c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0

Analysis

max time kernel
34s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Size

109KB
MD5

78fe32cf4d6577934702361d59982f33
SHA1

c22635082620ee0c20115393b5f6db3461442f9f
SHA256

c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0
SHA512

457767ad800b58c4237b4e3bed0957bccac2795cf03b8934804978c350aab684f6a87a672f2b0ac1f06d6ff085943d21b2ac295cf3d207b40af64f48c1ec1033
SSDEEP

3072:AUnIzujIHsSgPK8fo3PXl9Z7S/yCsKh2EzZA/z:AUnIzbsSQKgo35e/yCthvUz

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpjhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Degqka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Effidg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdjfmolo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkancm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emnelbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effidg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfiofefm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjkdoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dabkla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmecm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdjfmolo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Homfboco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Homfboco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmecm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdmcbojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkancm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjkdoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbmnjenb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efdmohmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnelbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkmhij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkbadifn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnimeg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjhcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbmnjenb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkbadifn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Degqka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efbpihoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmhij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnimeg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabkla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ginefe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfiofefm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efbpihoo.exe

Executes dropped EXE 20 IoCs

pid	Process
2192	Dpjhcj32.exe
1724	Degqka32.exe
2428	Dbmnjenb.exe
2876	Dabkla32.exe
2744	Efbpihoo.exe
2856	Efdmohmm.exe
2648	Emnelbdi.exe
1784	Effidg32.exe
2916	Fkmhij32.exe
2696	Flmecm32.exe
800	Fkbadifn.exe
1844	Fdjfmolo.exe
2200	Gdmcbojl.exe
3032	Ginefe32.exe
1028	Gkancm32.exe
2532	Hfiofefm.exe
236	Hjkdoh32.exe
2412	Hnimeg32.exe
2252	Homfboco.exe
2080	Iqmcmaja.exe

Loads dropped DLL 44 IoCs

pid	Process
2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
2192	Dpjhcj32.exe
2192	Dpjhcj32.exe
1724	Degqka32.exe
1724	Degqka32.exe
2428	Dbmnjenb.exe
2428	Dbmnjenb.exe
2876	Dabkla32.exe
2876	Dabkla32.exe
2744	Efbpihoo.exe
2744	Efbpihoo.exe
2856	Efdmohmm.exe
2856	Efdmohmm.exe
2648	Emnelbdi.exe
2648	Emnelbdi.exe
1784	Effidg32.exe
1784	Effidg32.exe
2916	Fkmhij32.exe
2916	Fkmhij32.exe
2696	Flmecm32.exe
2696	Flmecm32.exe
800	Fkbadifn.exe
800	Fkbadifn.exe
1844	Fdjfmolo.exe
1844	Fdjfmolo.exe
2200	Gdmcbojl.exe
2200	Gdmcbojl.exe
3032	Ginefe32.exe
3032	Ginefe32.exe
1028	Gkancm32.exe
1028	Gkancm32.exe
2532	Hfiofefm.exe
2532	Hfiofefm.exe
236	Hjkdoh32.exe
236	Hjkdoh32.exe
2412	Hnimeg32.exe
2412	Hnimeg32.exe
2252	Homfboco.exe
2252	Homfboco.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pokjahgh.dll	Hjkdoh32.exe
File created	C:\Windows\SysWOW64\Effidg32.exe	Emnelbdi.exe
File created	C:\Windows\SysWOW64\Fkbadifn.exe	Flmecm32.exe
File opened for modification	C:\Windows\SysWOW64\Gdmcbojl.exe	Fdjfmolo.exe
File created	C:\Windows\SysWOW64\Egkfbg32.dll	Ginefe32.exe
File created	C:\Windows\SysWOW64\Gdmcbojl.exe	Fdjfmolo.exe
File opened for modification	C:\Windows\SysWOW64\Hnimeg32.exe	Hjkdoh32.exe
File created	C:\Windows\SysWOW64\Dbmnjenb.exe	Degqka32.exe
File opened for modification	C:\Windows\SysWOW64\Efbpihoo.exe	Dabkla32.exe
File opened for modification	C:\Windows\SysWOW64\Emnelbdi.exe	Efdmohmm.exe
File created	C:\Windows\SysWOW64\Kqhaap32.dll	Flmecm32.exe
File created	C:\Windows\SysWOW64\Fdjfmolo.exe	Fkbadifn.exe
File created	C:\Windows\SysWOW64\Gkancm32.exe	Ginefe32.exe
File opened for modification	C:\Windows\SysWOW64\Fkbadifn.exe	Flmecm32.exe
File created	C:\Windows\SysWOW64\Clangg32.dll	Fkbadifn.exe
File opened for modification	C:\Windows\SysWOW64\Ginefe32.exe	Gdmcbojl.exe
File created	C:\Windows\SysWOW64\Hjkdoh32.exe	Hfiofefm.exe
File created	C:\Windows\SysWOW64\Degqka32.exe	Dpjhcj32.exe
File created	C:\Windows\SysWOW64\Ajkmmb32.dll	Dpjhcj32.exe
File created	C:\Windows\SysWOW64\Emnelbdi.exe	Efdmohmm.exe
File created	C:\Windows\SysWOW64\Flmecm32.exe	Fkmhij32.exe
File opened for modification	C:\Windows\SysWOW64\Iqmcmaja.exe	Homfboco.exe
File created	C:\Windows\SysWOW64\Eiajmgka.dll	Emnelbdi.exe
File created	C:\Windows\SysWOW64\Ecpebkop.dll	Hfiofefm.exe
File opened for modification	C:\Windows\SysWOW64\Dabkla32.exe	Dbmnjenb.exe
File opened for modification	C:\Windows\SysWOW64\Hfiofefm.exe	Gkancm32.exe
File created	C:\Windows\SysWOW64\Dpgloo32.dll	Gkancm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjkdoh32.exe	Hfiofefm.exe
File opened for modification	C:\Windows\SysWOW64\Efdmohmm.exe	Efbpihoo.exe
File created	C:\Windows\SysWOW64\Hbaeanda.dll	Effidg32.exe
File created	C:\Windows\SysWOW64\Dpjhcj32.exe	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
File created	C:\Windows\SysWOW64\Fkmhij32.exe	Effidg32.exe
File created	C:\Windows\SysWOW64\Hfiofefm.exe	Gkancm32.exe
File opened for modification	C:\Windows\SysWOW64\Gkancm32.exe	Ginefe32.exe
File created	C:\Windows\SysWOW64\Hnimeg32.exe	Hjkdoh32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjhcj32.exe	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
File created	C:\Windows\SysWOW64\Efbpihoo.exe	Dabkla32.exe
File created	C:\Windows\SysWOW64\Mkdfdn32.dll	Dabkla32.exe
File opened for modification	C:\Windows\SysWOW64\Effidg32.exe	Emnelbdi.exe
File opened for modification	C:\Windows\SysWOW64\Fkmhij32.exe	Effidg32.exe
File opened for modification	C:\Windows\SysWOW64\Flmecm32.exe	Fkmhij32.exe
File created	C:\Windows\SysWOW64\Pfenml32.dll	Fdjfmolo.exe
File created	C:\Windows\SysWOW64\Fanhpabf.dll	Degqka32.exe
File created	C:\Windows\SysWOW64\Efdmohmm.exe	Efbpihoo.exe
File created	C:\Windows\SysWOW64\Okgdkphm.dll	Efbpihoo.exe
File created	C:\Windows\SysWOW64\Ngllhqkp.dll	Efdmohmm.exe
File created	C:\Windows\SysWOW64\Hnahndjj.dll	Dbmnjenb.exe
File opened for modification	C:\Windows\SysWOW64\Homfboco.exe	Hnimeg32.exe
File created	C:\Windows\SysWOW64\Maonll32.dll	Homfboco.exe
File created	C:\Windows\SysWOW64\Iqmcmaja.exe	Homfboco.exe
File created	C:\Windows\SysWOW64\Gjgbck32.dll	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
File created	C:\Windows\SysWOW64\Dabkla32.exe	Dbmnjenb.exe
File created	C:\Windows\SysWOW64\Bdgdja32.dll	Fkmhij32.exe
File created	C:\Windows\SysWOW64\Homfboco.exe	Hnimeg32.exe
File opened for modification	C:\Windows\SysWOW64\Degqka32.exe	Dpjhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Fdjfmolo.exe	Fkbadifn.exe
File created	C:\Windows\SysWOW64\Jkocglhl.dll	Gdmcbojl.exe
File opened for modification	C:\Windows\SysWOW64\Dbmnjenb.exe	Degqka32.exe
File created	C:\Windows\SysWOW64\Ajqmqmfm.dll	Hnimeg32.exe
File created	C:\Windows\SysWOW64\Ginefe32.exe	Gdmcbojl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	2080	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dabkla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnelbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkmhij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfiofefm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Homfboco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effidg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdmcbojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjkdoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkancm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnimeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efbpihoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efdmohmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flmecm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ginefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Degqka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmnjenb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkbadifn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdjfmolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efbpihoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkbadifn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfiofefm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkmmb32.dll"	Dpjhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpebkop.dll"	Hfiofefm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjkdoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnimeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Homfboco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkmhij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkmhij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfiofefm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Degqka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbmnjenb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkfbg32.dll"	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkancm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdfdn32.dll"	Dabkla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efdmohmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emnelbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmecm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkancm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokjahgh.dll"	Hjkdoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Degqka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll"	Emnelbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgloo32.dll"	Gkancm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajqmqmfm.dll"	Hnimeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnimeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanhpabf.dll"	Degqka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdjfmolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdjfmolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dabkla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbmnjenb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmecm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngllhqkp.dll"	Efdmohmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkocglhl.dll"	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgbck32.dll"	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efbpihoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqhaap32.dll"	Flmecm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clangg32.dll"	Fkbadifn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dabkla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Homfboco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkbadifn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjkdoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdja32.dll"	Fkmhij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfenml32.dll"	Fdjfmolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emnelbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Effidg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Effidg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbaeanda.dll"	Effidg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll"	Homfboco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgdkphm.dll"	Efbpihoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnahndjj.dll"	Dbmnjenb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2192	2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe	29
PID 2552 wrote to memory of 2192	2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe	29
PID 2552 wrote to memory of 2192	2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe	29
PID 2552 wrote to memory of 2192	2552	c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe	29
PID 2192 wrote to memory of 1724	2192	Dpjhcj32.exe	30
PID 2192 wrote to memory of 1724	2192	Dpjhcj32.exe	30
PID 2192 wrote to memory of 1724	2192	Dpjhcj32.exe	30
PID 2192 wrote to memory of 1724	2192	Dpjhcj32.exe	30
PID 1724 wrote to memory of 2428	1724	Degqka32.exe	31
PID 1724 wrote to memory of 2428	1724	Degqka32.exe	31
PID 1724 wrote to memory of 2428	1724	Degqka32.exe	31
PID 1724 wrote to memory of 2428	1724	Degqka32.exe	31
PID 2428 wrote to memory of 2876	2428	Dbmnjenb.exe	32
PID 2428 wrote to memory of 2876	2428	Dbmnjenb.exe	32
PID 2428 wrote to memory of 2876	2428	Dbmnjenb.exe	32
PID 2428 wrote to memory of 2876	2428	Dbmnjenb.exe	32
PID 2876 wrote to memory of 2744	2876	Dabkla32.exe	33
PID 2876 wrote to memory of 2744	2876	Dabkla32.exe	33
PID 2876 wrote to memory of 2744	2876	Dabkla32.exe	33
PID 2876 wrote to memory of 2744	2876	Dabkla32.exe	33
PID 2744 wrote to memory of 2856	2744	Efbpihoo.exe	34
PID 2744 wrote to memory of 2856	2744	Efbpihoo.exe	34
PID 2744 wrote to memory of 2856	2744	Efbpihoo.exe	34
PID 2744 wrote to memory of 2856	2744	Efbpihoo.exe	34
PID 2856 wrote to memory of 2648	2856	Efdmohmm.exe	35
PID 2856 wrote to memory of 2648	2856	Efdmohmm.exe	35
PID 2856 wrote to memory of 2648	2856	Efdmohmm.exe	35
PID 2856 wrote to memory of 2648	2856	Efdmohmm.exe	35
PID 2648 wrote to memory of 1784	2648	Emnelbdi.exe	36
PID 2648 wrote to memory of 1784	2648	Emnelbdi.exe	36
PID 2648 wrote to memory of 1784	2648	Emnelbdi.exe	36
PID 2648 wrote to memory of 1784	2648	Emnelbdi.exe	36
PID 1784 wrote to memory of 2916	1784	Effidg32.exe	37
PID 1784 wrote to memory of 2916	1784	Effidg32.exe	37
PID 1784 wrote to memory of 2916	1784	Effidg32.exe	37
PID 1784 wrote to memory of 2916	1784	Effidg32.exe	37
PID 2916 wrote to memory of 2696	2916	Fkmhij32.exe	38
PID 2916 wrote to memory of 2696	2916	Fkmhij32.exe	38
PID 2916 wrote to memory of 2696	2916	Fkmhij32.exe	38
PID 2916 wrote to memory of 2696	2916	Fkmhij32.exe	38
PID 2696 wrote to memory of 800	2696	Flmecm32.exe	39
PID 2696 wrote to memory of 800	2696	Flmecm32.exe	39
PID 2696 wrote to memory of 800	2696	Flmecm32.exe	39
PID 2696 wrote to memory of 800	2696	Flmecm32.exe	39
PID 800 wrote to memory of 1844	800	Fkbadifn.exe	40
PID 800 wrote to memory of 1844	800	Fkbadifn.exe	40
PID 800 wrote to memory of 1844	800	Fkbadifn.exe	40
PID 800 wrote to memory of 1844	800	Fkbadifn.exe	40
PID 1844 wrote to memory of 2200	1844	Fdjfmolo.exe	41
PID 1844 wrote to memory of 2200	1844	Fdjfmolo.exe	41
PID 1844 wrote to memory of 2200	1844	Fdjfmolo.exe	41
PID 1844 wrote to memory of 2200	1844	Fdjfmolo.exe	41
PID 2200 wrote to memory of 3032	2200	Gdmcbojl.exe	42
PID 2200 wrote to memory of 3032	2200	Gdmcbojl.exe	42
PID 2200 wrote to memory of 3032	2200	Gdmcbojl.exe	42
PID 2200 wrote to memory of 3032	2200	Gdmcbojl.exe	42
PID 3032 wrote to memory of 1028	3032	Ginefe32.exe	43
PID 3032 wrote to memory of 1028	3032	Ginefe32.exe	43
PID 3032 wrote to memory of 1028	3032	Ginefe32.exe	43
PID 3032 wrote to memory of 1028	3032	Ginefe32.exe	43
PID 1028 wrote to memory of 2532	1028	Gkancm32.exe	44
PID 1028 wrote to memory of 2532	1028	Gkancm32.exe	44
PID 1028 wrote to memory of 2532	1028	Gkancm32.exe	44
PID 1028 wrote to memory of 2532	1028	Gkancm32.exe	44

C:\Users\Admin\AppData\Local\Temp\c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe
"C:\Users\Admin\AppData\Local\Temp\c874169c38211e5d729836a85346dea3afc584fac77815d359ba972a02c19cf0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Dpjhcj32.exe
  C:\Windows\system32\Dpjhcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Degqka32.exe
    C:\Windows\system32\Degqka32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\Dbmnjenb.exe
      C:\Windows\system32\Dbmnjenb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\Dabkla32.exe
        
        C:\Windows\system32\Dabkla32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\Efbpihoo.exe
        
        C:\Windows\system32\Efbpihoo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Efdmohmm.exe
        
        C:\Windows\system32\Efdmohmm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Emnelbdi.exe
        
        C:\Windows\system32\Emnelbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Effidg32.exe
        
        C:\Windows\system32\Effidg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Fkmhij32.exe
        
        C:\Windows\system32\Fkmhij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Flmecm32.exe
        
        C:\Windows\system32\Flmecm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Fkbadifn.exe
        
        C:\Windows\system32\Fkbadifn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Fdjfmolo.exe
        
        C:\Windows\system32\Fdjfmolo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Gdmcbojl.exe
        
        C:\Windows\system32\Gdmcbojl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ginefe32.exe
        
        C:\Windows\system32\Ginefe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Gkancm32.exe
        
        C:\Windows\system32\Gkancm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Hfiofefm.exe
        
        C:\Windows\system32\Hfiofefm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hjkdoh32.exe
        
        C:\Windows\system32\Hjkdoh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Hnimeg32.exe
        
        C:\Windows\system32\Hnimeg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Homfboco.exe
        
        C:\Windows\system32\Homfboco.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Degqka32.exe

Filesize
109KB

MD5
269fce42fe5fd036401b2e1f493a9503

SHA1
d7143a2b0f05a8767f303c5f51c862e714334cde

SHA256
079d02f879cd5c95da0c675fedda33f54a0f7fad58500dedb0713acf8ea0eb6f

SHA512
8072d853b9fd9b71fcb0ca51e1ab0628cbe6a4bf371ac4aa96a4b0e3f95ea0721cda0339ff21efab98971b2a9dc9b979c0e31957a567effbce645a7988ac6f99

Download Submit
C:\Windows\SysWOW64\Efdmohmm.exe

Filesize
109KB

MD5
63a8b6a4b2ed84d902c3556877a003a0

SHA1
01584af72b940e1438f1b2ad75a962420562c9d1

SHA256
5ba5366994a0ea4d3162bb742d2206f67b4cd449d9cc631ab3504ad6e80f82a3

SHA512
7a296702d0830050b8f38d477038e0efd3aaba0a23dae4df8646135268528040668c58d4daeeb3bafdd3af4a456ddef6208cd5ef7aa84d6be9140fc742b800d5

Download Submit
C:\Windows\SysWOW64\Effidg32.exe

Filesize
109KB

MD5
d7d2db591fc6be502ad013f838aa434f

SHA1
d4cb61d813c7131f2d399a8f72603969e6869f17

SHA256
f97e703458f569eaf10bb425524e7b13563c6afd09ecac98f23d526f7e4265f5

SHA512
dfa45bd6d8f816fd63befbedd42e366e32b5c1e893c569975128a1a03f17b6cb7d24b56334d7442c81f53dc7e13603dd478b35b31a4aa31c76c1b5cf4ff29620

Download Submit
C:\Windows\SysWOW64\Fdjfmolo.exe

Filesize
109KB

MD5
8f85fb564a6455cc380718d2ca469725

SHA1
81ff88aeea54764800f1fc9696dd885dbb388819

SHA256
f4bfd4f9fa10a88cb1cedbe2bbff60c79ad37a396a7ebcae086df74bd9fab85e

SHA512
a2e96a9c28554c5796f9e53f364efc1fb33ea57867af29cd7e4b533875dbda090ba60ffce034619077f346e8b935c191434aa91c3e5fb398350cd7b0cc6fa8ef

Download Submit
C:\Windows\SysWOW64\Ginefe32.exe

Filesize
109KB

MD5
d93f77465be14bd918139a5badeb71ba

SHA1
077a895a2b4bcccc61ef4db8844d16da137a71be

SHA256
ff55365bd52535915280a9e50a05b8c2b6f96015124e2bb80e8c696c58c9f995

SHA512
d26e61e40781f101649ff44ea2098d708a2a597f6cfc8f5508ba3ab2d9bbf622abc9d14db1142958b4431c0e2a860c1fe89a8531988616fecdc5d82042c17590

Download Submit
C:\Windows\SysWOW64\Hjkdoh32.exe

Filesize
109KB

MD5
5bdbb3f5648b5fb866bfd74d694a3b41

SHA1
ced5f5ff0c30fa02df2f09e49593549a272ab13c

SHA256
b0c7fb7b74f97c1a4a190668378729bf46b95cc6e03b04762fe77680d5caf8fb

SHA512
89c4be96432bfdc4134bde1e3e300fca972a46aa8e3b70cb1b4bb219b3dfdd89d984dab1eef2885e0646b632c1d381285712ce619a05ed8f8ec7c45b71e1d4aa

Download Submit
C:\Windows\SysWOW64\Hnimeg32.exe

Filesize
109KB

MD5
310a202a2d5175fcd66c968d46abfc0d

SHA1
a6bd2f4d2e6f43515cec4afdbb140c1fb3db67e7

SHA256
ed20c71074241f26a203256b8b07689503fd55f6cd91ece8d56f01f896bb0a7b

SHA512
a22f14fa741e1665f08cf338dd90cf3e644a9697b6fd0d2efda3f47a29a8a4d837955a581b55864cf52ee2f0edb072a306bcfffc20b266375a70bbb93ffcc8e6

Download Submit
C:\Windows\SysWOW64\Homfboco.exe

Filesize
109KB

MD5
fbd6ae7ceac4d14b57b100b74bba664b

SHA1
1241f544c6aebff4fa9cdf399d55f9bd0e8ff18f

SHA256
4771dcb6230c253ee2d7186085ead8abf0c654e19ac19df4e6e8da30e75ec06d

SHA512
9d9594cd052f8506c238af61a28277c00e6348424bab2f3d78b53ec288cc44536c7456c3bcd26f11c137251600d8a73ec9151c1ee0ec2e1f5675dd1cc624bca3

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
109KB

MD5
565d7ae86076d9c58776279d0fc8af95

SHA1
037d75709c60cfca45ac81608342c00b4beadc58

SHA256
72670ea87ce514f068045d3c3e2305b07d823eb3a10598c59e80e0ce8e4e4640

SHA512
d9645e7a30f16dc22738af7a708186aa92f2e0a67d39c9fe852ae3440e4f165c5c2f77be29cc7fac5c1cc7d9c4ff71c8493bdabd4ee1205203d52444b6935827

Download Submit
C:\Windows\SysWOW64\Mkdfdn32.dll

Filesize
7KB

MD5
e11cd5ea3ea54b802a04a0ab229366bf

SHA1
081a8c98ad71779c7759d8a74ccf61fa9b7c2a63

SHA256
ea975599187b1bc07cae9d00bfc338a5ffee329c2099b7baf320ea71090dc34d

SHA512
f1c768816bdf922ddd77506d781b2d61f2f51efd4cfbfbb741b35371135463fc46a0db8bc72800dc6b68ffe841fa14794e4b3f50edab2d326c08ca230bfee12d

Download Submit
\Windows\SysWOW64\Dabkla32.exe

Filesize
109KB

MD5
cc5254d736139eeac751eb44a136aa04

SHA1
1d2f6bef1e15781e6195b4a42091c77626c0a700

SHA256
dce33a9f1a063c05877764251665fa51baece9c1e39c0c8a90325e0151e7822a

SHA512
971b91e30610e7880f6b538db7b60da9eff0b1ddb1100de1ece36af828f28e4aeaef4b8c12a366407fbbb0b1dd649f9c583a87ec1e9489a29f927a0b31156e71

Download Submit
\Windows\SysWOW64\Dbmnjenb.exe

Filesize
109KB

MD5
245036c0914bf09325baed8a4fecb34c

SHA1
6841328fed89fb388cc80c8ba195c1a9157d6041

SHA256
d022afa3a1e66927c073c198f89a0d3770fe6418539834e34d92215e97e0dfc4

SHA512
220027ce162eea29bea546824626f682cf2b42cfee2e3a16da80db23f1b8a9730e2b8cd9a048f8c8c2d7a12ca65f72dbf9dc311c9b2ed77d2d5ca525857a57c2

Download Submit
\Windows\SysWOW64\Dpjhcj32.exe

Filesize
109KB

MD5
fcbcc2ba9643fa3b8cbac8183cfdcfb1

SHA1
cc037632d261c75404c40e466040f75df5b1fe59

SHA256
840cc469b9032e3ee428324aafbec4eb5cf611474bb3c058ff2ac107f3731a1e

SHA512
afb8f7b5100020085ed8cfc57751d7716388b9a58e3fe19c568485b2c7c7b1795b8e894563a1389a139b1497950529d79e5fe7f1906c5dd46be05f35364ba07f

Download Submit
\Windows\SysWOW64\Efbpihoo.exe

Filesize
109KB

MD5
dc69137def40ef1deecb2856d2587217

SHA1
39a4a82402ad92cb6fb2e2f3cb254b8037ed3d9d

SHA256
c4a71dd7e69df5852af9688212d7acb338dfa0a5b8335e89a06256789fa569df

SHA512
52896bf986b637a84c81fea6d964b16b0c8dea9cb781fe51f62089a8fcf6882369bb417ea0459809249b4372de2028db3dcae15e7c8a62915031e1b9eb1e72a5

Download Submit
\Windows\SysWOW64\Emnelbdi.exe

Filesize
109KB

MD5
e0c8ba5081a24233e162a0dc9521770f

SHA1
260427f3cc2af47573e5c18c8c5230a38a60e962

SHA256
90023bf0ed8acc00d9213c8c0492fd44967c4fa909617fee6d72d93d6cecea90

SHA512
738208d0129ccb9f93d250fba0acad8b1acdcc571b5af3b68860035b48f8510430b0b7a54ecc57ecf51c45d8aa42dee499f00d86ffff5665fdcc55ce072963da

Download Submit
\Windows\SysWOW64\Fkbadifn.exe

Filesize
109KB

MD5
d6cd4b6968971767f87b97d494c776a9

SHA1
fcc5eceef419df3ba077448a08ca62a66fc49552

SHA256
4acd712b889bc593d70f0cd67c96832ed724ea5ca526766837ec3e1b64f5c758

SHA512
4078982c5c6a95e81a0be2194aa109616b96b58ce14761b5a748394bf3a72926b97ddc8917d64119a789905f3bb1ae932c880e2dcd562379d1a59cb1d2c6cf1d

Download Submit
\Windows\SysWOW64\Fkmhij32.exe

Filesize
109KB

MD5
3cf2c7d49d734967203fe5ae0f26c843

SHA1
26c8b8fe9cd92c78bda267c824e581025ce48941

SHA256
9ac45b5549f18994802fc16ea24c8a0677b7716532b1fbfd7d3822947740934d

SHA512
21b52c02bdca1cd718bd2907fd02b4593612c5e4b287a24b5317f6bc99cbdbed5bcb349f84cdf34dc6e12fd976317dc5242e28f4b5a5a9d8cd6536085b82d5ec

Download Submit
\Windows\SysWOW64\Flmecm32.exe

Filesize
109KB

MD5
1fdef030b4dc05a1ee636a069611bbc4

SHA1
78605a72ad710bfca845e586c59d1643370dab45

SHA256
73217560287cafa00c633d480d5c6b4cefef9d0232fa8862d10377f8be2215fc

SHA512
198431f40f037d9d7bd8fda7b19d4d551814657fa8041c2ec9a4bc8ddd043c76e4713f1855dffa0b69ee4d20808d8377b0b43ee54c2f38e1a727a1feff53fbea

Download Submit
\Windows\SysWOW64\Gdmcbojl.exe

Filesize
109KB

MD5
db03b538de002e2de55bdb3783cae6e8

SHA1
0f901adb8fb300bcf73b2d24b3faaa85df03c8d8

SHA256
8b8e174e2062fbc9e51a1f258509f50c53a22b1d878c1619a9750cb765233076

SHA512
819c2e2ed227695ce7e88272928b4dfcb100e5a7b51a8847f8bdf7a6d462c1b5d473fec2f698c611b2b4f457e64c602ea7c7adc86ce62f8003ae0892f47594c9

Download Submit
\Windows\SysWOW64\Gkancm32.exe

Filesize
109KB

MD5
f9b6b2dce3e266859d03093d78bbc64f

SHA1
4eb04bda2c6089f7266eebed38bdc10dca74ec6d

SHA256
476afaa9d3d3fb541309dfe3e1327183a0df83425c76a43e645899f758bfa986

SHA512
842ad7d0e73d774462b928d4a731423da8124d5c3f2b4bb119f271f0ff99271ac677e77b10ffca256d4a7a75c1f414fda9628e594bcf86d06b7ae0a8524d0caa

Download Submit
\Windows\SysWOW64\Hfiofefm.exe

Filesize
109KB

MD5
4f774dbcb838336540187477871ab672

SHA1
12f70c131d5043e616d7389a87ab367c7a360521

SHA256
a47d205c1ca2607b57e2e81e1de02b73b45547846949561c71f7ce4d7a5bd9a5

SHA512
3912b3ff7a1fc19fad3bdfac0e30c35fa47e6d7304b8a6292a9cf1b5a71f3dfcaf15756b75e04e91f967486a0ed61a6a17f6816f814b20109bbd400e3a38714c

Download Submit
memory/236-262-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/236-293-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/236-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/236-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-174-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/800-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-175-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/800-232-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1028-286-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1028-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1028-237-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1028-276-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1028-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-98-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1724-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-112-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1724-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-193-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1784-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-131-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1784-125-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1784-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-239-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1844-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-191-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2080-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-297-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2252-287-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2252-288-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2252-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-273-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2412-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-275-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2412-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-295-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2428-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2428-53-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/2428-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2532-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2532-291-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2532-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-18-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2552-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-17-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2552-70-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2552-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-113-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2648-177-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2696-221-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2696-155-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2696-159-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2696-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-95-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2744-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-69-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2876-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-62-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2876-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-138-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2916-145-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/3032-269-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3032-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3032-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads