68115440abf6004f9ff5d0272299ddc370014335117d6f09fd9943febef22e19

Analysis

max time kernel
34s
max time network
24s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6652cf749a673c5d63a9819f645ba70N.exe
Size

320KB
MD5

c6652cf749a673c5d63a9819f645ba70
SHA1

34298037b3889a3b940355eda619d161941ea582
SHA256

68115440abf6004f9ff5d0272299ddc370014335117d6f09fd9943febef22e19
SHA512

6147c523daea77459027d4596c7c767d6b4b75be38330b149c3bcbe5cce9cc701a9c13cc4845b5d386a8d982b3c4b3acffc22bbd20c16bedeae582be6d645c09
SSDEEP

6144:MyF9BZbbcTUxBehvlxY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:MyfBZb8U3ehvSm05XEvG6IveDVqvQ6In

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcgmfgfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdcnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghdiokbq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncnmane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpidki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6652cf749a673c5d63a9819f645ba70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghdiokbq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdiqpigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgocmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gehiioaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gncnmane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fakdcnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcgmfgfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjcaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbnjjkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikjhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdiqpigl.exe

Executes dropped EXE 56 IoCs

pid	Process
2156	Fkqlgc32.exe
2712	Fakdcnhh.exe
2716	Fdiqpigl.exe
2724	Fpbnjjkm.exe
2628	Fgocmc32.exe
1668	Gpggei32.exe
2224	Gpidki32.exe
316	Ghdiokbq.exe
800	Gehiioaj.exe
588	Gncnmane.exe
2876	Gkgoff32.exe
540	Hgnokgcc.exe
2200	Hklhae32.exe
268	Hcgmfgfd.exe
2064	Hcjilgdb.exe
2068	Hjcaha32.exe
1524	Hmdkjmip.exe
2316	Icncgf32.exe
2524	Ikjhki32.exe
1760	Inhdgdmk.exe
1972	Ikldqile.exe
1960	Injqmdki.exe
1176	Ijaaae32.exe
2480	Iakino32.exe
2804	Imbjcpnn.exe
2788	Iamfdo32.exe
2560	Japciodd.exe
2656	Jcnoejch.exe
2548	Jmfcop32.exe
2208	Jpepkk32.exe
2988	Jpgmpk32.exe
2192	Jfaeme32.exe
2220	Jbhebfck.exe
2444	Jlqjkk32.exe
1832	Kbjbge32.exe
2528	Kidjdpie.exe
1624	Kjeglh32.exe
1360	Kdnkdmec.exe
2952	Kjhcag32.exe
1308	Kablnadm.exe
604	Kmimcbja.exe
1696	Khnapkjg.exe
2960	Kpieengb.exe
2736	Kbhbai32.exe
1436	Lmmfnb32.exe
2920	Ldgnklmi.exe
1076	Lidgcclp.exe
1776	Llbconkd.exe
2272	Lghgmg32.exe
2168	Lifcib32.exe
2588	Llepen32.exe
2668	Lcohahpn.exe
1080	Lemdncoa.exe
2196	Llgljn32.exe
2212	Lcadghnk.exe
840	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2160	c6652cf749a673c5d63a9819f645ba70N.exe
2160	c6652cf749a673c5d63a9819f645ba70N.exe
2156	Fkqlgc32.exe
2156	Fkqlgc32.exe
2712	Fakdcnhh.exe
2712	Fakdcnhh.exe
2716	Fdiqpigl.exe
2716	Fdiqpigl.exe
2724	Fpbnjjkm.exe
2724	Fpbnjjkm.exe
2628	Fgocmc32.exe
2628	Fgocmc32.exe
1668	Gpggei32.exe
1668	Gpggei32.exe
2224	Gpidki32.exe
2224	Gpidki32.exe
316	Ghdiokbq.exe
316	Ghdiokbq.exe
800	Gehiioaj.exe
800	Gehiioaj.exe
588	Gncnmane.exe
588	Gncnmane.exe
2876	Gkgoff32.exe
2876	Gkgoff32.exe
540	Hgnokgcc.exe
540	Hgnokgcc.exe
2200	Hklhae32.exe
2200	Hklhae32.exe
268	Hcgmfgfd.exe
268	Hcgmfgfd.exe
2064	Hcjilgdb.exe
2064	Hcjilgdb.exe
2068	Hjcaha32.exe
2068	Hjcaha32.exe
1524	Hmdkjmip.exe
1524	Hmdkjmip.exe
2316	Icncgf32.exe
2316	Icncgf32.exe
2524	Ikjhki32.exe
2524	Ikjhki32.exe
1760	Inhdgdmk.exe
1760	Inhdgdmk.exe
1972	Ikldqile.exe
1972	Ikldqile.exe
1960	Injqmdki.exe
1960	Injqmdki.exe
1176	Ijaaae32.exe
1176	Ijaaae32.exe
2480	Iakino32.exe
2480	Iakino32.exe
2804	Imbjcpnn.exe
2804	Imbjcpnn.exe
2788	Iamfdo32.exe
2788	Iamfdo32.exe
2560	Japciodd.exe
2560	Japciodd.exe
2656	Jcnoejch.exe
2656	Jcnoejch.exe
2548	Jmfcop32.exe
2548	Jmfcop32.exe
2208	Jpepkk32.exe
2208	Jpepkk32.exe
2988	Jpgmpk32.exe
2988	Jpgmpk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgnokgcc.exe	Gkgoff32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lifcib32.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Gpggei32.exe	Fgocmc32.exe
File created	C:\Windows\SysWOW64\Hellqgnm.dll	Gehiioaj.exe
File created	C:\Windows\SysWOW64\Lpmdgf32.dll	Inhdgdmk.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Fpbnjjkm.exe	Fdiqpigl.exe
File created	C:\Windows\SysWOW64\Cggioi32.dll	Fdiqpigl.exe
File opened for modification	C:\Windows\SysWOW64\Ijaaae32.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Iakino32.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Keclgbfi.dll	Fgocmc32.exe
File created	C:\Windows\SysWOW64\Efdmgc32.dll	Gpidki32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdkjmip.exe	Hjcaha32.exe
File created	C:\Windows\SysWOW64\Aqgpml32.dll	Hjcaha32.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Gicaikhj.dll	Fpbnjjkm.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Llgljn32.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Fgocmc32.exe	Fpbnjjkm.exe
File opened for modification	C:\Windows\SysWOW64\Fgocmc32.exe	Fpbnjjkm.exe
File created	C:\Windows\SysWOW64\Ffadkgnl.dll	Gpggei32.exe
File created	C:\Windows\SysWOW64\Lkjcap32.dll	Hcgmfgfd.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Iakino32.exe	Ijaaae32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Fdiqpigl.exe	Fakdcnhh.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Ikjhki32.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaeme32.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Gncnmane.exe	Gehiioaj.exe
File created	C:\Windows\SysWOW64\Aijpfppe.dll	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Odiaql32.dll	Hklhae32.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Ikjhki32.exe
File created	C:\Windows\SysWOW64\Ncbdnb32.dll	Ikjhki32.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Eogffk32.dll	Hcjilgdb.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Gpggei32.exe	Fgocmc32.exe
File created	C:\Windows\SysWOW64\Gpidki32.exe	Gpggei32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1912	840	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjcaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gncnmane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkqlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikjhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghdiokbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6652cf749a673c5d63a9819f645ba70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gehiioaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklhae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgocmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjilgdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpidki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkgoff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcnoejch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpggei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpbnjjkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcgmfgfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fakdcnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdiqpigl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpbnjjkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fakdcnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgocmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkqlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gehiioaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hklhae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c6652cf749a673c5d63a9819f645ba70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkqlgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpidki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll"	Ghdiokbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll"	Hcjilgdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpbnjjkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpggei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll"	Hklhae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Injqmdki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c6652cf749a673c5d63a9819f645ba70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfikc32.dll"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggioi32.dll"	Fdiqpigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdiqpigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll"	Gpidki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghdiokbq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll"	Hcgmfgfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c6652cf749a673c5d63a9819f645ba70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gncnmane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2156	2160	c6652cf749a673c5d63a9819f645ba70N.exe	30
PID 2160 wrote to memory of 2156	2160	c6652cf749a673c5d63a9819f645ba70N.exe	30
PID 2160 wrote to memory of 2156	2160	c6652cf749a673c5d63a9819f645ba70N.exe	30
PID 2160 wrote to memory of 2156	2160	c6652cf749a673c5d63a9819f645ba70N.exe	30
PID 2156 wrote to memory of 2712	2156	Fkqlgc32.exe	31
PID 2156 wrote to memory of 2712	2156	Fkqlgc32.exe	31
PID 2156 wrote to memory of 2712	2156	Fkqlgc32.exe	31
PID 2156 wrote to memory of 2712	2156	Fkqlgc32.exe	31
PID 2712 wrote to memory of 2716	2712	Fakdcnhh.exe	32
PID 2712 wrote to memory of 2716	2712	Fakdcnhh.exe	32
PID 2712 wrote to memory of 2716	2712	Fakdcnhh.exe	32
PID 2712 wrote to memory of 2716	2712	Fakdcnhh.exe	32
PID 2716 wrote to memory of 2724	2716	Fdiqpigl.exe	33
PID 2716 wrote to memory of 2724	2716	Fdiqpigl.exe	33
PID 2716 wrote to memory of 2724	2716	Fdiqpigl.exe	33
PID 2716 wrote to memory of 2724	2716	Fdiqpigl.exe	33
PID 2724 wrote to memory of 2628	2724	Fpbnjjkm.exe	34
PID 2724 wrote to memory of 2628	2724	Fpbnjjkm.exe	34
PID 2724 wrote to memory of 2628	2724	Fpbnjjkm.exe	34
PID 2724 wrote to memory of 2628	2724	Fpbnjjkm.exe	34
PID 2628 wrote to memory of 1668	2628	Fgocmc32.exe	35
PID 2628 wrote to memory of 1668	2628	Fgocmc32.exe	35
PID 2628 wrote to memory of 1668	2628	Fgocmc32.exe	35
PID 2628 wrote to memory of 1668	2628	Fgocmc32.exe	35
PID 1668 wrote to memory of 2224	1668	Gpggei32.exe	36
PID 1668 wrote to memory of 2224	1668	Gpggei32.exe	36
PID 1668 wrote to memory of 2224	1668	Gpggei32.exe	36
PID 1668 wrote to memory of 2224	1668	Gpggei32.exe	36
PID 2224 wrote to memory of 316	2224	Gpidki32.exe	37
PID 2224 wrote to memory of 316	2224	Gpidki32.exe	37
PID 2224 wrote to memory of 316	2224	Gpidki32.exe	37
PID 2224 wrote to memory of 316	2224	Gpidki32.exe	37
PID 316 wrote to memory of 800	316	Ghdiokbq.exe	38
PID 316 wrote to memory of 800	316	Ghdiokbq.exe	38
PID 316 wrote to memory of 800	316	Ghdiokbq.exe	38
PID 316 wrote to memory of 800	316	Ghdiokbq.exe	38
PID 800 wrote to memory of 588	800	Gehiioaj.exe	39
PID 800 wrote to memory of 588	800	Gehiioaj.exe	39
PID 800 wrote to memory of 588	800	Gehiioaj.exe	39
PID 800 wrote to memory of 588	800	Gehiioaj.exe	39
PID 588 wrote to memory of 2876	588	Gncnmane.exe	40
PID 588 wrote to memory of 2876	588	Gncnmane.exe	40
PID 588 wrote to memory of 2876	588	Gncnmane.exe	40
PID 588 wrote to memory of 2876	588	Gncnmane.exe	40
PID 2876 wrote to memory of 540	2876	Gkgoff32.exe	41
PID 2876 wrote to memory of 540	2876	Gkgoff32.exe	41
PID 2876 wrote to memory of 540	2876	Gkgoff32.exe	41
PID 2876 wrote to memory of 540	2876	Gkgoff32.exe	41
PID 540 wrote to memory of 2200	540	Hgnokgcc.exe	42
PID 540 wrote to memory of 2200	540	Hgnokgcc.exe	42
PID 540 wrote to memory of 2200	540	Hgnokgcc.exe	42
PID 540 wrote to memory of 2200	540	Hgnokgcc.exe	42
PID 2200 wrote to memory of 268	2200	Hklhae32.exe	43
PID 2200 wrote to memory of 268	2200	Hklhae32.exe	43
PID 2200 wrote to memory of 268	2200	Hklhae32.exe	43
PID 2200 wrote to memory of 268	2200	Hklhae32.exe	43
PID 268 wrote to memory of 2064	268	Hcgmfgfd.exe	44
PID 268 wrote to memory of 2064	268	Hcgmfgfd.exe	44
PID 268 wrote to memory of 2064	268	Hcgmfgfd.exe	44
PID 268 wrote to memory of 2064	268	Hcgmfgfd.exe	44
PID 2064 wrote to memory of 2068	2064	Hcjilgdb.exe	45
PID 2064 wrote to memory of 2068	2064	Hcjilgdb.exe	45
PID 2064 wrote to memory of 2068	2064	Hcjilgdb.exe	45
PID 2064 wrote to memory of 2068	2064	Hcjilgdb.exe	45

C:\Users\Admin\AppData\Local\Temp\c6652cf749a673c5d63a9819f645ba70N.exe
"C:\Users\Admin\AppData\Local\Temp\c6652cf749a673c5d63a9819f645ba70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Fkqlgc32.exe
  C:\Windows\system32\Fkqlgc32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Fakdcnhh.exe
    C:\Windows\system32\Fakdcnhh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Fdiqpigl.exe
      C:\Windows\system32\Fdiqpigl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Fpbnjjkm.exe
        
        C:\Windows\system32\Fpbnjjkm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Fgocmc32.exe
        
        C:\Windows\system32\Fgocmc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Gpggei32.exe
        
        C:\Windows\system32\Gpggei32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Gpidki32.exe
        
        C:\Windows\system32\Gpidki32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ghdiokbq.exe
        
        C:\Windows\system32\Ghdiokbq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Gehiioaj.exe
        
        C:\Windows\system32\Gehiioaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Gncnmane.exe
        
        C:\Windows\system32\Gncnmane.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Gkgoff32.exe
        
        C:\Windows\system32\Gkgoff32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Hgnokgcc.exe
        
        C:\Windows\system32\Hgnokgcc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Hklhae32.exe
        
        C:\Windows\system32\Hklhae32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Hcgmfgfd.exe
        
        C:\Windows\system32\Hcgmfgfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Hcjilgdb.exe
        
        C:\Windows\system32\Hcjilgdb.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Hjcaha32.exe
        
        C:\Windows\system32\Hjcaha32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Hmdkjmip.exe
        
        C:\Windows\system32\Hmdkjmip.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ikjhki32.exe
        
        C:\Windows\system32\Ikjhki32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Jcnoejch.exe
        
        C:\Windows\system32\Jcnoejch.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 140
        58⤵
        Program crash
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fakdcnhh.exe

Filesize
320KB

MD5
1ffce4c9222b98068c998e18187df3ed

SHA1
6711a785685400ba82316a0e905c564ff27f5a48

SHA256
bc71a2524e076748f86b57f2f58cfc25ad820290b46f26f6ee7dd230a997f557

SHA512
0763fbd241bc233638407392c966855b1440a1bf38dfb7e4817c9d5725d3e9dfed4445fabb5d6a68d2566d84fca9031e545a05c718738d32bef6624636066b25

Download Submit
C:\Windows\SysWOW64\Gpggei32.exe

Filesize
320KB

MD5
29f31a47d63adb6159272d616b476d4f

SHA1
d5ddb3ff3c5060a9a18118cefb2978e2cb20d536

SHA256
0947ae24ebd6e3ee691d152922b18e59f796c2c4649d09c0876faf561c53966a

SHA512
9b5f17b3b6d9ec0694a219c7a253fb461a0c7df9fea2c94a0f00c38a18376c8f0eeb1eadf90871cc66b02698c41cfeec4126ac8b0d6e0813e772e07bf5bd955b

Download Submit
C:\Windows\SysWOW64\Hgnokgcc.exe

Filesize
320KB

MD5
bada089ff2e236346cf1da9b8fc1e0a3

SHA1
c9b397bbd9bf6b5fb7c3fcde833c8b39f6a3feeb

SHA256
bcdd63a516d14d3598d1b1789ce2a95e83b706e0fd2fa4b69a3ce60a105629ef

SHA512
158fb09196b60a5f54ba4c13ae41e1e1c7819bb55418dba0ce657ec6042476707e98ca20cf2db4c7def394f09c44cfe74f85ca4c4cfd8510a5551a387aeb8d56

Download Submit
C:\Windows\SysWOW64\Hjcaha32.exe

Filesize
320KB

MD5
0bf4ff000f5224a923679ea1269dfe71

SHA1
f84af17425f9f1df02703a66ccc4e761783d6294

SHA256
ab6df954b9b5d8cac2f3aae931ffa14e601f683580027f895cfb10f06bfb31a8

SHA512
b1a19ce07eab49226613d4486226e1c2dbba81f496eea771a44abe777b1937eb316a57bba5c785ebcdbd441ec32c04315871d7d7cacaad387057e4410af6c73f

Download Submit
C:\Windows\SysWOW64\Hmdkjmip.exe

Filesize
320KB

MD5
564ca629dad4622a79273f22f7613211

SHA1
3ae48d6c06dda8d0bb7a5e07772f17aabaf46cc3

SHA256
a8982cb453dfeb3d655f0dfbb4dc75393a8e93a3949001909bac6b31d906a31d

SHA512
93eb6647b7274063fab89f38b8c3679a50404eb0e64eb438e06f7f5f3ca722913540c08478141fe7f82e25ccc6802a9acca4147a6d4fd6e148eb432338ab8b0b

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
320KB

MD5
a78ac1c65596509e1b4c69b0b1cd5cd9

SHA1
4f88d50e9c968f91a6198f947f8f4eb9c8e167a5

SHA256
184a9767f0dc6977893a1d5677e0ab1e05f3672e7b29217671b55e36724b7518

SHA512
01f63076312c811f5b7f7935eebe149964b450eeef61086439f4211cdfc9c1b33a3065a6fba23e556fd6299e740a10ead0a478cc68725d0d6b66541bc1f7a36f

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
320KB

MD5
c52a6d79e304e337cef32eaa0691548d

SHA1
6745ad03027ee16dd7c7d950abf2515d84a5fa5b

SHA256
f233a927e30102dbabeeeb80da7e3281edd6ea5119798bbfdf4fd6749000db39

SHA512
8d737c33c90aefc9e21ae8449cf6bd83e86236a7772c90e81265d3b89982be55e896434b78535574d74b4e0a4190ebacc8887758aec479dda6d151566559925e

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
320KB

MD5
b08964cf8ec870fe1be4adf2d395bc3b

SHA1
f9affd81139ea6138d0efb3c8b569beb27031e24

SHA256
442d3b52a939e312320ae37cd88f577e31bbbb2d0f05cc26e039d2d9841b2d55

SHA512
e131de6e19bc2fb0281f1b2504496a179ae0a170635257869fe9eb2826c4a4afa5701d9ff069b144205c65a2f4280b28548b09e076375d412131d92ad39d53fa

Download Submit
C:\Windows\SysWOW64\Ijaaae32.exe

Filesize
320KB

MD5
7f0732f7289c5cb02183b31cf955385f

SHA1
92010d61a672a833256a2b880f3ea12a8110543b

SHA256
a56057262bea3fcd5d3272e6ed58bae885c9222dd2253c2e59394beaf8abcd15

SHA512
7025a70bbbd3cd5f9718c4422c5171f69111fded707f5fdeac883b8bc3b556dfd37a6a7d7fa9b4c660f179e3de2b38016d93d7e78514950103c037791d43c19a

Download Submit
C:\Windows\SysWOW64\Ikjhki32.exe

Filesize
320KB

MD5
c13c9e0b4e89b8de58b63a3081bc5027

SHA1
349de230b0d6674092e04ef32fe199ab71d6d386

SHA256
46458787765707d92e8e86279a7857a723840d9bb2127cb0eb2ac2c56d90b93d

SHA512
2e274cc4ed5187c54906731c8f33954836f114f5e324321e3af7598000b6ca23cf27b733646cc3156c5da138f147be131e31dd88ceb3cb8950cd1314048a75cd

Download Submit
C:\Windows\SysWOW64\Ikldqile.exe

Filesize
320KB

MD5
e09c96e1db3e5e4e1ce510890a669900

SHA1
008597f8011709e5a7a55575167fb2f65008de46

SHA256
124ae7f81ceb37e13e2569f979d74133152a43a5e369573b6d32308648ad23ab

SHA512
fa2cd887224da90c101a77b47ef79d065df86cfabc868b6cedec5fe4538c080292d8720b7a0979a8047f647fdadc21799b3465ff78824a9b31f5ccc696b821a3

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
320KB

MD5
263f0aa010a6d9cca21a5478dccaa77c

SHA1
d47335afa1db8baa62803ce4cc0ae6f683874430

SHA256
66ae070284afc85048c5246b3d31be68e34a6427469cadbab78a88cbb5d83a53

SHA512
5f35a54f2472879828c58fb6aeaea94c0e35161e17b2304163806f08374d37d947d886814027a3a7d56530a7504af132249063132f741488aebe19d44990d101

Download Submit
C:\Windows\SysWOW64\Inhdgdmk.exe

Filesize
320KB

MD5
bba3d374429d82dc3b5a92a9da9bc410

SHA1
f4010ad1d3d7710befc75bd6760dfa8399605a79

SHA256
7cc692bd3eae4b238260fb3505d0cea0ea13dc3b366f1dddab7f77e0ec8c35b2

SHA512
b7cdd83b610652af09a93957edf4f406d6fa5e837bb02c2a99a7538f53401e0ebf34c0ea12a7e81818f9a4ec41b6a0752f0c329cfd4ffe29e6fea7fd7e6c7379

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
320KB

MD5
c8b2a913266d2cbab3f2b654ae806462

SHA1
548a660317452564662b1a342b33b076db3aa0ad

SHA256
54c5c30dcf882e0a05bb29d4aafa1d43fa085fe830a2576098b86168ae66cd4b

SHA512
ea160a889f2a1c5f04e6a5a9d7697df0f9298db4716e0c5f1806d19c8280eec35763be5674a98cdb0897725f6b52a8c696b950f290a3c4c443610479528203f7

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
320KB

MD5
50465805b69296d8977525c530843265

SHA1
df31dc872480a2023087c34c1057847323dd763e

SHA256
a8edbc4ba191224dbca7ea2c386ae5bce6450ff99ed363a794af10bb0e69472d

SHA512
61318f9442d0b2fdbe9e6d39ccd4c3358ad649874b9317fa7338e3a0eada43a7dadc0084ce2354d7493969ee140ffee6d1574117582c1f9e1f43c795a8c07277

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
320KB

MD5
5214f88ef88a60b4b03a5176d299f48b

SHA1
58956d2d55404c338ef846d49e128d6d6286e77d

SHA256
58eb440f12d5e26b277938309cd808660e96c3366dca4cae10183bfcfc69164a

SHA512
c4f29553641089502d11b7e2d55784fb4dc2ebeaaad480eff7e9356ad7e90e49755725d1c3d873d69bac4d44bc21cadee89d8ca099dbf708730b4694c806554e

Download Submit
C:\Windows\SysWOW64\Jcnoejch.exe

Filesize
320KB

MD5
3d6120f4af80a31b2a5a27c1ccb3cd8c

SHA1
ec73120c968ce8c038aec7b7b285763f6a7f9ad9

SHA256
8dbffffab2ade832cad6e0fe921cd0c1b67da510472b1460e8cb7a7020c5c535

SHA512
461f7dc895e2458d34d9ad5f309e454a820b103093d6c0d838d930cd4abeac5e7224b8ad5997439a17959eab29f4f316407f81249000f3d0b5f251c1368092c8

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
320KB

MD5
58cc3a8e83012fb481ecbca873ddb007

SHA1
15de1f3bd2596744339852426836b158369822bd

SHA256
7dad3656f33120ae80812a58f20122007fd58646f605dc85d235e7971ce4b7ac

SHA512
75c4747b5a0842e6d7676f65eeba4c1dcf5b9c9e5cd3a0fc85260ad8479cdb1dd17554886ff1924187ad05d6a649212fc9feb0ece605054ea866316f9b8e9f3b

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
320KB

MD5
a7399dee4c51fc936fe6c9120e11c2c3

SHA1
e56f76cd0e0914430e6bb1565262ac8fd45462ec

SHA256
527494ecb3c8920c735f0bbf826e2741505f810e3a9d4e127429f2db0679fbbd

SHA512
7ebb364d10bd12bbfc55c9b3010e9e1a112573059ef106bad32bc84b231e7e0342a9b4b5bbeaa31b80ad2183ffbce39a748075c76065d30a83e8d887047904ca

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
320KB

MD5
37db2c36bd3ba07adfbf29c6f86d313e

SHA1
d84b9728dfb2a7b23c1cb7fb4bcb9338aaa653ed

SHA256
3cc84c202940039d7e83a35bfefc90e0aec545df11fb3d589d3a853543b1cb14

SHA512
47b34714916f297b896dcdbf6c07e3ac55b107bbef28aac7d98418697a0724e0193e33b3208e8836f6e1ff9c80ee3366a83ae94297f92075f86e1aa3363232a0

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
320KB

MD5
24c9fcdfb9983679881a829a67be7884

SHA1
fe654441f61c466191f35dc366b65effbed87064

SHA256
e77795e3aa6a98d25ef9a590b2813a22e1ab85934b8b87cfcddd656f49799b21

SHA512
8f8dcdc7f823888590f257e3b15c9280c1514337912a2dd593cdee4286df22a0762e98b81debd4d3eb09a36133418f83ba2e5bd701543f77b0324288056200f5

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
320KB

MD5
ea8d7a06b6a40defb898850d7127eb84

SHA1
2f751ec023c51c546be103476dbf24609a545da7

SHA256
4619f3daece945fc24f52a01b97478c4a87a2750058cc45374e7129533c7356a

SHA512
acab88930b2afc32d99bab1900c9302746c66c50bb9d1514774ac88e16f021e5a69253db02abee088aa9ccd90b286bb579be8a3911c236271590ed0372203184

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
320KB

MD5
ec5d4c9980007aa3cbfd286a267ff93d

SHA1
5c389a1908a70b190c51eb2bebcaea3dfca83787

SHA256
87fe673fb2d38a7a3fba3dbda9e1ac013d11e0d9fc4e6235d73b1ddc99b08128

SHA512
0f339c9d42161e315e36adfd653807610ba5e3c12fbaa8f9b5d647a0d49c73a60eb69b2206307c40e4ebabbd48d03500f648c49713ca47c4fe766d6e24a50170

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
320KB

MD5
64492dd648a8455595e7224f0c4cfdab

SHA1
697413dc37bd1a5bec528abc683c8fb9ded92d28

SHA256
824114ef0bce547a5947d38d4d03048569b9ad3ee25223876fbe278463a12b5e

SHA512
84977a905a0669c4e1aa6811c490709de1a57e3c910bff6ea161377992919022c52ad8e8b119baa3b6044e3d555b4fab08127767a0b8850cfce76a7798771e17

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
320KB

MD5
2fd9acf9f044f5eab29a74eebd746f21

SHA1
5e5f1ac2ce40568290ad6db73d5b0ee1848df624

SHA256
4efd388bf7a59835c17b684c1efee0028cbb39cb1fa903c7a3d823584210ffeb

SHA512
2247ffa8daba475a07d865b0c11075949f1a88d5ee6cca105d73e53dcb1646785bb8acbb6fcae28c3ae4b08c079254902e93df782c20a886f3cb3186271397f1

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
320KB

MD5
2f5ffade6b152c2ab00c563af140ebed

SHA1
2f464adef41674a3fffecac574ade79fea800b23

SHA256
4da4dbb1c1bd32c0caf03319e16e623a83835f0294a97fa429e79c5474b0386d

SHA512
ce90f684f1feaa0e292e176a23d8f019c6649a96f28113b2615336083b0f0a61de5b7527dc36f15e43cad68dd36c624a988cc395ffc8df31a8afccd502f71ec6

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
320KB

MD5
caa858f12523a24f727bed2de4e159e8

SHA1
5f5b552487132d603a6fa1cd3734756dedca2a08

SHA256
474ef0a8c8a7eceec09356db3ed9de096a61282686cbcefe80ad9df038cdaad6

SHA512
6bd1985b38d60fa18d08b3bde7f0f790db0e7f95133db2dd86975d071930b8a9dd952093ba3d402f62e40fb0e93347ee731ec72b8a1355fc6db63f57b68990e6

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
320KB

MD5
aee020f0094171d8c21ef8d8fdb217ae

SHA1
47fad5dac3e31c64eb5cb712200ff9085fc3fcdd

SHA256
4130b12b05b40ad78c07a0ca5a1aa16d45386dab24d990c264874752e6f82f09

SHA512
38de747473aee79294c79ea42b20a28e6c06938fd2419bcd7de50d4070609fdfaeaf49b8569315fccf62bfa0d16e5dd7f3389c92e3290a9ae5be6b2621ac80d4

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
320KB

MD5
0beaf9ffb175f683fe0291e9aa07246e

SHA1
9a005885cff8efe0e3c6d87e2b0c63c0ef45e07f

SHA256
6611f5c850efede12832900a1055de7e675760caf44d7328d17e5ffd141e6a87

SHA512
4c07b7898429a629dc06dcd5ca219ae9e06b87b7b301fbd19401a65e52c9528e4b12d41daace22f741101ff526a8d553520a0df8f0b2d50e18caadee42c7f41e

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
320KB

MD5
c415e99b49166d04f9749a060b559778

SHA1
0dcafaf3ddfe56be72ab874448be116e6a146dea

SHA256
ceb5828610f36f5b36929a7e31c3642e12ecd67f20a81551b057e67890de254f

SHA512
a987566e46334025d0ad5a6081adaf0e4a4742c06a9d035feb4ca088a6f1974d4c0b42bddac312e1a6b64cf61c961ff21b6be1ef02a46d7f444adc86cfe3710b

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
320KB

MD5
560ded54e595a729e22b74017310f957

SHA1
8127215864bbfbfb0e9125cf5cf5b5992d3854bf

SHA256
dc3564d95d9dc9075cf715e23053d3da1bdc25c6ece1ff2d88f756efe25bd58f

SHA512
58d873de53bc19c6f7dd60561f2082c7d60691266e0b09fdd631bcf8933a62ebd567bf7fa41e95f81a3fb936369fc67a201d403fe5e4c88533986eaac0354a58

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
320KB

MD5
8242bb2518c4be51bdcea7165db4abb6

SHA1
037e7b41416bfb326baadd3c17e2d70cd7483ab6

SHA256
dfb96f9e1471c550d904121c185286ff304783d48d78a5a8cfb04902170ff5d8

SHA512
69b40f6085d8934d19cc0766eb7216b7ad5d0dbe75534762ceb5a47b5d527078dd2427ad205369a36f9306f682bf82ee1f8960cf3df869e04aa283bd04387f4a

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
320KB

MD5
48ade459e70cbd230d42acabaf5dea9b

SHA1
1926b5893478c18c085a3c060ccc6720baec308d

SHA256
26602f39903eff08dd6a2923a9820279eed61838b47f55f529a32be67b4d5404

SHA512
ef885b02a5d9c69ef9d7c7afc5075708e30399005b67731bd34c0f1b276e5f6f58944c435900baf683f9722873b1984b6ae2f82ecea0ffd8f76cd6430c7690fc

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
320KB

MD5
57315b7ea3ba4a4fae943696db965c33

SHA1
529d5a2380729e1e02e4f93cc6b286c6265f1ae5

SHA256
ca12728a3cf6d54b6a8858ab552e6f7d09dd6f991bd9d1f57291eb8b2484431f

SHA512
5ed8ae65a419e6ac962b1da0781cb5d92fd7afde7cce8432673d224bd2f568493390cbb49c96ab5ab6954ad65df302be4ae8ca8ae6a6c1301e87a62f310f53bb

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
320KB

MD5
e06362fe1ca719fbbba8bb123a8fb4c1

SHA1
d6f4db636ca8aa697e2ca6281834700293e97097

SHA256
a594f4da4a1aefa92890c7c6f79fea614e221e52970847c775d0caac64e942c7

SHA512
837ce2df8a283f54d640bc82ee82a26580dfc26fa1f0d9b92362f16f06d1c980a876e48b3ff16dc8e9826e0644fd23591f422171d12212c15ff0103f39c3acb3

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
320KB

MD5
b10f5adfbd544f02ed134274041f2f53

SHA1
48fadd060c26604ceb8283f3a7e22b08994c6b49

SHA256
67400c2c78eb89ac8c4ce042e18d0a38702bf3a81b08939dfdf5fe8b0d6243fd

SHA512
420b02ba07c9f490b716981f1c65cf4a51d7a021e67641f78aeb074c527680eb9028e5fa2aa9683eeee579f3212d52797639d6036205aecba3240d67307bc3eb

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
320KB

MD5
6c63da2fc07246e0f97a6945a884ae11

SHA1
b2892fddba8590a0ad68fbb30c1f8ce313a013dd

SHA256
49061724b6a24e73a69706541db2adaede8f077a66a63bddd128a5e4d1dca93e

SHA512
89d03262825dd70aaad71cfb9d61e711f205f4bf054813c6cf50ca6583d88407ddaaef1d2e7979733fff9d826b6fa018773e8b4d612a1bbed09dcfbd6a84b6ab

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
320KB

MD5
4a17796a5cb9a2134a0466adeeaf6f7b

SHA1
c75c3a5f8b4f733cc5110271691d76ccad76318c

SHA256
6e0ffc60c1bc7f1d8549e2e48fa2adc9e74ef0ec68382618f7e473bb962a4f2a

SHA512
4d488e6cf4a8501d923e00af1f585591398f8d3be0391e8d6d4436192b5e5224184be67af4b9fd60f9ef591bd1672acdd38a271113fe5b19112e6f6d8dd659b4

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
320KB

MD5
e204a0a27988b8e00dc31e02ea6dded2

SHA1
0e4874a0a4e6795350a2f066c968c2776511846b

SHA256
ab5de53355572d03d7d82a831e766bbb62121b3802816cdaf99d3f75a35a5dfd

SHA512
82bf1e00d314fc128c15ef684af5383d4423a271db918fcb3e34362d143ce6e67d7ba744bec7cce5d12a40f15fdb5d9be6a9d22713ce31b43b563a1575356d0b

Download Submit
C:\Windows\SysWOW64\Lifcib32.exe

Filesize
320KB

MD5
cb68000a3622284ef713218aa9857038

SHA1
1932cccf4354e7ea5d2368a0b453da2db2503ee8

SHA256
b2533a3ca472674dc7cb4c18479fc6b74063b5ef52e2976317e38aa982cc2c5b

SHA512
9936e7d18f3e574713aa7be40232c1f9d1f5b6be7b233f80730d6ffc1d6271fab2651ec7eb14d3e23caa202de57a5c844065f7fdff019c4bea73b194acda8af2

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
320KB

MD5
4aee6d1d14606e172afdfcf9c9648692

SHA1
77e85d742014a5c52863b0962fb4f84705c20823

SHA256
99137a0b75f2c1141bb08a1307f9fa02ee145ab85dc65ba49a92aaea4f3356e2

SHA512
ba7ef3aa7428e02793fb5519dfcb9965e8ca0261dcb91d13b21085d3e18525b926dcea348c488426c6d4044576b6adeb7f560c7909af3683bd79c9e046e53b87

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
320KB

MD5
6af28eed10491322c5a00247437b0186

SHA1
53239d46f73d76e638c672708bee53620f13e4e1

SHA256
af95db0cd39aa80df032e4dd8ca27a580791f16b4acf01555ae9b3cf5fb3438a

SHA512
f3ff8c6eb350396413fc50b28415dd9603860ae6d47f717b5360cb0ca322926d7ad74d6e39b22082526ddc56f5232b48ca0e9a10360a652471615657a4552b01

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
320KB

MD5
44b1b6945fc780728782474532e0f18f

SHA1
76e6e8c036f5c316e223381df1aee3a16e7de50c

SHA256
4bb4f779f6fdd34601907580b52a4f231d0b8fd3523a704ffeb1b499191f4dd0

SHA512
42bc410c5de43148be6ab94a731eaa2d878dc8cc0d774fc01d1e474de372d0959634e2d7492793c045da3b7f42949e7d251d7d289589528401eaed70a78ec2a5

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
320KB

MD5
4702596615bf6c99013db7812690e5a7

SHA1
6aa1f3b12370e11c57af68473f825af54b1e79b0

SHA256
fe0b628faaf777a768d7cb4da458da072012f649339b2d13daf0c00d89c88277

SHA512
66d6673f3f08bef7f8a23d30b3e0a30fc2e07bebdee825dd7b4e176c6b41b4eb53f1f178f7dd0a699868073a2f75539e4563aab6c7ac3c49bcfe550a3f739c06

Download Submit
\Windows\SysWOW64\Fdiqpigl.exe

Filesize
320KB

MD5
44bbd1aa17c9428c32bdf3bfee246bad

SHA1
9cb2510513352969207c6ee1168fea462f8a5319

SHA256
5f2409e2b685a0cba58d2a7eebd2bcb3f98f20c9a9bf1b9c693e416aa21a0c79

SHA512
6b9b307e3977c0d4a5642714c57ea7c6d91b9d982b378ba6098b9a3193fcbe5e26efc55663bb6910cab3ff54d9bd1b1c45675e9bfa97bdc1365314bbd9ea7774

Download Submit
\Windows\SysWOW64\Fgocmc32.exe

Filesize
320KB

MD5
2135991da51174cbda2c6f93e3f4df04

SHA1
7d69d8501051184e30a2d281df9b8f5027b508cf

SHA256
dfe64c0945c55867dbd37e56d42a1f67a7557a9c457616a9d9491bec7c54fb20

SHA512
c8ff137428da835e255e3c00bd9670c4392be0d8a89f95b7c86c346b68060368fd0e132b0cfd7cdd28ed5df0b537180fcb31eae00f1d34bdc56dbdc24a6be25a

Download Submit
\Windows\SysWOW64\Fkqlgc32.exe

Filesize
320KB

MD5
ddf9f2f6cfc765f9cadff29903b3c3a1

SHA1
c03fb17e57c918ed5964fcc7a443bf5df16191c4

SHA256
6daeb1f6333f6172f21103a62339da8f41d1d6cb12969a4590f6f4f69517c6e5

SHA512
950740c42021fa48cfcc03b51c50e72111a4f64e79e971f094d8195b00a6e542e97c07cebf8f4485cc6730f81259a923dd6a1b19ee5f53d1fad34fb21e2953b5

Download Submit
\Windows\SysWOW64\Fpbnjjkm.exe

Filesize
320KB

MD5
23650ed7a6675aeaf3f830ce2eb9445c

SHA1
70e249d0a007ab939c906347d06884046eecf8a7

SHA256
407e71884ccf8ac3420de30492bb66fd7dac4671c45153a1b78a170e6b2c09f9

SHA512
481535ae55abc5eff682f3507b672aee086bd7235a3de3a71e115f1ee6839ee60ad832c4fa69cf003646a134aec126026e63e78fac6756cf7142989fe10a98aa

Download Submit
\Windows\SysWOW64\Gehiioaj.exe

Filesize
320KB

MD5
2b4bb8968d5872cf3b2b1aaeecbb4ce8

SHA1
87890ab36771cb0d460ced5ace9d5a0d3e614e63

SHA256
c5a790a1d84b7f643c435e2260f4ead0b8813c0d55c5b0d84745844b2785d96c

SHA512
5ed7114df4db7806176ac1d945b12e074c07cf8300605bceecfb753076cc5f3b0163a51ebc6f8a5188e2a9e0b96016ab53547046839126b4ab8024fbbe9dbdbd

Download Submit
\Windows\SysWOW64\Ghdiokbq.exe

Filesize
320KB

MD5
b10241b2c743ed64f318e9149bf5bd16

SHA1
96fdb0c252ea3e18428e32502567cf780eb83173

SHA256
ec0bb6c4777c19e0a25531b9c6b782b62ee6c285fa7cc3af5528a98826c1e0bd

SHA512
b61cd6e710a785e26108af2d41db3d944246fe8016df8d6f08009f90def7e550ecc2b6348a61151a3813ab469493c3748abc46309f0ca89a28c43d655e12a995

Download Submit
\Windows\SysWOW64\Gkgoff32.exe

Filesize
320KB

MD5
fcec059abd8ef00983388414caf34072

SHA1
5f20c604ea1c996846be763a761f6a9e1fc9e52e

SHA256
db83c4ba315144c3f48ac8c769c584699f4179ee4361b64ed18f47e634c112c0

SHA512
1d4a18f6d4a984d8118aa80310111ade606a0bacec68bb4d4d0c544b00f7a0796f889e25e2c7904557a0d4df1d6a5b2bf04951a6b3c195eef5d139a9aca27448

Download Submit
\Windows\SysWOW64\Gncnmane.exe

Filesize
320KB

MD5
78125fe6c36d79257aacc18df2721c61

SHA1
45c468b96eef2f7f19bcb5fc2127bebd39ba5d71

SHA256
ee79d5060b239bebd1f4b3f44e92904f7508bf6f0facf94b78c10163d967342d

SHA512
693c0f14e0f813bdab8d1fae722727729ad93e809c3b4a6b39610757532e23aba7184f4f3d1af572d2cc455010db056c4aace2d8238b9abb008801a4f6453b0a

Download Submit
\Windows\SysWOW64\Gpidki32.exe

Filesize
320KB

MD5
1314f3a7af6856fa0f6e14cbdd4ef2e9

SHA1
8bca90864a09ab48784e57e6c167ccc73fbdf523

SHA256
233c92b83af2e3cd0a8bd5a7f4199fc5ae5cf9635702e2839369f6e699f9ba54

SHA512
9b1632daeb78fa6b985b8f769231f24243dbcb9154a85aa14d24cd489e56988bb630931779de4e3c8f60558aa7c9841c37fc4c290aa35c54475f9aea2c4ffc57

Download Submit
\Windows\SysWOW64\Hcgmfgfd.exe

Filesize
320KB

MD5
b9fce4627d0b7ba87839c09ea686d202

SHA1
44b8dc78903d5cd4f150364532a2bb10c84a5175

SHA256
9116055ee34ae299948ef01c71d1d11d1c5078902e46251220c32361b3ce0c94

SHA512
0147a438ea68a1204cf7b0c25191134cece3fa9827ed0a28e2f1a8dd58c2969d0c3cbb5c0002302380fb0f76fbb8953acea715cda4745ad0849b0f19afcb3735

Download Submit
\Windows\SysWOW64\Hcjilgdb.exe

Filesize
320KB

MD5
05656b02e86f1a5e60f1048966ec6b4e

SHA1
195d20da616a3230aa10f60cdc98fa94818616d3

SHA256
920a62f7b61bd2043224a2fa350781aa3f709fda66f90c74c13e9fe18ac5f479

SHA512
eda04ca1dcfa4181db07ffff8258e6270e0b640c97c0515745ad5ee9763f1b22466fcd8f03fda75b76968bc780304dacf373beb579418195b54a79998f53fa0c

Download Submit
\Windows\SysWOW64\Hklhae32.exe

Filesize
320KB

MD5
fa0c60c81e10fb8444f469677d873103

SHA1
9abb8f7954c3a475853b008b1708fd4946a48d73

SHA256
97c71f2f41dada0bb44a156428da3177dd96ad0a2158405baf7543d04bd54387

SHA512
dda9d1c18f2fa3754f6a314d974c33e4c287a0711a14603d27718d459f370294f138d5ee799adc573d88ab7008cc396493c89db0d105acbd0cc2f1e420b38635

Download Submit
memory/268-205-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/268-204-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/268-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-116-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/540-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-172-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/588-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/588-143-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/800-135-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1176-300-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1176-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-301-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1308-487-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1308-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-465-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1360-466-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1524-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-455-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1624-454-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1668-90-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1668-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-266-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1832-432-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1832-433-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1832-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-290-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1960-289-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1972-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-279-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2064-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-234-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2068-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-233-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2156-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-17-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2160-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-400-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2192-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-399-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2200-184-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2208-377-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2208-378-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2208-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-407-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2220-411-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2224-103-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2316-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-249-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2444-426-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2444-425-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2444-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-315-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2480-316-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2480-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-259-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2528-443-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2528-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-444-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2548-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-367-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2548-366-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2560-344-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2560-345-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2560-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-81-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2656-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-360-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2656-359-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2712-46-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2712-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-33-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2716-53-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2716-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-61-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2788-338-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2788-339-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2788-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-323-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2804-322-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2804-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-163-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/2952-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-476-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2952-477-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2988-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-389-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2988-388-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads