6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
Size

95KB
MD5

d99441def7cf77633f7a19d063f8c4c0
SHA1

2019a0372d8f2bfa8ef573e6ff4a1f10914e2964
SHA256

6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8
SHA512

5134c902b601427cd24622531abc4c4d155953877252d01286a8f3ea536752fef9b99fbca17aa848090473747239fcc81f0a2053fa5fa8373a9fff0ea984042f
SSDEEP

1536:64KrzSbXbCJL5mGjPCXsOW2pyORw7NZ7N9goBqEfnyC+91qOM6bOLXi8PmCofGV:6DzSTSL5mGjqXsJBZ7N9go9fyC+DqDr/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adcobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnbbjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgdbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emqaaabg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqjfgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkconepp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbfcoedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aekelo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emqaaabg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eelfedpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbgdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkconepp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dicmlpje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcdmikma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcohh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgdbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjifpdib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Happkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcifdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiglfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbbjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flhkhnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcfioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Happkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dippfplg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnbgdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blcmbmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blcmbmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aekelo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhjcing.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhljlnma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eelfedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeflmjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkpjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpgee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pikaqppk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alncgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alncgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbblpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eccdmmpk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eagdgaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpagbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppcmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aefhpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkhhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cqlhlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjifpdib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccdmmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eagdgaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flhkhnel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngoinfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcohh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbhpddbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeflmjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhnjclg.exe

Executes dropped EXE 54 IoCs

pid	Process
2220	Mbkkepio.exe
1480	Mkconepp.exe
2764	Nkhhie32.exe
2724	Ngoinfao.exe
2660	Njobpa32.exe
2636	Oiglfm32.exe
1236	Oiiilm32.exe
2940	Onhnjclg.exe
2488	Ohcohh32.exe
896	Phelnhnb.exe
2964	Pdllci32.exe
1368	Ppcmhj32.exe
1496	Pikaqppk.exe
3020	Pbfcoedi.exe
2404	Qbhpddbf.exe
2148	Ahgdbk32.exe
744	Aekelo32.exe
2476	Apeflmjc.exe
1664	Adcobk32.exe
2248	Alncgn32.exe
1008	Aefhpc32.exe
848	Blcmbmip.exe
2372	Bkhjcing.exe
1484	Bhljlnma.exe
2084	Bnkpjd32.exe
1728	Cqlhlo32.exe
888	Cjifpdib.exe
2980	Cfpgee32.exe
2292	Dippfplg.exe
2256	Dicmlpje.exe
2744	Dnbbjf32.exe
2736	Dndoof32.exe
2624	Eccdmmpk.exe
2696	Eagdgaoe.exe
2328	Efdmohmm.exe
1576	Emqaaabg.exe
2688	Eelfedpa.exe
2896	Flhkhnel.exe
2464	Fokaoh32.exe
1796	Gpagbp32.exe
1640	Gcapckod.exe
2380	Gcdmikma.exe
580	Gcfioj32.exe
820	Gcifdj32.exe
1960	Hnbgdh32.exe
2384	Happkf32.exe
2472	Hgmhcm32.exe
1772	Hbblpf32.exe
1984	Hkkaik32.exe
852	Hqhiab32.exe
2072	Hfdbji32.exe
2360	Hqjfgb32.exe
2700	Ifgooikk.exe
2448	Iqmcmaja.exe

Loads dropped DLL 64 IoCs

pid	Process
2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
2220	Mbkkepio.exe
2220	Mbkkepio.exe
1480	Mkconepp.exe
1480	Mkconepp.exe
2764	Nkhhie32.exe
2764	Nkhhie32.exe
2724	Ngoinfao.exe
2724	Ngoinfao.exe
2660	Njobpa32.exe
2660	Njobpa32.exe
2636	Oiglfm32.exe
2636	Oiglfm32.exe
1236	Oiiilm32.exe
1236	Oiiilm32.exe
2940	Onhnjclg.exe
2940	Onhnjclg.exe
2488	Ohcohh32.exe
2488	Ohcohh32.exe
896	Phelnhnb.exe
896	Phelnhnb.exe
2964	Pdllci32.exe
2964	Pdllci32.exe
1368	Ppcmhj32.exe
1368	Ppcmhj32.exe
1496	Pikaqppk.exe
1496	Pikaqppk.exe
3020	Pbfcoedi.exe
3020	Pbfcoedi.exe
2404	Qbhpddbf.exe
2404	Qbhpddbf.exe
2148	Ahgdbk32.exe
2148	Ahgdbk32.exe
744	Aekelo32.exe
744	Aekelo32.exe
2476	Apeflmjc.exe
2476	Apeflmjc.exe
1664	Adcobk32.exe
1664	Adcobk32.exe
2248	Alncgn32.exe
2248	Alncgn32.exe
1008	Aefhpc32.exe
1008	Aefhpc32.exe
848	Blcmbmip.exe
848	Blcmbmip.exe
2372	Bkhjcing.exe
2372	Bkhjcing.exe
1484	Bhljlnma.exe
1484	Bhljlnma.exe
2084	Bnkpjd32.exe
2084	Bnkpjd32.exe
1728	Cqlhlo32.exe
1728	Cqlhlo32.exe
888	Cjifpdib.exe
888	Cjifpdib.exe
2980	Cfpgee32.exe
2980	Cfpgee32.exe
2292	Dippfplg.exe
2292	Dippfplg.exe
2256	Dicmlpje.exe
2256	Dicmlpje.exe
2744	Dnbbjf32.exe
2744	Dnbbjf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkicij32.dll	Pdllci32.exe
File created	C:\Windows\SysWOW64\Kcghhg32.dll	Ppcmhj32.exe
File created	C:\Windows\SysWOW64\Flhkhnel.exe	Eelfedpa.exe
File created	C:\Windows\SysWOW64\Caqoan32.dll	Gpagbp32.exe
File created	C:\Windows\SysWOW64\Hqjfgb32.exe	Hfdbji32.exe
File created	C:\Windows\SysWOW64\Ifgooikk.exe	Hqjfgb32.exe
File opened for modification	C:\Windows\SysWOW64\Mkconepp.exe	Mbkkepio.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Oiglfm32.exe
File opened for modification	C:\Windows\SysWOW64\Onhnjclg.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Cfpgee32.exe	Cjifpdib.exe
File opened for modification	C:\Windows\SysWOW64\Hbblpf32.exe	Hgmhcm32.exe
File opened for modification	C:\Windows\SysWOW64\Mbkkepio.exe	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
File created	C:\Windows\SysWOW64\Hgmhcm32.exe	Happkf32.exe
File created	C:\Windows\SysWOW64\Bnkpjd32.exe	Bhljlnma.exe
File opened for modification	C:\Windows\SysWOW64\Efdmohmm.exe	Eagdgaoe.exe
File created	C:\Windows\SysWOW64\Happkf32.exe	Hnbgdh32.exe
File created	C:\Windows\SysWOW64\Kljhak32.dll	Onhnjclg.exe
File created	C:\Windows\SysWOW64\Phelnhnb.exe	Ohcohh32.exe
File created	C:\Windows\SysWOW64\Pbfcoedi.exe	Pikaqppk.exe
File created	C:\Windows\SysWOW64\Mhgkde32.dll	Pbfcoedi.exe
File created	C:\Windows\SysWOW64\Dcecef32.dll	Apeflmjc.exe
File created	C:\Windows\SysWOW64\Jelcgfbk.dll	Gcapckod.exe
File opened for modification	C:\Windows\SysWOW64\Gcfioj32.exe	Gcdmikma.exe
File opened for modification	C:\Windows\SysWOW64\Hfdbji32.exe	Hqhiab32.exe
File created	C:\Windows\SysWOW64\Ldcenn32.dll	Mbkkepio.exe
File opened for modification	C:\Windows\SysWOW64\Pbfcoedi.exe	Pikaqppk.exe
File created	C:\Windows\SysWOW64\Fdbpahek.dll	Bnkpjd32.exe
File created	C:\Windows\SysWOW64\Bdieho32.dll	Cjifpdib.exe
File opened for modification	C:\Windows\SysWOW64\Dicmlpje.exe	Dippfplg.exe
File created	C:\Windows\SysWOW64\Dndoof32.exe	Dnbbjf32.exe
File opened for modification	C:\Windows\SysWOW64\Emqaaabg.exe	Efdmohmm.exe
File created	C:\Windows\SysWOW64\Hkkaik32.exe	Hbblpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdllci32.exe	Phelnhnb.exe
File created	C:\Windows\SysWOW64\Pikaqppk.exe	Ppcmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Fokaoh32.exe	Flhkhnel.exe
File opened for modification	C:\Windows\SysWOW64\Gpagbp32.exe	Fokaoh32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkaik32.exe	Hbblpf32.exe
File created	C:\Windows\SysWOW64\Bgdalf32.dll	Phelnhnb.exe
File created	C:\Windows\SysWOW64\Feeipfhl.dll	Ahgdbk32.exe
File opened for modification	C:\Windows\SysWOW64\Blcmbmip.exe	Aefhpc32.exe
File created	C:\Windows\SysWOW64\Dnbbjf32.exe	Dicmlpje.exe
File created	C:\Windows\SysWOW64\Eagdgaoe.exe	Eccdmmpk.exe
File opened for modification	C:\Windows\SysWOW64\Hqhiab32.exe	Hkkaik32.exe
File opened for modification	C:\Windows\SysWOW64\Aekelo32.exe	Ahgdbk32.exe
File opened for modification	C:\Windows\SysWOW64\Alncgn32.exe	Adcobk32.exe
File created	C:\Windows\SysWOW64\Gdpene32.dll	Dippfplg.exe
File opened for modification	C:\Windows\SysWOW64\Iqmcmaja.exe	Ifgooikk.exe
File opened for modification	C:\Windows\SysWOW64\Phelnhnb.exe	Ohcohh32.exe
File created	C:\Windows\SysWOW64\Fdkqbd32.dll	Aekelo32.exe
File created	C:\Windows\SysWOW64\Cjifpdib.exe	Cqlhlo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpgee32.exe	Cjifpdib.exe
File created	C:\Windows\SysWOW64\Ecbjdbcp.dll	Hkkaik32.exe
File opened for modification	C:\Windows\SysWOW64\Adcobk32.exe	Apeflmjc.exe
File created	C:\Windows\SysWOW64\Alncgn32.exe	Adcobk32.exe
File created	C:\Windows\SysWOW64\Iggkphll.dll	Alncgn32.exe
File created	C:\Windows\SysWOW64\Eccdmmpk.exe	Dndoof32.exe
File created	C:\Windows\SysWOW64\Gcdmikma.exe	Gcapckod.exe
File created	C:\Windows\SysWOW64\Idkkjpdd.dll	Blcmbmip.exe
File opened for modification	C:\Windows\SysWOW64\Dippfplg.exe	Cfpgee32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgooikk.exe	Hqjfgb32.exe
File created	C:\Windows\SysWOW64\Iqmcmaja.exe	Ifgooikk.exe
File created	C:\Windows\SysWOW64\Coaipi32.dll	Efdmohmm.exe
File created	C:\Windows\SysWOW64\Lkajof32.dll	Gcifdj32.exe
File created	C:\Windows\SysWOW64\Hbblpf32.exe	Hgmhcm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	2448	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdllci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefhpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flhkhnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngoinfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjifpdib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkpjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqjfgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiglfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhnjclg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcdmikma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhhie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbfcoedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbhpddbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhljlnma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dippfplg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcohh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpagbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blcmbmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eelfedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnbgdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgooikk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhjcing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbblpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqhiab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phelnhnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aekelo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apeflmjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alncgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfdbji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppcmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dicmlpje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbbjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emqaaabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgmhcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pikaqppk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fokaoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcfioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkkaik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkconepp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eagdgaoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcapckod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndoof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccdmmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efdmohmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgdbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpgee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcifdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkkepio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqlhlo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happkf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppcmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbhpddbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdieho32.dll"	Cjifpdib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohcohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enqgpadi.dll"	Fokaoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcifdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgmhcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hqhiab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll"	Mkconepp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcdmikma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcfioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll"	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbkkepio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgkde32.dll"	Pbfcoedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alncgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjcfdm32.dll"	Dnbbjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eagdgaoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcapckod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhjcing.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkpjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cqlhlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqjfgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhbihid.dll"	Ohcohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pikaqppk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apeflmjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkhhie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alncgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cqlhlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgmhcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aefhpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eccdmmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbjdbcp.dll"	Hkkaik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbkkepio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldijj32.dll"	Pikaqppk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fokaoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofeeflg.dll"	Emqaaabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdjke32.dll"	Eelfedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Happkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkkejhl.dll"	Hbblpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkqbd32.dll"	Aekelo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aefhpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eagdgaoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emqaaabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll"	Hqhiab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkficd32.dll"	Hfdbji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkpjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blcmbmip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhjcing.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfdbji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agednnhp.dll"	Hqjfgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgdkphm.dll"	Eagdgaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emqaaabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbblpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpgee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caqoan32.dll"	Gpagbp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2220	2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe	29
PID 2376 wrote to memory of 2220	2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe	29
PID 2376 wrote to memory of 2220	2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe	29
PID 2376 wrote to memory of 2220	2376	6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe	29
PID 2220 wrote to memory of 1480	2220	Mbkkepio.exe	30
PID 2220 wrote to memory of 1480	2220	Mbkkepio.exe	30
PID 2220 wrote to memory of 1480	2220	Mbkkepio.exe	30
PID 2220 wrote to memory of 1480	2220	Mbkkepio.exe	30
PID 1480 wrote to memory of 2764	1480	Mkconepp.exe	31
PID 1480 wrote to memory of 2764	1480	Mkconepp.exe	31
PID 1480 wrote to memory of 2764	1480	Mkconepp.exe	31
PID 1480 wrote to memory of 2764	1480	Mkconepp.exe	31
PID 2764 wrote to memory of 2724	2764	Nkhhie32.exe	32
PID 2764 wrote to memory of 2724	2764	Nkhhie32.exe	32
PID 2764 wrote to memory of 2724	2764	Nkhhie32.exe	32
PID 2764 wrote to memory of 2724	2764	Nkhhie32.exe	32
PID 2724 wrote to memory of 2660	2724	Ngoinfao.exe	33
PID 2724 wrote to memory of 2660	2724	Ngoinfao.exe	33
PID 2724 wrote to memory of 2660	2724	Ngoinfao.exe	33
PID 2724 wrote to memory of 2660	2724	Ngoinfao.exe	33
PID 2660 wrote to memory of 2636	2660	Njobpa32.exe	34
PID 2660 wrote to memory of 2636	2660	Njobpa32.exe	34
PID 2660 wrote to memory of 2636	2660	Njobpa32.exe	34
PID 2660 wrote to memory of 2636	2660	Njobpa32.exe	34
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 1236 wrote to memory of 2940	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 2940	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 2940	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 2940	1236	Oiiilm32.exe	36
PID 2940 wrote to memory of 2488	2940	Onhnjclg.exe	37
PID 2940 wrote to memory of 2488	2940	Onhnjclg.exe	37
PID 2940 wrote to memory of 2488	2940	Onhnjclg.exe	37
PID 2940 wrote to memory of 2488	2940	Onhnjclg.exe	37
PID 2488 wrote to memory of 896	2488	Ohcohh32.exe	38
PID 2488 wrote to memory of 896	2488	Ohcohh32.exe	38
PID 2488 wrote to memory of 896	2488	Ohcohh32.exe	38
PID 2488 wrote to memory of 896	2488	Ohcohh32.exe	38
PID 896 wrote to memory of 2964	896	Phelnhnb.exe	39
PID 896 wrote to memory of 2964	896	Phelnhnb.exe	39
PID 896 wrote to memory of 2964	896	Phelnhnb.exe	39
PID 896 wrote to memory of 2964	896	Phelnhnb.exe	39
PID 2964 wrote to memory of 1368	2964	Pdllci32.exe	40
PID 2964 wrote to memory of 1368	2964	Pdllci32.exe	40
PID 2964 wrote to memory of 1368	2964	Pdllci32.exe	40
PID 2964 wrote to memory of 1368	2964	Pdllci32.exe	40
PID 1368 wrote to memory of 1496	1368	Ppcmhj32.exe	41
PID 1368 wrote to memory of 1496	1368	Ppcmhj32.exe	41
PID 1368 wrote to memory of 1496	1368	Ppcmhj32.exe	41
PID 1368 wrote to memory of 1496	1368	Ppcmhj32.exe	41
PID 1496 wrote to memory of 3020	1496	Pikaqppk.exe	42
PID 1496 wrote to memory of 3020	1496	Pikaqppk.exe	42
PID 1496 wrote to memory of 3020	1496	Pikaqppk.exe	42
PID 1496 wrote to memory of 3020	1496	Pikaqppk.exe	42
PID 3020 wrote to memory of 2404	3020	Pbfcoedi.exe	43
PID 3020 wrote to memory of 2404	3020	Pbfcoedi.exe	43
PID 3020 wrote to memory of 2404	3020	Pbfcoedi.exe	43
PID 3020 wrote to memory of 2404	3020	Pbfcoedi.exe	43
PID 2404 wrote to memory of 2148	2404	Qbhpddbf.exe	44
PID 2404 wrote to memory of 2148	2404	Qbhpddbf.exe	44
PID 2404 wrote to memory of 2148	2404	Qbhpddbf.exe	44
PID 2404 wrote to memory of 2148	2404	Qbhpddbf.exe	44

C:\Users\Admin\AppData\Local\Temp\6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe
"C:\Users\Admin\AppData\Local\Temp\6c12835d377b71959b0b0547b8fb41b8d832dad125d52b93494ed75f4fb51de8N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\Mbkkepio.exe
  C:\Windows\system32\Mbkkepio.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Mkconepp.exe
    C:\Windows\system32\Mkconepp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\Nkhhie32.exe
      C:\Windows\system32\Nkhhie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\Ngoinfao.exe
        
        C:\Windows\system32\Ngoinfao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Oiglfm32.exe
        
        C:\Windows\system32\Oiglfm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Oiiilm32.exe
        
        C:\Windows\system32\Oiiilm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Onhnjclg.exe
        
        C:\Windows\system32\Onhnjclg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ohcohh32.exe
        
        C:\Windows\system32\Ohcohh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Phelnhnb.exe
        
        C:\Windows\system32\Phelnhnb.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Pdllci32.exe
        
        C:\Windows\system32\Pdllci32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ppcmhj32.exe
        
        C:\Windows\system32\Ppcmhj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Pikaqppk.exe
        
        C:\Windows\system32\Pikaqppk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Pbfcoedi.exe
        
        C:\Windows\system32\Pbfcoedi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Qbhpddbf.exe
        
        C:\Windows\system32\Qbhpddbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ahgdbk32.exe
        
        C:\Windows\system32\Ahgdbk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Aekelo32.exe
        
        C:\Windows\system32\Aekelo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Apeflmjc.exe
        
        C:\Windows\system32\Apeflmjc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Adcobk32.exe
        
        C:\Windows\system32\Adcobk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Alncgn32.exe
        
        C:\Windows\system32\Alncgn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Aefhpc32.exe
        
        C:\Windows\system32\Aefhpc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Blcmbmip.exe
        
        C:\Windows\system32\Blcmbmip.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bkhjcing.exe
        
        C:\Windows\system32\Bkhjcing.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bhljlnma.exe
        
        C:\Windows\system32\Bhljlnma.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Bnkpjd32.exe
        
        C:\Windows\system32\Bnkpjd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Cqlhlo32.exe
        
        C:\Windows\system32\Cqlhlo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Cjifpdib.exe
        
        C:\Windows\system32\Cjifpdib.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Cfpgee32.exe
        
        C:\Windows\system32\Cfpgee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Dippfplg.exe
        
        C:\Windows\system32\Dippfplg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Dicmlpje.exe
        
        C:\Windows\system32\Dicmlpje.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Dnbbjf32.exe
        
        C:\Windows\system32\Dnbbjf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Dndoof32.exe
        
        C:\Windows\system32\Dndoof32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Eccdmmpk.exe
        
        C:\Windows\system32\Eccdmmpk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Eagdgaoe.exe
        
        C:\Windows\system32\Eagdgaoe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Efdmohmm.exe
        
        C:\Windows\system32\Efdmohmm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Emqaaabg.exe
        
        C:\Windows\system32\Emqaaabg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Eelfedpa.exe
        
        C:\Windows\system32\Eelfedpa.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Flhkhnel.exe
        
        C:\Windows\system32\Flhkhnel.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Fokaoh32.exe
        
        C:\Windows\system32\Fokaoh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Gpagbp32.exe
        
        C:\Windows\system32\Gpagbp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gcapckod.exe
        
        C:\Windows\system32\Gcapckod.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Gcdmikma.exe
        
        C:\Windows\system32\Gcdmikma.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Gcfioj32.exe
        
        C:\Windows\system32\Gcfioj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Gcifdj32.exe
        
        C:\Windows\system32\Gcifdj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Hnbgdh32.exe
        
        C:\Windows\system32\Hnbgdh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Happkf32.exe
        
        C:\Windows\system32\Happkf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Hgmhcm32.exe
        
        C:\Windows\system32\Hgmhcm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Hbblpf32.exe
        
        C:\Windows\system32\Hbblpf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Hkkaik32.exe
        
        C:\Windows\system32\Hkkaik32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Hqhiab32.exe
        
        C:\Windows\system32\Hqhiab32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Hfdbji32.exe
        
        C:\Windows\system32\Hfdbji32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Hqjfgb32.exe
        
        C:\Windows\system32\Hqjfgb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Ifgooikk.exe
        
        C:\Windows\system32\Ifgooikk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 140
        56⤵
        Program crash
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcobk32.exe

Filesize
95KB

MD5
3450f06e30cc25e22076d563077f58eb

SHA1
a7e0957870b86e41315e3e9e63f6088f693b08a2

SHA256
b8dc3c6b0d0cc8a079aed1b2b2999e46934525ec6b18aa971f0bb96dc3c9552e

SHA512
a2b751b8fd31d9f3e40031946386143ea7c2c86fd10168121d7826b83099e6430a754abef77a60574f4c465717a9f146eaeb0770f1dea87dd5d4a50d15bcad23

Download Submit
C:\Windows\SysWOW64\Aefhpc32.exe

Filesize
95KB

MD5
860973dd5ea6755faf16d1a69742ec4f

SHA1
57a9623c8d32f8c0e9c71881d818df88d9590ea8

SHA256
1a3a211147795bb148dccbeedb5a493608c62f41624fd1b6603fa323394e3231

SHA512
9edbc380ac016da5ea738f7b3c85ebf5086f7ae880d4ed53aa8448b4b9291e412316948c41802b1e070d93aba679b628be6bda81a70cc4387df4bcfd0936b024

Download Submit
C:\Windows\SysWOW64\Aekelo32.exe

Filesize
95KB

MD5
8e19249a9adbf35ced7e7006afc8d1eb

SHA1
7e95c5319a463e3edc45d086d450f5463e57c8a7

SHA256
b949a50e51c14c8fdcc618abea3b40544e2cd57288400ba0ed69ca8a20d3fa6e

SHA512
4da81882dc1c5c83684fcfd2a659946a5ce7da5ea42ce1471e30539852b01426a54ae19a5677c2c66e7386b5d5be91c233b9410e11328d934771b56caf822082

Download Submit
C:\Windows\SysWOW64\Alncgn32.exe

Filesize
95KB

MD5
664c78514dd23bc026c8febbc7422a1b

SHA1
58e67744fd0282f1c49e27a2d2592116cf9dc55e

SHA256
1ad966017c5d59820eaca00b502362e596b25823408f423bfd81e52f8c946176

SHA512
4e119b2d6eeedaf925fadbe892bb78cdb2495dc34406f295bda1900bba4df35c45983142e6bc1bd424a9de722455ef4bc43d428f20eadb68f681757c10221a6f

Download Submit
C:\Windows\SysWOW64\Apeflmjc.exe

Filesize
95KB

MD5
942fe374a3d2f97bcd259fbff551d7ef

SHA1
a4eb99f7d85f4440f3c77a9d2f963604856140db

SHA256
8eb441984b359f3eb5ea67699717a92a04683e9b91a2711cca07cea1e8463419

SHA512
13ed212d427b6b05e35ad37031cb2dd702cb091056ab4bd6da3f178f56845f44747104d1f5219e7ed1ab4f9c15cb8df68a174f12ab7894330af804784486f545

Download Submit
C:\Windows\SysWOW64\Bhljlnma.exe

Filesize
95KB

MD5
c3c9113ad9f191d9108186136a450887

SHA1
8b686379d99f474e9ad0730abc5df2d069b3e05c

SHA256
00394ee6164b00e2816e3bf4fc497f8aed6b0dc8181e2675c356846792b911bc

SHA512
6355847de3b3dc42cabbecb390d0e3cbf67b7c7d7cf8003d181efa055b63abb1862159fcb49b5d77591ee77e7c687cdc41f7cb61c4459b392d403458e1fd3635

Download Submit
C:\Windows\SysWOW64\Bkhjcing.exe

Filesize
95KB

MD5
1ffe192b1742e2b06670caac6a349f1c

SHA1
df09ab48c1a62cfeef6736274008656036f7bf62

SHA256
10589f10517e95a583535522b8fa160c986d9476569fae7d51d88e2f33982250

SHA512
b8689ed6f32442969b1cd43d5e98a6de8c44da60d49ec7ae1bf563fe870d08cd492211ed781b44806ba00c29ed0841d40e5861751be65d499db270faa7d8eb36

Download Submit
C:\Windows\SysWOW64\Blcmbmip.exe

Filesize
95KB

MD5
2f411543e66cb8d645a4f4d84d882349

SHA1
f6e5390109dacddc4ea89f604533358a4c12dbf1

SHA256
0e6ab6eed63750d622a55989d3c3c2e8e4e45792267a2cdddfb4e23e53bbdf06

SHA512
821f7dc818464464689af6fce5766d4185e31f2cafea5710cbb8b3faa367eda44defa710997b66a7c3752aac928e14c3c195536079fcb736d9a922c16ad8fb9b

Download Submit
C:\Windows\SysWOW64\Bnkpjd32.exe

Filesize
95KB

MD5
22cdf417c2cfaada068cbf0dc4d83d36

SHA1
d86201d313358ec94df260b95915e4bf2cc41e1d

SHA256
a2c483c2503faf9b871f6adc4429ec5cbfc466976cdd4af349fa3da306f7379f

SHA512
43bee0795a8d6426ea83c22944fa8ddc9bbf23049aa2253ddc1d905afc8664f7aad97d9a645648f3043a281c0ee4d09ab6aeac3b2a961768a15557acb44fd98f

Download Submit
C:\Windows\SysWOW64\Cfpgee32.exe

Filesize
95KB

MD5
27458a60a5c6c76e5a293b939384f733

SHA1
6a213e47a8ded134c3e09dbacd8ff59d7656fb12

SHA256
d4212bbd172287e767963cda3640b782ffbfbb0c0daf627e1404af999f3609ba

SHA512
d7a2d8d17d318b664356b39ab6a854a1b08b31f2f0dd9c3b07f39bddab37f61b069c68c888ba78ea603195f4b8a278e853ba0a3a23c70a051b64ffed77f16c8a

Download Submit
C:\Windows\SysWOW64\Cjifpdib.exe

Filesize
95KB

MD5
23d4a5db9ead74aa66b96e09e7f3e257

SHA1
4ec5d722b94cd48ca64fcda8d2fc950914c19501

SHA256
03166e33261a8c5eacc45e06512731a98996756b42621b9cdc3423bd2608a429

SHA512
4b6d65f0231347a36a3c6cacddf279e3dba8c3d2fab6ad1e5e73e11a8b5a73698ed42f0a562a190db2cbeae770c296996d398a7d19cc416fb71662f0c8d6ed89

Download Submit
C:\Windows\SysWOW64\Cqlhlo32.exe

Filesize
95KB

MD5
d614e2e51156f5689e40b3af03a7fe55

SHA1
583e23c1d3b3fb91abd9f8ac90bf5bb85a6c1ad2

SHA256
15f738f57b5cdcb6b87568c3d16273a282311334f8f2d0c6439c3bd5c1b00678

SHA512
a3d7ede2de0737c9b9d759ef6f479357428d81769c410d3adb5b231648a2d87667d4faadf9038c14088398b6920a5cd6cc24f07d833c509076dcb7a8c37aaf1d

Download Submit
C:\Windows\SysWOW64\Dicmlpje.exe

Filesize
95KB

MD5
cc58a2937ef6255cc466915e0a3eed63

SHA1
de77be05e68da93e8f1db7320ee73ab8d2122dac

SHA256
662d8758a19077cc75cb610b86f9ff34be39b85833027d1b6a0f4ffa9ac1bdf6

SHA512
09b49676907c28e0dd21cec8fad2b9e3c107cf068a9d4dc19521e61e6190812609d68915fb962b1ec1056a2e6bba406a40a9c44eabc81589edbe5f64fb5fad17

Download Submit
C:\Windows\SysWOW64\Dippfplg.exe

Filesize
95KB

MD5
ba68cfff74abb14075fe8b65342ca3a6

SHA1
dae5d896fed4fa1f5daf0916a60bc158022ac44f

SHA256
0785b5c92d7bf7bde5bfc467f74f44c81d83451e55fa503be12274ba32190c94

SHA512
445f50da049a8ce3afe5f2e7d1e8440132ec8046012be82282f63aaf409dc3a61c94d744503a93ccfc58cfbc0611d7140d42dd8398494e58249860be1277a365

Download Submit
C:\Windows\SysWOW64\Dnbbjf32.exe

Filesize
95KB

MD5
1b5ed3ef2bea24613addb62a03bcbd1b

SHA1
3bdd099fd9c727cfe914de3b2f6d4beae281e9c7

SHA256
54b8fb0e9832792afa76f9a72db1ab7584541a29a7c0f807bde718313d381e1a

SHA512
388d93ee1fbf8ddfa5d9ba02aee1e25789d6ed250a8f20ee00f2ea200d0ef04aa820735defe3c306bb1be1283cc4d3f2c0f625a2bd28ef9f89d091db571000b1

Download Submit
C:\Windows\SysWOW64\Dndoof32.exe

Filesize
95KB

MD5
c89d196df2a914c3db1e1bd5e96fd998

SHA1
fac9667fa6c2be396b0a219f5846fb1e3ff39f48

SHA256
adf9ddd7cdb025c62b7e834aa8cab57033f63b25f10767c016b6bab68ed0c30a

SHA512
933e062e782d9eb0a6a8f9173cfd7cab6d0caeb97fbeaec22e345aa0d5dc8d02d3484c9d368cdb8c48b0ef5f465c0241f85f11a0c9e27ab48671e0800c007a8d

Download Submit
C:\Windows\SysWOW64\Eagdgaoe.exe

Filesize
95KB

MD5
10a0a6d1963abb6391ca8a4d5e7dd3b5

SHA1
6f56e620d8a2b5af0f70636d8eebce00dabee458

SHA256
0713e7d9466c0b93b071c5b57addb8d8e698df4538ff0771fda3591f7fb93fbd

SHA512
d068b0ff45a442f9853d5f384b23db51dc32e42d5c5df3c09c90c8dbd9fdcb7d6f9485e1cf35a2a72fcc2dc5f25fcfc0d6239f8f85a2137f41f90e156c1e48b2

Download Submit
C:\Windows\SysWOW64\Eccdmmpk.exe

Filesize
95KB

MD5
e5dc5a979dff3b800ecc8bdd27fad546

SHA1
f5d69fe6f68bcce2ab2d9f2b7f637b7e28dcd936

SHA256
89c4311942c5ed29789e64baae449d0c6ee3cc37cd934a121ef4065391da32c3

SHA512
c744774467e020a7af8fe22b9b15d141f212033258f104f148b04de975bc4015adc5c60daa899dbfd2bddc57f655d3fc3194a2f98a7a306e9cef1b4183a57c53

Download Submit
C:\Windows\SysWOW64\Eelfedpa.exe

Filesize
95KB

MD5
de5c06e93984ff88b6851cf284e3be02

SHA1
a910c11f2c4288b9a5f6f8bfa39778487604049a

SHA256
779af431a7c8cdebc950ad5973b3c3985ecd8bb037e5660b432381a8c600bc68

SHA512
9cb4119d40ab4f991e89df26e315f3696c381ade9513fb8031a8ba5cc9f4b0ccd7ea1b9934316b2f28e7c4c17aceec548574d295057218a963d45ff11cb1644d

Download Submit
C:\Windows\SysWOW64\Efdmohmm.exe

Filesize
95KB

MD5
8dadc41c4994790101323026ff4bc532

SHA1
432988d6d918fc8ab9501d4882ef8288067c7acb

SHA256
733c1cc93f6cef5a8327d34aca58649a71d71440dee25eb15ea2bf7afe459411

SHA512
4d1a0f6e69576292a34c9c63ddc5f279e7a5ad23b5f52a8de211bcfc5624c6f123240c7bbe0137963a9b9852e47210cb9a0a9878edc5701893a39708088c609c

Download Submit
C:\Windows\SysWOW64\Emqaaabg.exe

Filesize
95KB

MD5
104a6398bb50f5546e01f7b34ebd0a71

SHA1
3aea67a83dd9668ad4dc21eeb72ddc0bb6f2f6b4

SHA256
60e2db449e2299a2b91bc009dbbf781f04d44768843f24aad10e0408a0671ce6

SHA512
52f0738b7f40e6aa51500639ba338c9af3affd3f51b7bb988fb85f1130693266d638f2605e2f4ed7ea68dcf7ebe10628016a57693c45536faafc973b19c12764

Download Submit
C:\Windows\SysWOW64\Flhkhnel.exe

Filesize
95KB

MD5
659e671ba02d2c53a222ca7473b2ffcc

SHA1
bd3a77eb5abb847a50ff409862417474978062e4

SHA256
f6b602561574243fc00e24ac7febf2e30f7631c025591a02c15c2a11320a17b4

SHA512
366768a150b816f45ee74160209945073afc6ab1c0886422dbf4c0659dc8e6bca2977b52eeb9fe12bcc93bceeac4c16fb74d26793ba70e6fc416792bbe08efce

Download Submit
C:\Windows\SysWOW64\Fokaoh32.exe

Filesize
95KB

MD5
b6456da17ad5d0cb2b3ba0f49c60085d

SHA1
d2da41f5a4ed3c913de5385e99dfbc8f92ee7260

SHA256
c601dbe7d9c49bb823f994f9aeb7f09116a1155f3120934b0acddab2c3da9e17

SHA512
75dc40b6ed1c111e2e1c693459b4a1adeaf57b63f2b4cb334d1f436f77d2494d46340f99c76a9561eb0f0dd1db2d7ce748289c5a403e5a612fa152fe6f0e3604

Download Submit
C:\Windows\SysWOW64\Gcapckod.exe

Filesize
95KB

MD5
9ae7258d19206380971f186a4e22cac2

SHA1
a94309c24a17a14c7d955b810654e67078ef89f4

SHA256
3a6f9831bad163e36668c149670cd1344ca12a0c701c77787a58fd13f5dabe57

SHA512
85ab59650df39a0a725b30b91600c9b6c727c7afc777ae067282e3653443289d412dd6c1961fd2dfb597449aa6dbd5075f4aa16131ea21d5eb2c1db55825a22e

Download Submit
C:\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
d3a0b9bc053a1503488a5d6d0b6f5804

SHA1
166bc6125694ad4f06de7dba0b034123863dc22e

SHA256
c2ade81eec4809f9f1c59b6ad2ffbc08a11959436242cd28fa1a8d7d8daaa4ad

SHA512
92f6d3fe3cd6ec04d8a41f4f050a2e8e075d47c4a1fefac3c9ab02db5e89e2343ddc3ae3e75d22c851002e9bd240644eedafe8992ef04ee055f54e2c675cad9a

Download Submit
C:\Windows\SysWOW64\Gcfioj32.exe

Filesize
95KB

MD5
6077f6608a19f77737b38276852d367a

SHA1
8c2f6a2259740c6ebe97b52c22456c8abcd2d724

SHA256
5d1e2ff2c3106d1d056a8417e3ea61bf93a9e590f5e49928f16ddfe00eb8311e

SHA512
c3dda4476dafa239c98119ea4085990fa19cfe78779f75a6fed39b779771aa47abfd965daa47685f6d5948a9a4747ab47fb478a4baa3888a756899a7330eca4a

Download Submit
C:\Windows\SysWOW64\Gcifdj32.exe

Filesize
95KB

MD5
b4fe15f8400e1b65eb15da02342aba54

SHA1
7680bd8c881a07237db60405bc0a126a89ead681

SHA256
f0112995020ee338cf6eb24618eb73bea1f3ebbdbb825751ec306afb2e1b0dac

SHA512
8a9fb2325fd7c1da6cdfda56b388c81280573e1012add2ff97534f6a31c34f9b91156437f472318fb9dd100836914f6eaa12d27ea709c54e0ac4c7247d4a9503

Download Submit
C:\Windows\SysWOW64\Gpagbp32.exe

Filesize
95KB

MD5
5e8d066e0dcbb2d730142a1682119c1b

SHA1
11d9fefb0722eb76b21f57ed084cd3ad2847cfc5

SHA256
c9ccad3e66d6b21abb8b7ecb6f01500241a837892b20f8bd4c9c3ba79f0f55fc

SHA512
f5e6ec7ddf63ec8dbf043b66c6afeb51de290a9088b8deb779b4647ce35a9034917fc621548b4e8ae38b8b93626be9cf18d7617a2b303e288210e2deff20e9d4

Download Submit
C:\Windows\SysWOW64\Happkf32.exe

Filesize
95KB

MD5
4ed7e8a1dee701647d9a812e3baba640

SHA1
beaa669e9b2b786d80da402fc8b75e778dea8598

SHA256
78184a5ee9745a69406e854b844d4b6bc703e2a2be08dcf1dc1d2aed6ea5f3ad

SHA512
0c8374a9482c3bbd2618c9d71dbeb66b0e06cbdca108e7e2ef5bbeb18592237b5d0a931fa11b1df40d91d5941a1ffd12a0b1e3a249ba9fa0dcf26ec61d4a160e

Download Submit
C:\Windows\SysWOW64\Hbblpf32.exe

Filesize
95KB

MD5
d6a42e0583e212bedeed558347dd55ec

SHA1
86693952d14302773a2184cf8b727120ae5236bb

SHA256
79f460731cbeece8605c95acad42beb102b8b13746f1c6d91987dee0b3891517

SHA512
3bb6ff14dad1aa9a89dcf99692ba3c37e2ca5e4f052fcc54f90f31b9958ec2483a8a066a0616d4c06e9dc489a633729a45b1bd85afe80bd2e11af0ca57eb1321

Download Submit
C:\Windows\SysWOW64\Hfdbji32.exe

Filesize
95KB

MD5
bb26d9394648cf8c001e078f941abe45

SHA1
eddcb0b8bd3b1230b7da25acb0c271b311dfa19f

SHA256
fa5e67368cb57b45eb6e1271cfc742fc0afe9f32dff1503437aa6fd95a3630d1

SHA512
f000bcd72250bada15a982b6caa5b54474e681e97af26e8b7f7d12b5861d585058c794ff0a3a4da67d81666634229db85fba3d33fd626f7c4eaac8836c6fcde9

Download Submit
C:\Windows\SysWOW64\Hgmhcm32.exe

Filesize
95KB

MD5
88e44ea4a5dca1c9c24b668b1f449f9b

SHA1
12e79d226b70d056ad1f6d14e881b224f526822f

SHA256
db332a5b14fc67464c0b7e547b9b7fff36802dbce836d6a98a5ada4f1125f13e

SHA512
06b013d567965ceb18908ccb1bbd53eac226d27d86446f330eda6bf3f59716726d71874e3e5bf94ed1f137b9ddbdaaa20313c622f3873a97dbfdd4b9c0d73184

Download Submit
C:\Windows\SysWOW64\Hkkaik32.exe

Filesize
95KB

MD5
abfb6d267bc80ab23a3842e4045fe7f2

SHA1
427d0c28901a84de02aec5fe41e71e54c17b6ae4

SHA256
6dfe1f66a439a8581b3c0cc939652bb6ec6173f70008fa98703852c2c47955b1

SHA512
d0e46347845cd51dcde38c09350913e51f98a9bb0214b9a6e14ea753798884a39ca36547bd5e2f87f97b6fea364fe49654f9ae626f8c7a85f23686bf1e1b6759

Download Submit
C:\Windows\SysWOW64\Hnbgdh32.exe

Filesize
95KB

MD5
24ed732c816c3ea6fc0bcfa8d18aa72f

SHA1
beabc3d74d13ae1f3498f5d7ff19678e6ce24aae

SHA256
79124108758f00b74321ad3f1ae582180c8328bdb223bfabed9444d5f267f555

SHA512
2ccb62e1eb06415be64a03c0039a947a28762350a3e1827bc71ed2aabf43d7dba2655f0ffc332835590c024ff9723c1905eb99d25525888e6a54369fef9e85f5

Download Submit
C:\Windows\SysWOW64\Hqhiab32.exe

Filesize
95KB

MD5
af0038740d1576895e873f7a1e376f65

SHA1
fcf5dc7b486565c96f34e68958ac26b6c1b491ae

SHA256
c37bb2269d8b4026b91dfb3447004a15b81f57864b9662673d6f011acb6b640f

SHA512
f06a6aa48477f20764f2c143467bc96b2655a16d283416d059ef0bc9c5a07f0d9610a2b23b818dac453dbd963df9174d1117d84e2284d499b3050ec758e10975

Download Submit
C:\Windows\SysWOW64\Hqjfgb32.exe

Filesize
95KB

MD5
270d7e729e208d4025acd250bdaafbfd

SHA1
d97b2c4bde3a64bc5dd6cb210edf3967f9b047c6

SHA256
ecd31f7a149294850617250e4b7bf4749d3431c0dcf4372393293ec03746574d

SHA512
341ea2e60868eef9e662204f4867cd66b5ce2a92a4a9530c064988d6df5c1c4c72d3e27cfca0a37973a14beb6a68489482df55946ea8b912a4271960c6e34fa5

Download Submit
C:\Windows\SysWOW64\Ifgooikk.exe

Filesize
95KB

MD5
687f61b22376c1f760dd5c9d03ef329b

SHA1
ae12a9946636a3ff35420669a687bd1d13fcbb86

SHA256
d9114fda06c43fcbd2b9af2bcc340defb94acae6b8c0c0fb1f9687a936f409bb

SHA512
86ce8ad95635289293c49a60d4fa3e32e3635a011be0d1fce0f44517bb2fcdcbb4d17db10e16a3e89b5703a19ca212667ad759fdcd71e381db8c859f64475f86

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
95KB

MD5
69d2dbfdc40c1dda1a5a5392c4087e5b

SHA1
f07156b61dcb24e41a266aac7307f11ab19910c1

SHA256
c76a14e8871bed36d2f33d974c912f8374019752c5aceb8f0972740bface5b5d

SHA512
420cd07404fe2f1360b1aad4c869327ce19b50ba217e183359986bcb82bf5b8981dbca5b9a049d345469103355534318d407bf1c3cff8fac1a98e8731225c3d2

Download Submit
C:\Windows\SysWOW64\Jceahq32.dll

Filesize
7KB

MD5
9c36b8b53434e4921003a95ec11c965b

SHA1
2d83bc48982ca40ec90ec9fc9e7c3ac0d6afba9b

SHA256
a214b8612619c29d900c376a106f1ddba6a2e60ac3dbd0156bbdf3b1f88ca4fe

SHA512
ddbca7e994f3d7c77e86083ed40b40ca1b7e785b3f6e23645971a633edbec168a1cbd83ed0286da84d46450fa371f32f9164a8d5c2ff882603fb270184184137

Download Submit
C:\Windows\SysWOW64\Mbkkepio.exe

Filesize
95KB

MD5
0e019b9018a353e40a10fd8307449633

SHA1
01cdf6e06836b07fe5998a83558560ac23738405

SHA256
2fd97ca52cbf538b2e8e65c8b93ddd6643548334cc00edecc67ce35303bba2b5

SHA512
7eba90a7aebe618a7b41f0934e72e5b3405ec73ea96bbce97809824c7471fa8be3d8327f6e105e5cb87259b7e31ac7e6b6b0227cf72bdf36fab14b7d85979081

Download Submit
C:\Windows\SysWOW64\Mkconepp.exe

Filesize
95KB

MD5
01738184c301dc0f25c3bb70d3e12ed2

SHA1
3965ea6433ad9b3fe78075093149c324c3044832

SHA256
7d234e0c5529d84443e0dc2931044bcf771ce0267c1e233a8aa6867fed222fbb

SHA512
b1720bb2eeba261821ad9439ab3ccee570ffd2a4c031c2ce164c7d521caf664681e60824887ab1a9ad8dd6494b2a6498953673ce51d0f27ab21cd2e95216ed5f

Download Submit
C:\Windows\SysWOW64\Ngoinfao.exe

Filesize
95KB

MD5
39280af9f33174b405f7797e82901b22

SHA1
c6abbf56a6c12fb9c3e8f61806c3a7170fb0bf25

SHA256
29eaf71ac205146c176de55b6c6298db52d46af5a81554ac1b53978c76594615

SHA512
36d26f18cc4474231ad8f5bed1a2912ec2b879b501f7f7b694bfd39e87075415d71cd73d7cee77dc6c043492588d5b510b31952761bd38bae1decc9e82ce955a

Download Submit
C:\Windows\SysWOW64\Pbfcoedi.exe

Filesize
95KB

MD5
da468aa45b86fb2f96d0f917fa93dddb

SHA1
753615cae4b4f7712af72f3a24da44bcde4010ab

SHA256
787e9c04beaf8b0009439ab71f35b7575449bf2b45cbb8f2fc7b919c17dd7538

SHA512
55c160c09bba4b0c3c49684e2c84b106f09552eb1eb86b1c4fb742e8fb47b7e83dd02b8d7aeae5cdc39335baef82571ae0b8f22c380fd520d3e3846040619e62

Download Submit
C:\Windows\SysWOW64\Ppcmhj32.exe

Filesize
95KB

MD5
bf6fcea7f7f77132699c98a6be30559d

SHA1
97d6451c0cd811ea72bb942fb1993f947ca18904

SHA256
a6bfe8866480caa501155a94c4a5e383b471c299b3b853fbfeb0fb40f19a5369

SHA512
37c5b07e25a711c63a43505ebfb4a733ab2eb9cc3632dc1a6512eb1e0691a53a3f6233f230edbbeb3bc9c10221b481cf570a63bd5b365a5e1284f657e359e866

Download Submit
\Windows\SysWOW64\Ahgdbk32.exe

Filesize
95KB

MD5
6da1da4e21f978e07d460780382e40f7

SHA1
4d7446012fb214404f46d663072d825c943ebe91

SHA256
a478f460bea2596c0ddc847da7d09b4edf6e982e9366c83abb0a49142bab9ca8

SHA512
5d61d4d7f92397a756e3a0fffa43bc2b7e14a49fe569c158f615ab18b611442c8962e0f956feede26e7ee4c3e7395f3397fab4079f03a7d9564d725c50a10a7e

Download Submit
\Windows\SysWOW64\Njobpa32.exe

Filesize
95KB

MD5
c654991f66aef2c9ef3b2d9cbb347007

SHA1
4f5c45cd0cc837cc3dcbad4596f7abc54cbde86c

SHA256
924aa2e6a97d9586600650bbd076711dd900ebbb5e341fa2107dfae78551706a

SHA512
003cf9e57b8427c454e6cfdfb9a5bfa299be743de44a0bad1eb7ac05b4d8716759349f32eeb740da514439eb9e0172b9a64a1546a7ad9e5906831da336c3cdbd

Download Submit
\Windows\SysWOW64\Nkhhie32.exe

Filesize
95KB

MD5
fedecf64f4be851d47ca8dd24acb5dfc

SHA1
5de166e4084400bfbbec49c5a9f77ad493264559

SHA256
f558d3459b04bcf30ee9a833a8598f564f7016afa1a5c38a50dd2c2046a1ced6

SHA512
823a6a5dcec221270bc1a8c95780f5cee5eece3100080ff5cd4d641e4ced0c9872ef65c737a0076b1b0806bd76c9a2e002795415fb27ad0589dda90c2248e98e

Download Submit
\Windows\SysWOW64\Ohcohh32.exe

Filesize
95KB

MD5
c718f5c5f4049f5534f13def0a4a495a

SHA1
6c52c410003d52aec9286d9665125307397695e2

SHA256
e0c695c43a22354dfb34c1c9af12b9953cafb825d5c51ab925e32c68155a6d96

SHA512
53df81cc7182e8325e631c0cc155dfba43409ed5e566c56bc08ba9ea7bbb5305f627b59d6c617dddb01472d1d6cde5798a1334f4367105916c81036103aa6685

Download Submit
\Windows\SysWOW64\Oiglfm32.exe

Filesize
95KB

MD5
ab53fcca0a7ba3ca198431ed9bee5c70

SHA1
f6e3229a824ed031991f0ef067be4dbeb86a97ec

SHA256
af39410cce94546b3b186ef9de2b62c208248e0229e2003758a23ac79b79729a

SHA512
61591e369feb68a22dc9ef262924dadb6a43854694fa1b606f71154b6b2a390665938c48530d6eccd5229cebe470adac89517efff9c8a7f5c7491a917e7134d9

Download Submit
\Windows\SysWOW64\Oiiilm32.exe

Filesize
95KB

MD5
a9f060ca48867deefe574b96e120282a

SHA1
028aa4a9ceec45da0498ab3858c1a267a8fc7312

SHA256
b349e34826dd520fae2ceaf6af188a0a6da8509e4d91b54d7025d4472490a6db

SHA512
631256d5e43b9afb1c5671510764b7c435f6355cb99f2c2a1ec1821fae85f25f5404cbb77de7d6f6de090c720b5a1aee0eeac0954ef603c32056e6be6e78be83

Download Submit
\Windows\SysWOW64\Onhnjclg.exe

Filesize
95KB

MD5
da4e38a1acc398850ed24ec9506755b8

SHA1
45c1d541eb94c64541dbd08ffef6f3957360ef11

SHA256
40278e8283f4558111e5c5b1d3380bbae0bc20ce5afaf84be15d2bfa8d5f65f9

SHA512
0a54eb751583eaac3287cfb6fb05e5f9e81ca5a3da34cb7ed665c2199e866aa6467db5bd4b4c1e89d73079f32a50e97a2bf6c8f1ce021b734f7ccbbf9ba00b01

Download Submit
\Windows\SysWOW64\Pdllci32.exe

Filesize
95KB

MD5
7c6e323acd6f9cbf52c15e07e41745bf

SHA1
03e5e1e3c59654555aebafe2eb568cc04bab45f4

SHA256
cb22235135f1b058abd60441af1aa665b587f720950027feb4f08f90f70e75ef

SHA512
38bc05aa8f9c9451d383110dfc3f019f537faf3452f4750fd13a8ca883690e0dfd5d75ee8924439aed5d86e4106fd6c00cdd12762ff0ba38b760803a5fce0fae

Download Submit
\Windows\SysWOW64\Phelnhnb.exe

Filesize
95KB

MD5
0edc26bffcc22ef1586fa89499475825

SHA1
7ee1938ac13cf567f3b84b3a8a9044354f5336cc

SHA256
3dea6f76592d993d74392d56c090ef1e35e72ddb6051d46f1f7e86086fd268d4

SHA512
46d418ce671e818b7fe690f073ef8f206ca8ded5b8c3d0365aa473f9ba50a49867058cd87b6b734b748180acd222f0e63b4a7651438ed1c071e895c356cfd50b

Download Submit
\Windows\SysWOW64\Pikaqppk.exe

Filesize
95KB

MD5
cfe5d361a34f14d8390d6b06596bbc91

SHA1
3867f377a0b2e74b5797bcd14b19c8df38d8d291

SHA256
12041da56facbf3077855b0454ec13b2713880e1dc77a40de812f15e9b80786f

SHA512
91f9a270f96142278bf1a7b2c36b0de67fcf1afb0244638ebaac6905c3dae92349eec8d7ab6cf3cd6507767b77bac33c63d0388536a7bdf1a8939bac239cc133

Download Submit
\Windows\SysWOW64\Qbhpddbf.exe

Filesize
95KB

MD5
2a9ccfb3a03524f0cc31ca5e9f231ad4

SHA1
45181be4c6034acfcc6d973c08ecaa1cf4dfe641

SHA256
7985a96cba3ce035007bc265b8a6424a548eae8557b984f3d03a66261163d02a

SHA512
bf1c6bab049d3c1f252d3a8d0a05814cedd26b251af7ec1b5fc6364a197fe02d930dd31c9e01f2f02218e9edeab9d092ec8604c0cdc58d2ae2721af793b581b1

Download Submit
memory/580-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-506-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/744-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/744-227-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/820-511-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-283-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/848-282-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/888-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/888-337-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/896-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-269-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1008-273-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1236-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-432-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1236-103-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1368-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-487-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-488-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1368-167-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1480-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-37-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1480-377-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1484-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-304-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1484-305-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1496-498-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-433-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1576-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-483-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-251-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1664-250-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1728-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-323-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1728-327-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1796-477-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1796-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-315-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2084-316-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2084-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-259-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2248-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-258-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2256-373-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2256-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-421-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2372-293-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2372-294-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2372-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-23-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2376-25-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2376-348-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2376-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-510-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-457-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-240-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2488-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-450-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-420-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2636-88-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2636-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-444-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2696-409-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2696-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-60-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2724-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-65-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2736-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-452-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2896-456-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2940-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-476-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-193-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3020-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-499-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads