12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe
Size

67KB
MD5

d84d15314bd0d2093c13d76e69ee3131
SHA1

cdc6b84da16016e29e1daa92786580106373dbb6
SHA256

12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b
SHA512

4013a053a28c4d392563b750ca22234f6050a88e583890742b97b1f4b43e4f6d6ab124571ebc91676f255c9b324a18692b6138d3b5d88aecaacba1df5eaa1927
SSDEEP

1536:reNnMIHWlcf+hPuW9PIjsJifTduD4oTxw:re9wC+hGW6jsJibdMTxw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqbneq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgapmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infhebbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqpapacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djegekil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe

Executes dropped EXE 64 IoCs

pid	Process
1376	Bpjmph32.exe
4476	Bgdemb32.exe
3836	Cmnnimak.exe
428	Cdhffg32.exe
3504	Cgfbbb32.exe
1920	Cmpjoloh.exe
3076	Cdjblf32.exe
840	Cigkdmel.exe
3376	Cdmoafdb.exe
2776	Ciihjmcj.exe
1768	Caqpkjcl.exe
1820	Cildom32.exe
3444	Cpfmlghd.exe
1932	Ccdihbgg.exe
3224	Ddcebe32.exe
3624	Dgbanq32.exe
5040	Dahfkimd.exe
4056	Dkpjdo32.exe
1624	Dnngpj32.exe
1396	Dkbgjo32.exe
224	Djegekil.exe
5044	Djgdkk32.exe
4168	Ddmhhd32.exe
2440	Ejjaqk32.exe
5112	Ecbeip32.exe
3992	Ekimjn32.exe
2960	Ejlnfjbd.exe
2264	Epffbd32.exe
1356	Ecdbop32.exe
1004	Egpnooan.exe
2208	Ecgodpgb.exe
3304	Egbken32.exe
4740	Ekngemhd.exe
4396	Ecikjoep.exe
3888	Ejccgi32.exe
4748	Eajlhg32.exe
2988	Fggdpnkf.exe
184	Fkcpql32.exe
3088	Fdkdibjp.exe
2852	Fgiaemic.exe
3464	Fboecfii.exe
5100	Fglnkm32.exe
1132	Fnffhgon.exe
4288	Fcbnpnme.exe
2356	Fnhbmgmk.exe
4148	Fcekfnkb.exe
4324	Fjocbhbo.exe
4440	Fbfkceca.exe
3832	Gbhhieao.exe
1380	Ggepalof.exe
4012	Gclafmej.exe
1176	Gqpapacd.exe
632	Gqbneq32.exe
4656	Gkhbbi32.exe
948	Hqdkkp32.exe
3712	Hkjohi32.exe
1652	Hebcao32.exe
4828	Hgapmj32.exe
4036	Hjolie32.exe
208	Hbfdjc32.exe
396	Hchqbkkm.exe
1580	Hjaioe32.exe
1180	Hjdedepg.exe
3884	Hannao32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eemeqinf.dll	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Ddmhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Dahfkimd.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Ejahec32.dll	Hannao32.exe
File created	C:\Windows\SysWOW64\Ilkhog32.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Iapjgo32.exe	Hjfbjdnd.exe
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Hqdkkp32.exe	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Djgdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	Dahfkimd.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Dadeofnh.dll	Hbfdjc32.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Epffbd32.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Iccpniqp.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Ecdbop32.exe	Epffbd32.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Keceoj32.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Kqcdne32.dll	Hqdkkp32.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hjolie32.exe
File created	C:\Windows\SysWOW64\Qfmjjmdm.dll	Hchqbkkm.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lkqgno32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Jdinng32.dll	Gclafmej.exe
File created	C:\Windows\SysWOW64\Jopaaj32.dll	Iapjgo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5476	5352	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqpapacd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqbneq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqdkkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hebcao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaioe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhbbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjolie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgapmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqpapacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll"	12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqdkkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahec32.dll"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqbneq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkhbbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdedgjno.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll"	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfbjdnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djegekil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcdne32.dll"	Hqdkkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadeofnh.dll"	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1376	1320	12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe	90
PID 1320 wrote to memory of 1376	1320	12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe	90
PID 1320 wrote to memory of 1376	1320	12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe	90
PID 1376 wrote to memory of 4476	1376	Bpjmph32.exe	91
PID 1376 wrote to memory of 4476	1376	Bpjmph32.exe	91
PID 1376 wrote to memory of 4476	1376	Bpjmph32.exe	91
PID 4476 wrote to memory of 3836	4476	Bgdemb32.exe	92
PID 4476 wrote to memory of 3836	4476	Bgdemb32.exe	92
PID 4476 wrote to memory of 3836	4476	Bgdemb32.exe	92
PID 3836 wrote to memory of 428	3836	Cmnnimak.exe	93
PID 3836 wrote to memory of 428	3836	Cmnnimak.exe	93
PID 3836 wrote to memory of 428	3836	Cmnnimak.exe	93
PID 428 wrote to memory of 3504	428	Cdhffg32.exe	94
PID 428 wrote to memory of 3504	428	Cdhffg32.exe	94
PID 428 wrote to memory of 3504	428	Cdhffg32.exe	94
PID 3504 wrote to memory of 1920	3504	Cgfbbb32.exe	96
PID 3504 wrote to memory of 1920	3504	Cgfbbb32.exe	96
PID 3504 wrote to memory of 1920	3504	Cgfbbb32.exe	96
PID 1920 wrote to memory of 3076	1920	Cmpjoloh.exe	97
PID 1920 wrote to memory of 3076	1920	Cmpjoloh.exe	97
PID 1920 wrote to memory of 3076	1920	Cmpjoloh.exe	97
PID 3076 wrote to memory of 840	3076	Cdjblf32.exe	98
PID 3076 wrote to memory of 840	3076	Cdjblf32.exe	98
PID 3076 wrote to memory of 840	3076	Cdjblf32.exe	98
PID 840 wrote to memory of 3376	840	Cigkdmel.exe	100
PID 840 wrote to memory of 3376	840	Cigkdmel.exe	100
PID 840 wrote to memory of 3376	840	Cigkdmel.exe	100
PID 3376 wrote to memory of 2776	3376	Cdmoafdb.exe	101
PID 3376 wrote to memory of 2776	3376	Cdmoafdb.exe	101
PID 3376 wrote to memory of 2776	3376	Cdmoafdb.exe	101
PID 2776 wrote to memory of 1768	2776	Ciihjmcj.exe	102
PID 2776 wrote to memory of 1768	2776	Ciihjmcj.exe	102
PID 2776 wrote to memory of 1768	2776	Ciihjmcj.exe	102
PID 1768 wrote to memory of 1820	1768	Caqpkjcl.exe	103
PID 1768 wrote to memory of 1820	1768	Caqpkjcl.exe	103
PID 1768 wrote to memory of 1820	1768	Caqpkjcl.exe	103
PID 1820 wrote to memory of 3444	1820	Cildom32.exe	104
PID 1820 wrote to memory of 3444	1820	Cildom32.exe	104
PID 1820 wrote to memory of 3444	1820	Cildom32.exe	104
PID 3444 wrote to memory of 1932	3444	Cpfmlghd.exe	106
PID 3444 wrote to memory of 1932	3444	Cpfmlghd.exe	106
PID 3444 wrote to memory of 1932	3444	Cpfmlghd.exe	106
PID 1932 wrote to memory of 3224	1932	Ccdihbgg.exe	107
PID 1932 wrote to memory of 3224	1932	Ccdihbgg.exe	107
PID 1932 wrote to memory of 3224	1932	Ccdihbgg.exe	107
PID 3224 wrote to memory of 3624	3224	Ddcebe32.exe	108
PID 3224 wrote to memory of 3624	3224	Ddcebe32.exe	108
PID 3224 wrote to memory of 3624	3224	Ddcebe32.exe	108
PID 3624 wrote to memory of 5040	3624	Dgbanq32.exe	109
PID 3624 wrote to memory of 5040	3624	Dgbanq32.exe	109
PID 3624 wrote to memory of 5040	3624	Dgbanq32.exe	109
PID 5040 wrote to memory of 4056	5040	Dahfkimd.exe	110
PID 5040 wrote to memory of 4056	5040	Dahfkimd.exe	110
PID 5040 wrote to memory of 4056	5040	Dahfkimd.exe	110
PID 4056 wrote to memory of 1624	4056	Dkpjdo32.exe	111
PID 4056 wrote to memory of 1624	4056	Dkpjdo32.exe	111
PID 4056 wrote to memory of 1624	4056	Dkpjdo32.exe	111
PID 1624 wrote to memory of 1396	1624	Dnngpj32.exe	112
PID 1624 wrote to memory of 1396	1624	Dnngpj32.exe	112
PID 1624 wrote to memory of 1396	1624	Dnngpj32.exe	112
PID 1396 wrote to memory of 224	1396	Dkbgjo32.exe	113
PID 1396 wrote to memory of 224	1396	Dkbgjo32.exe	113
PID 1396 wrote to memory of 224	1396	Dkbgjo32.exe	113
PID 224 wrote to memory of 5044	224	Djegekil.exe	114

C:\Users\Admin\AppData\Local\Temp\12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe
"C:\Users\Admin\AppData\Local\Temp\12da461d51b430870995f114df882ac61115186915bd47673f94f7cc12e26a6b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Bpjmph32.exe
  C:\Windows\system32\Bpjmph32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\Bgdemb32.exe
    C:\Windows\system32\Bgdemb32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\Cmnnimak.exe
      C:\Windows\system32\Cmnnimak.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        39⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        67⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        75⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        88⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        92⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 400
        99⤵
        Program crash
        
        PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5352 -ip 5352
1⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
67KB

MD5
e24b5b6005e25a94bbba2371dbb8e511

SHA1
03711a93a63534b6479f3ea34aa39f7a545fc300

SHA256
ce9988028227d48dd350902c6e33f144e5d670725b9572d5ddb79de312e2078b

SHA512
d2bedea4e8bb00b9658742693667bd96092d389b5deb4b35a1634ce94a58378591d6e9f3d847b2d399695a578e0e72f611bb5be82f356a01c4a0321f86b0dac8

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
67KB

MD5
ad7ffdd14d4f0c3b1934e83d58189c86

SHA1
8196979b2fec7abe48682104a28c02b04b957bf2

SHA256
34a39168ae1ba3aa7ae8135f37b22227e318a76d89166a016347973bfc3c36ff

SHA512
e632ac27ad0dca00f02a08e1f1fff390269e86e64e2932a6ac9de2b8aa6294b5f60143aba0d6f41721837871dfcd46107f674027f072305fcccceaad2b0d8871

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
67KB

MD5
199a13f1d41d90c205a313f53b3c702d

SHA1
43394b622a3937dd6491e84f5c5e0fa2abdaf566

SHA256
87f7d340308951edcb1003c65074b58c105827c60d2284d0d2d3fe3eda7ba678

SHA512
dc7a19673db32e96733d7a0bd1949a0e24d9cbb244177e6ae19d7b2e37697fff46ae17d80318259834c8dc27e96514f15fd4821e6f3eb0c0513a57b43f9c34c3

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
67KB

MD5
83fd5727bad038c8a47039238901650a

SHA1
804c2ef0941652936e414ffd53bb05e17f94e83b

SHA256
deec48d9b50cd41b190d93ea54805f1cbe4c5ff305916f144184d51b2e3d61eb

SHA512
aaab9abf3e427d374609a2498e890e9a33cae38d8a1e90f1151e7ec52f7289726fbce14c0d179f2917a628ee24b7f1eb2d9fad6f2983f23cc25ca9077b437d69

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
67KB

MD5
aa2cc05dcb84c7ba9afe34ce4ab86ab9

SHA1
2301af3843fd2db1ade0cc0f434f2d54ffbeeafb

SHA256
803c1e7c8919941d3e276a4d8d0db999382cca5e323212e63c3866688dc13492

SHA512
f521e3b150e7748e087ac57a70df07e61d330ad9bdedafaf6da867225a54b8e8c249587ff63af7c352439010c9d441995e3d6e2b1a09d478f56425d5785ff404

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
67KB

MD5
3ca09284ea2a57f9d1ad1d7cb2d01772

SHA1
2f8795f11593cfff4e1f55901dc357bd1ca2b696

SHA256
9383b55d542493e49420d57e065607e31dd278fe3e0100f71dc9a01bbcffe50c

SHA512
f3ba8b850ec197718ec843efdbb3e794191f5a56ef7c1b61eb03c4bfb12e67cc2c4cee052d8b0f986ff6585f5082aee1c71cdcd7c6a0a08cf5f6779eacfca64b

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
67KB

MD5
9dfe7d07e2b4b2f01738f24597d5cfdf

SHA1
ae814cc79d99cb053f987dc74f05397fcaa05b32

SHA256
125989b5a8db5ee93ee6a4a40f2b62a77dc90b94e300f9db0e78fc34e6289823

SHA512
5b48221bd2c6616770f289de9beab3ff93210fe7c133cee871185b3c2fd8cfd98a55b1b2009d8e751a0ae2b084fa6a8d0f1764bb3019e129ae511a7f64a44de8

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
67KB

MD5
08a2946a1258a158e10969533353d3a6

SHA1
21fc3d8396678cdca9e4b0232b3224fc10620afa

SHA256
fc132ccf4af6e8072ac36420bf7a8ec0ae515bdb171cf0ba102329977122f2b3

SHA512
e2dcfff04e66582c57b27d626d2ed30e208d712d311037103736cefd4a1912e7797b2070ee58aa2a2ec79a1c8ca3e22f1067ce227867ccd3071d31dd94eed647

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
67KB

MD5
21ca825e15078bea62d1d8904cf85954

SHA1
b3e1d2e2ea2547313e7f38207540e79abd68ae09

SHA256
186dab19004950e4394280bf2ad128e0196def06163a9c733426fffd7617c825

SHA512
7aee395896b02a4f6316033ef2ee840b932b9ec65f10b766babf0af3e0443843ae55990ce375c209dbeae842bbc4898db12a09753a0cb64a5d3ac629c1f1323e

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
67KB

MD5
086efab2cc58ff4d846f077365b635ea

SHA1
46453876234ccfcdb5258a605a975e76e794bb23

SHA256
bbeb971a6a407ea75c4f29d7f85becdf25c013207ae3fc744e3c27d3294f5ac9

SHA512
86ff54c538460ce8fe1ddc4ba32132798b5dc1725bd79d259c9bfda13b1a703c5d66e9ded753a88a6a7f876dded5295aaf90203ab131c61c3c77ce90acc5bee9

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
67KB

MD5
38d3da604920a45ce106ab564b0baa73

SHA1
70a8e5b1216800dd51b3ae9f4a86ee3ea41c338d

SHA256
e6d175b411a1cb37d2494f422d7a235e92d30a5bf1d329b3032f63fdb1fb4ce1

SHA512
ef35561c67d7ec1d2591621cc52a5d08be98006e8838b8fd4f12090607afffa16523e5bf7fddcdbcc1b24e0a2a0fa169669af3e0e32467b909023551fe3aa0db

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
67KB

MD5
fe5d46a52e8ca5c95e37b9eb9f9862d8

SHA1
4558d98a91ff25141659c2edff13f7a28b09831e

SHA256
3d4f7c9532c007c7275c1c236e23d2697baa2e650aa7ed89e0b0d3cec6e5cd8f

SHA512
6be5e5f5705a1e8688f2abcd8597e9f5e6a0f03753cebed87162128f07f358ed3dbb0323d959d505bf6240fdc0abe3557fc8f6d96fbdc7295a8643c4f1d89ece

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
67KB

MD5
0f74114fe6d139d8f4672bed818246be

SHA1
bf232f3ddcda720b4203adab97b75b4932a1138c

SHA256
85d75813a1f52bc7c4abead9b9421d4eb05b05ad7162f8b76c9b10e6822b6664

SHA512
c5dfd16ccda95ecb11bb9afd1e9260e682dba0715691865412202f6cba2242eba512fd423308aaa0e2668301755b674a5831eef5a1bf186f740921a8e8bb7914

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
67KB

MD5
5e7f073178cd779296eddd14a2bbd9ad

SHA1
9d0260a9f27b92fc699b2507459dd3a8b175803c

SHA256
2899e928e811954c31ed3f03c640c75c2f0e6e4815b727851d913c8505bc6a0b

SHA512
0a8a5ac5c9cc9b44b307f6d39fec2f1c57f2e10220b33e94375b086924c233f291a059af22b6a559f0d8e41dde4dddda758ebd79c12b2f14f9d5aa7fe72a0189

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
67KB

MD5
7cdbf92d1aaa853c21aa5c082e007bda

SHA1
fc84b73d3260e1becf73fb147ea1e5d388dbf3e8

SHA256
aa276434038e4f9b2050d7febcad76135ade36bf2164da0e5d7e722d7a54e303

SHA512
b867713463626a1195d21b09b9dc95b5d70d81fb56642523b48d396c367fdf6bba08f860fdf706c4b2e1b5c14043bf0e9f823d5f0dc53143e08095e490c59869

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
67KB

MD5
2b1e470c5e70ffcaf300f2d1e6968d94

SHA1
76576da80a9ac1f0a9eac08d6d45117e6fb009cc

SHA256
ddd29ca7ecafa7a1f805d5de251d7686cba3d072c4fd937c2bf8f3a520aeaa1f

SHA512
f7ada7c05c996c486484766c12f87a9c1cc7c93c0182b43b32b41b032b88788da249f7a65acb020ec154c989093fe26ac454d8089329cface2464c2a837ee5f6

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
67KB

MD5
188e9d4a94c74e2d747c4e6d2bb191df

SHA1
2f8a5ae5343fc864c93869a2cc1e39958c0a5e33

SHA256
f7be81da97c2f7218a88ccfd132687d0540d09f330f572b3c7daba0cf77a5b5a

SHA512
97924f3909f31e450c2487678d56af028fe85c4077b9867b1738314164f13247a71f9aa21570a2c9ea4cd5384663f11cbb8943d58eb81f705f6207ba82a47fc1

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
67KB

MD5
5b9be861f6ebf932b96f8dce239c8c64

SHA1
6aedbfb0154a02f77a050572698155aa9746c592

SHA256
f79a1d12c4a3d01664f1a836905de52c39d932205b3f82456d99d71d4fa069dd

SHA512
144288eb28c02afab9ab5977b32eb3821818516450d47325d12d192ba430b6ff370452ce6b45a1fef4c49f6d909084d687bb977b3455a06b8525132c103c5b8b

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
67KB

MD5
e5332d193aed8345daa9264e80937945

SHA1
861a8ea8dd15b31d5927f4aa1ffc9fc083f324fc

SHA256
42d0b12147304381d5726f79bfa09d198dbbbe19ce79456b166ea9f45e17f185

SHA512
c9062f33bd3ed192552534678cfe171447443b2045c92fefa0d71959aeb50c2f86b5c3db3d0a2480256fd028d4aee71d2ab150fce1085a6f4323b641b189b294

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
67KB

MD5
402ac67d55425a9949f79b09d2774e4b

SHA1
9c0f48e4d1f4629aac9411496fbe381173765ec0

SHA256
561e4ecc0217478861c5ad981f373cf7eed03ce3733b24c6c411f9f259aea933

SHA512
893eede7e4ba8d805b6264eeb845065cb67d5664a66498b0dfeaaaf92095eed3283bbdae1ccea2cc712c687525527417fde76041e482481824a6de81c8c3d64c

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
67KB

MD5
df81e6594411ad7f5e65ef6d35777d83

SHA1
a9aefd2604b345efe7104cbfc9c668e7eaa354ae

SHA256
831da4e9b2b509051f8a414403b6c8af0856e0d65854291ac9139b119e72f96b

SHA512
1a6dfc380aec228a4ed0735f54190104cc3a977a1ab6753ea1517cb902cb739fdd3b688ac9f80fbba5cd784436f3cd0a53d533cbd81ee8935aab0fd047243f26

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
67KB

MD5
5572a57eac50ee8d24c766659f1c4c7c

SHA1
c231a88dec8b8078120fbca38f1b97ba40041f35

SHA256
34785ca86c846210152112d4bd080fed67b60fe0bb9f34751d29e32dc9f3db54

SHA512
6c5712d9467fc1132d9a051ddb6b740a2331e77ce39fef0a98c5c420504d9ef151938e2e93579e16b9e67ab2943b46d2b7c88fb5107493f60027ff7aea15533c

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
67KB

MD5
4d704c011f6ee8e0234a3aa1301c2524

SHA1
b05f50b224544e7cb91cb901ad720beac60b6dd2

SHA256
a5984ff53ee4e1d94c93e02e02340a818b8ba45bdb3a75066c379ef4fc2a8540

SHA512
a10dd762e5d14d7c717ae3cc1727ca2a8b36e415c249871fd9ff1a67ddeeaa5426669a95e4e8ba566bd2ff25b499233de57c0cf837c7776a9b5ae3b814d9764d

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
67KB

MD5
75fd6d26c6d0eff48678da01418a4fbf

SHA1
6249a5f4451014ba106cbca2a06ff4c703b332a2

SHA256
f6387e9eb69975adff3560c5bf692f9e5219d81b879e54555d7c6232d7cbcc46

SHA512
0c42de60a6afd3923a49ca1566e91c6a6827c9d8b3c195095802b9848fd0afd753a7e31fd30d9d900584261c17d7c19cba154a5bbed714f9f3bef7ebc902ec8d

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
67KB

MD5
87a66115714736c38dec93f8731cbd4c

SHA1
c0fb4aef7b6c6f45cfb9d58392d72d802b42d1a3

SHA256
a1ddb6b78d28b7dc28828962d8ba7614e6854f1714e4b7878ece0878bcfcccfa

SHA512
94e4ae8ab994af184c990c52e25ae4d0b81fd59734fbf01e62f96f8677b40eeddd34cde2291445bd23e68f1fc6b9a8d0e64f807a5e5c9c0331c2450caec439b9

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
67KB

MD5
35706175e6a280eceaeb096488d5b710

SHA1
3e9fcfbaba3081b51c41930570d389c6cc97415c

SHA256
8ff24c11bf1add81ea3543024d550765ff900674459391bdc455ddb7bcb09f35

SHA512
521666e170a148ac1963e8a85347d97ff92884940831d3102b106e89590667cc90186bff463269a942ef25a1a1262392e9885441607f9465307277eba3eb352a

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
67KB

MD5
45512383fcc0a17d6db5a0665ca3401e

SHA1
58d7d7154a91be2d6a65846537dd33629c6d10d8

SHA256
58f8650b7eaee8d24fdbe41f2c95c418fc90f771f321f1d8a44533cc8f1c6367

SHA512
65d62380aa0f01055eb00639961b5bd203277ba25f2330028334de612709faea024f251761eafe2b45efef07b6fa905ce92b29b4007030f0bf0d378c3cf1a89d

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
67KB

MD5
8bcfdcc81a9025cd63d5a198b5f54a2b

SHA1
4d485609888f85b818f6127fb2d004fce3086157

SHA256
aece85b6d86dca8fea26bfba6d917049145de61a152c0418f2a500eb1a7a5c0e

SHA512
3694156d8bb1b665efa3bd66de92855aefb6e1e12b953c3fd28c167602311d7fbc53e81cbce0ee1d7640abc40d5356deb482681461f3e0b378d7ce0ff678da79

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
67KB

MD5
9f403fa89cb4617810c55eb0207f12cf

SHA1
72bb2c8212f0784ce2c498536209c2bb884f6082

SHA256
d2165b856a8ff868f554d99ff7f87c974e79146bb014f8c454a0e0f7b9159258

SHA512
8ffdf4663ef2a5a66669f8bd88c1b4072f46b5cb96289469c57606bb925b248e56e51dd02757c38a8b401c7aebf51f46ae8673e042c7a4415e9d7e61f87b756f

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
67KB

MD5
baab9098cdd5029fe3aba91ab07fa94c

SHA1
b0e52f4b1482570ef380a4ece87bf4f7f82d3305

SHA256
d5f6b0b24d46e4679eb18aaad08c3a626f31adf2969d206e84acd557b044997d

SHA512
89d31377ac46bc8e4ba8cdfe70ce7a990eff4f87c270e75c88e27e29acfd106051110a0f7cd5cbc1e3c23c311c1b2c936c84987d865659fd7943830a5b0b1eb0

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
67KB

MD5
63fa997fc545e7380bb7975aad077485

SHA1
a61acd4abc1e0955535536cb15637e6e3c5b86c7

SHA256
dcb08b6c835dc9463fb1e3baf532c0ab41a3f8001b38e11895cf046f95f98a4f

SHA512
65c9af16491997ba54bb0221db5a888975559d31cec32fb8c3aecd2a0d889422a7180b1328104de5ad770b6bedccd5daa472433ed7090c0b440627a63e03e312

Download Submit
C:\Windows\SysWOW64\Epffbd32.exe

Filesize
67KB

MD5
fb773978ee627133dcb02313b9aba60d

SHA1
7a49fc55757c5b74f53636bed2b2b6e11c48bef2

SHA256
484d06ddd78a7eea49c50c8e9f44562a68fdf07dfc371359ac9d9e989fe72e16

SHA512
a419d179081346146dec4bbc88bd60a30bddb28a24db69cdb59bee4c1e166e670ed6f52664c078490b928bcfd3d0d3e166c280d31455a599c9d74d56bf9f0bf0

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
67KB

MD5
2c361d92faff787ee1511da147e94f47

SHA1
e5dfae0d5a9ceaead7950a1291fa592f9a3d6465

SHA256
64b9a714fc6794de3c8b549aad2338c7908d4915fad76546f54cc7073eb1e7f1

SHA512
a1ccfe93391e1255275d06e46d79bf844901b91de4f7f549b6b19065c45a174c75f1f18c1cba5ef7b7c60e3074d9bdb20d63064596789f712116bc89fe498402

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
67KB

MD5
a4854768467a73ca6238971255545f24

SHA1
55b8240a9ebfcc0b41d8758c36172c30e0a59450

SHA256
7657b0c7ed6f2fc0904b112bd9b53f6975e39c90b1619f9f094e10da52b61feb

SHA512
5dea84c3b254f9c61d28e1b5c952369e167132d8f496c8ed0fb660f4d22814213332ac3564f6870d9fc7d14f98b1961d4379c7da440b35b44a1c7fa85f37a1ad

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
67KB

MD5
cd770bebb7cb3d5734d931806d3d3e60

SHA1
22be69a424172de94463b64ae629059fb49d425e

SHA256
98be128c7908fcbd7d705c62fd0d647ed51e92611cd2b29d42b82669b6b81664

SHA512
5f5d42db942f4f4c9fbc7a998d50b1f4edf6342d1cbfb74fc1faac9116ac0f2c26c07181338dab9a823ebadb2b5afdcb6cb2f92c15266ca07199b4120269f361

Download Submit
C:\Windows\SysWOW64\Hjaioe32.exe

Filesize
67KB

MD5
ac7cbd121836f9fba934ae2eed7cc075

SHA1
0342f3246e55006146ea3c49e7c16cc370ff3501

SHA256
12df8023afd0313fe52659768a50470113f27d4b397cc5752dd1167d4d328a01

SHA512
6fce11f61785f926e35682b6b2724be096c1aa0a55daa7935d20bf96a0f917048ac145d599777e200e397fa18bc265bfc9719e3625870add86234b1afdffddbf

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
67KB

MD5
2b71fe2fde46c9bf7b322cdc7032e041

SHA1
a1d2bd17be35c4afc5b9b1e8e1b9fd17a4fedfd2

SHA256
ee916cd3d1eb827d601c8f985612a7d9d48338f03614cce6b603ce1f4c2a8252

SHA512
2fc8a6817d224fdc0ae1e8acc8e7fad0808a857f42a64f3313c950e2de71ef79ca6e5a70c595a9aff04818f3c8de5c35e2fa30198ae1efcdeb40b89373c8d240

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
67KB

MD5
d3561e92ca24a38c48396dfe23555da1

SHA1
1328285c29277ac0aaeaf084b3dcfec00fb712a1

SHA256
317c324343b4341d7bee34e36b83c215a04bd9796777b097f4a9ded8a122b643

SHA512
52deb342b5c3fefb4598df77c7d4b675ac2b6f1be25713a419d609e2ab8a8f1710d17f154931939674dbd0849a504631ea55663c6d693f31b4bd866250c508e4

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
67KB

MD5
383ec7996f184194eeabd684ec3f0219

SHA1
2a2d5fd51b27f335c0834b9a05111d20a326219a

SHA256
a1bec63bcb2952fb6b01db3ac8d5b19fdb764dee7e08b54c297a17c0828478f8

SHA512
8646fe374fa049724dffa3b89c9c8da5b7d4153cb034b5d6e7c30b83964c1028773b610dfb54d9845b2e24e2a0e7dc44cf03c2569139c659fa381d6bb9801f01

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
67KB

MD5
add47cff4ecab11347a3d02c0bb89fe3

SHA1
d9c3e263b649e632eb1fc056e74d02004c6aadc1

SHA256
7a3e028b8751d7dc5f2bdec858c8e4e58de963dd0052bd7f2bbee2a0571239a1

SHA512
9b74d237390f8e2c3660dd0e10403b63dc45e9b52eed258d5ce881ced31ef55efd803cbaf852c4a84301e2eb093994b1ee643ec116c42a24063b69dbb040b1f1

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
67KB

MD5
188f55b2bcfe245c3b22524669782e92

SHA1
3b45ee9d438e0946ce5166faca38727e598d155a

SHA256
4e379c5a3809aff20bd63cbf2dedf921dda2ff3c05fddc7f464355607aaf67c7

SHA512
c7e2567f424933af105730af8d2b0156abe7e02551d2dbf9893f40e7efccd8430833232be655d74f17d8aefe5c29fcebb92a02491f99010668013c8f9aff0501

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
67KB

MD5
ea36f6d5bf935c20a2b9229b86fa234d

SHA1
0db5e0874b47b4fa4a7494d1d39e932ac9bfa7a1

SHA256
03c8821b7ee0a661fefd771bc9f7d424ed86bc19080443aa66504ee0ca1f4f05

SHA512
f8804b1ea5201196799cb9dd936e27589095c2d3d9c99e78ee0dd7506346ea28b4686a64a1ea2b5678749088bb3fc6ee552d307c1f578982b3c1c000527c21da

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
67KB

MD5
37a2df9556783ef2518494ebc1c597f1

SHA1
bf96aa3f5c4c2fb3c6b9f336037f4842c04a4387

SHA256
0112fca45dbb905427f6fbbfc5fd1020d3cbb9c5b142d2c6da63994c58b81f33

SHA512
d231f81d328cf175b8347d03a9fe695e1b85d8fbf78e3694db3ac80d47dce71bb8372ac0b5f437aa6760744253cdf57f61aec8d192c695a2e8a0032dec7a88d8

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
67KB

MD5
c600d1f44749234a455e069de3c17915

SHA1
994ccd4d64bcfd0fd59ff37a73aa2709e94f51ec

SHA256
714f3fa3db54f71d4168d5f32e6bce4fe95b1f2bc2c80ea16320ae76dc12b861

SHA512
43bfc54dcdb4d644707a554e37aecbc2e59239210db7582eae23976d2621912f00129813fa4534d9b1e05a15412ecaf0393fa10e2eeca63a39afb0aed5b22d8a

Download Submit
memory/184-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/224-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/224-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/428-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/428-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/632-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/840-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/840-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/948-432-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1004-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1004-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1132-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1132-351-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1176-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1356-258-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1376-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1376-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1768-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1768-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1932-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1932-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2208-338-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2208-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2264-257-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2356-431-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2356-365-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2440-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2440-308-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2776-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2776-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-396-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2988-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3076-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3076-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3088-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3088-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3224-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3224-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3376-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3376-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3444-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3444-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3464-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3464-403-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3504-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3504-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3624-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3624-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3712-439-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3832-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3888-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3888-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3992-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4012-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4056-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4056-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4148-438-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4148-371-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4396-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4396-357-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4440-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4656-425-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4740-288-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4748-309-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5040-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-410-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5112-315-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5112-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads