysWOW64\Oemhjlha.exe

Filesize
78KB

MD5
69ee2b445796c1bfe2051dfe3a4b4f25

SHA1
3a81263c3a0e885eedccc256fd6a87b6d0c81369

SHA256
e2454df24688afa32e3a80ac90e0d96ca2dec0fdd43d4ddbba2036ea8ec527fc

SHA512
7941f2a26729b41f6357b1ad21bda48d299d30f49fdce8e122c60d48503263e7d335be53dfbeb0796149423c38833513ba467b5df7d3d8a04ad79b6ffc66e021

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
78KB

MD5
6996ceaf19f80cd012365d5c4fa33afa

SHA1
019d142c8b5047bd9a6ee756e2659fd9aec80abb

SHA256
121be4924ecb36b9ce5fb05e5fc3730b0531936ba3f3cb0df04b76ddd8bfd84d

SHA512
9fe1932bc5128feb0de28e88e67b6fa5ce557d477cc617e9294cf73ba3582762051a3ad15b993f540f19767271bbe2b9031bf554ed58f5d2b4d86a460fa83db1

Download Submit
\Windows\SysWOW64\Fcilnl32.exe

Filesize
78KB

MD5
55186f83986e30488b4eb3417d3256c2

SHA1
1f193a21146f9e6e659794d38ba45687e9983521

SHA256
9a4fc8f0ac3d12db7b14ee3d10087455460934f28eefce06dc1793b7f0c16909

SHA512
29aa967068fe2692e275a406a2aeec6ad359299b98325178275e1da0b3ab9a18838e43524da44456914cbfe535b0e7005c62c750c1f7b0ce4ab892aad6c7f2c4

Download Submit
\Windows\SysWOW64\Ffeldglk.exe

Filesize
78KB

MD5
f6845e62da7bee0cb291071482e25b20

SHA1
adb23881c61e15dfd6d05892f1e858041f04082e

SHA256
aa0b048cad0896fec93a6964f9dae915314a88a92473d0fd98e0aa14d7298268

SHA512
ff7720b4669860b5f8ca1c76f47e4230615800935837291bfc58ac1f35d9d5acbc90fc004fe21d7b5058d05d1e30f86a9c1d4e19ad0b58768a44b26a0f2ad218

Download Submit
\Windows\SysWOW64\Geaofc32.exe

Filesize
78KB

MD5
7d95ebf81795f4849be83b3c90f0ac06

SHA1
5ad0440fe0340733e5ab2a95ece751952efc101f

SHA256
a08f197201df996683924563cfde42acf445cffb4afb0ccaee086c282a33a551

SHA512
0f86b9887fd96d622526b5acd880d6c1c2b66c64bb865459b21fe6d85cf48faaca3931db5630f5b144a8042a80103113b8576167204ef35245f021d76c2b2307

Download Submit
\Windows\SysWOW64\Ghbhhnhk.exe

Filesize
78KB

MD5
b8daabf0142517bf43a2dbd3e20be479

SHA1
2dd7f2edbb64ed8541e7a8323ec2443e7652e2f8

SHA256
3b5774db4a8447f61a53bd6ef8c16a6a51cf319a29e87492089e0a5806af27c6

SHA512
6375b7cefee42a88048b9b209ec4f972cc6156af8c47a4672553aed5f155c05f6fb339f2f245e2e28e9aaf84b15f724e9d50cff78d94ddef2605958a27ff3e7a

Download Submit
\Windows\SysWOW64\Glijnmdj.exe

Filesize
78KB

MD5
b4b1c7efd2907084719a36cf8fa0a608

SHA1
d696a5d620a23d2fc0bbb6676b19613ad540aa7c

SHA256
368f901fa8e24c746ec10f44c591a4b0e828d9631643b075200de43376882222

SHA512
83804c44e034a81f07d88ed34e281b61ec4cf088b04666bc68e396d5d73b9d64b3c6fe7021500623c018b95763ef2dc5cace4cfac574013158a158ba35b7dffa

Download Submit
\Windows\SysWOW64\Hmefad32.exe

Filesize
78KB

MD5
0b4c1768ada0bc3a17abe74153b6b8b8

SHA1
4f7eeabc15a832cf482eb86bb1b90b884cbbb900

SHA256
7c237cb0a523c506655711b6f1b8b3807bfb7d8a0f5c9a21c80006bed19d0b5d

SHA512
b1363602a89447ad67c31c4b583ae394262df845f5e062d7458a6c944033da0607374f41557d3d53c1924340b41b29d204110e8295b4955ea4aea5febd4af929

Download Submit
\Windows\SysWOW64\Hogcil32.exe

Filesize
78KB

MD5
74703d89b2ba0d6c845293338f8307ed

SHA1
88acee7500b3a4ed153fabb6b1a2afb90ddafbe8

SHA256
0d9829d9c7c3c8dca8b21dc907209239d7da07872f2bb9a6e6741f4e443a0445

SHA512
f814d67de4c60a94366ad2516d1bba2d73e35768eaf7905a6d2acd28182d5d439fb4014a2859990216b21eef09c8478f4fed516995e927b480bbf1b932fea4b6

Download Submit
\Windows\SysWOW64\Hoipnl32.exe

Filesize
78KB

MD5
11f87304467ee53abce3e11faedaa4c7

SHA1
729fe273c20b16933dea5252ad171740d1743fb5

SHA256
f58d03f99ce740786d5d34cd9203e70ae88bb9a8c1c252941542441756a26347

SHA512
6dedf77be74cc992d01c2d70f47c4dca9768906cc63b0eb0ea31fdae6a0e784917495aefabbed65253590ffe58a3229be8305a40e2284d22afeb217a23438799

Download Submit
memory/112-239-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/112-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/112-279-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/112-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/584-13-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/584-12-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/584-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/584-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-352-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/668-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/900-248-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/900-283-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/900-287-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/900-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-246-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1080-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-179-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1116-360-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1116-325-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1116-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1116-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1116-329-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1228-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-258-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1228-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-297-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1544-296-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1544-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-259-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1692-210-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1692-139-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1692-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-146-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1784-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-318-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1784-268-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1888-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-113-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2452-182-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2452-101-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-83-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2712-137-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2712-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-145-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2724-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-290-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2728-383-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2764-99-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2764-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-394-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2812-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-351-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2876-373-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2876-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-49-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2904-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-35-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2904-41-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2904-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-337-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2920-341-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2920-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-377-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2920-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-361-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2964-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-365-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2992-162-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2992-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-161-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2992-222-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2996-70-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2996-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads